posted by n1 on Tuesday August 05 2014, @02:46PM   Printer-friendly
from the industry-leading-failings dept.

The Register and others are reporting that Synology NAS units are being hit with a ransomware package that encrypts users' files and charges them money to unlock; affected users logging into the web interface will see a message saying "All important files on this NAS have been encrypted using strong cryptography". Currently there is no fix listed to patch the underlying vulnerability.

More information can be found on this Synology forums thread; if you're affected, turn your Synology off now. If you expose your NAS to the outside world through UPnP or port forwarding, now would be a good time to disable those rules.

  • (Score: 5, Informative) by MrNemesis on Tuesday August 05 2014, @02:49PM

    by MrNemesis (1582) on Tuesday August 05 2014, @02:49PM (#77606)

    Since I wrote the submission, Synology have updated the thread but it appears to be... er... Soyled? Soydotted? Soylentilled? at the moment so I've quoted the latest below. Long story short, the vuln was identified in December 2013 with a patch released soon after and so is thought to only affect models running older firmware.

    We are fully dedicated to investigating this issue and possible solutions. Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013. At present, we have not observed this vulnerability in DSM 5.0.

    For Synology NAS servers running DSM 4.3-3810 or earlier, and if users encounter any of the below symptoms, we recommend they shutdown their system and contact our technical support team here: https://myds.synology.com/support/support_form.php [synology.com].

                    When attempting to log in to DSM, a screen appears informing users that data has been encrypted and a fee is required to unlock data.
                    A process called “synosync” is running in Resource Monitor.
                    DSM 4.3-3810 or earlier is installed, but the system says the latest version is installed at Control Panel > DSM Update.

    For users who have not encountered any of the symptoms stated above, we highly recommend downloading and installing DSM 5.0, or any version below:

                    For DSM 4.3, please install DSM 4.3-3827 or later
                    For DSM 4.1 or DSM 4.2, please install DSM 4.2-3243 or later
                    For DSM 4.0, please install DSM 4.0-2259 or later

    DSM can be updated by going to Control Panel > DSM Update. Users can also manually download and install the latest version from our Download Center here: http://www.synology.com/support/download [synology.com].

    If users notice any strange behaviour or suspect their Synology NAS server has been affected by the above issue, we encourage them to contact us at security@synology.com where a dedicated team will look into their case.

    We sincerely apologise for any problems or inconvenience this issue has caused our users. We will keep you updated with the latest information as we address this issue.

    The changelogs for DSM 4.3-3827 list several fixed vulnerabilities although the listed CVE-2013-6955 [rapid7.com] is a component of the Synology code that allows an unauthenticated user to remotely inject code as root, so any Synology with its web server facing the internet was theoretically vulnerable (and a rate-limiting firewall or ban-on-X-failed-logins wouldn't have helped you). Does this mean Synology are running their web server as root?

    Given my own spotty experience with the tardiness of security updates for NAS appliances (not to mention overall shoddiness of code and lack of reliability testing that sent me straight back to Debian), here's hoping we'll see better integration of other highly useful tools like iptables and OpenVPN into NAS appliances in future in order to make these "personal cloud" services running from your home work more securely... but I won't be holding my breath.

    Anyone here get bitten by this?

    --
    "To paraphrase Nietzsche, I have looked into the abyss and been sick in it."
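An added example, not from the thread and not a Synology tool: a small POSIX shell triage script that applies the fix levels quoted above (4.3-3827, 4.2-3243, 4.0-2259; any 4.1 has to move to 4.2-3243 or later; 5.0 reported unaffected) to a DSM version string, and scans a process listing for the "synosync" indicator. The ps samples are constructed and the path shown for synosync is made up for the sample; the /etc.defaults/VERSION file and its majorversion/minorversion/buildnumber fields are an assumption about where DSM keeps its version, so check that on your own unit before relying on it.

```shell
#!/bin/sh
# Added example (not from the thread or from Synology): triage a DiskStation
# against the DSM fix levels quoted in the advisory text, and look for the
# "synosync" process listed as an indicator. Inputs are plain strings, so the
# checks also run on a workstation with data copied off the NAS.

# dsm_status <major.minor-build>: print patched / vulnerable / unknown and
# exit 0 / 1 / 2. The comparison is per branch: a build number only means
# something within one DSM line (4.2-3243 is fixed although 3243 < 3810).
dsm_status() {
    ver=$1
    branch=${ver%-*}            # e.g. 4.3
    build=${ver#*-}             # e.g. 3810
    case "$build" in ''|*[!0-9]*) echo unknown; return 2 ;; esac
    case "$branch" in
        4.3) fix=3827 ;;
        4.2) fix=3243 ;;
        4.1) fix=     ;;        # no fixed 4.1 build exists: vulnerable whatever the build
        4.0) fix=2259 ;;
        *)
            major=${branch%%.*}
            # DSM 5.0 and later: not observed affected per the advisory.
            if [ "$major" -ge 5 ] 2>/dev/null; then echo patched; return 0; fi
            echo unknown; return 2 ;;
    esac
    if [ -n "$fix" ] && [ "$build" -ge "$fix" ]; then echo patched; return 0; fi
    echo vulnerable; return 1
}

# synosync_running <ps listing>: exit 0 if any field of any line is a command
# named synosync (with or without a directory in front of it).
synosync_running() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i <= NF; i++) if ($i ~ /(^|\/)synosync$/) found = 1 }
        END { exit !found }'
}

# Constructed sample ps output (busybox layout); the synosync path is invented
# for the sample, the real binary location is not given in the thread.
SAMPLE_PS_INFECTED='  PID USER       VSZ STAT COMMAND
    1 root      2384 S    init
 1044 root      9320 S    /usr/syno/sbin/synosync -d
 1100 root     14552 S    /usr/syno/sbin/smbd -D'
SAMPLE_PS_CLEAN='  PID USER       VSZ STAT COMMAND
    1 root      2384 S    init
 1100 root     14552 S    /usr/syno/sbin/smbd -D'

# Demonstration on the constructed data.
for v in 4.3-3810 4.3-3827 4.2-3243 4.1-2668 4.0-2259 5.0-4458; do
    echo "DSM $v: $(dsm_status "$v")"
done
synosync_running "$SAMPLE_PS_INFECTED" && echo "sample 1: synosync present"
synosync_running "$SAMPLE_PS_CLEAN"    || echo "sample 2: no synosync"

# When run on the NAS itself. Assumption: DSM stores its version fields in
# /etc.defaults/VERSION as shell assignments majorversion, minorversion,
# buildnumber. Verify on your own box before trusting this branch.
if [ -r /etc.defaults/VERSION ]; then
    . /etc.defaults/VERSION
    echo "this box: $(dsm_status "$majorversion.$minorversion-$buildnumber")"
    synosync_running "$(ps)" && echo "synosync is running: power the box off now"
fi
```

The third symptom from the advisory (DSM Update claiming the latest version is already installed on a 4.3-3810-or-older box) is not checked here because it can only be verified against Synology's update server. A "vulnerable" result on a unit that is reachable from the internet is a reason to pull the network cable first and read the rest of the output second.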
    • (Score: 1) by TK-421 on Tuesday August 05 2014, @02:56PM

      by TK-421 (3235) on Tuesday August 05 2014, @02:56PM (#77609) Journal

      For many folks this will be their pain point that teaches them the importance of enforcing a data backup strategy.

      • (Score: 3, Funny) by elgrantrolo on Tuesday August 05 2014, @03:28PM

        by elgrantrolo (1903) on Tuesday August 05 2014, @03:28PM (#77624) Journal

        hmmm, maybe my DVD-Rs weren't as bad as I thought!

        • (Score: 2) by bryan on Tuesday August 05 2014, @06:27PM

          by bryan (29) <bryan@pipedot.org> on Tuesday August 05 2014, @06:27PM (#77692) Homepage Journal

          They are when the NAS is an eight bay RAID5 with 6TB drives. Or in other words it's over 9000 disks !

        • (Score: 2) by kaszz on Tuesday August 05 2014, @07:25PM

          by kaszz (4211) on Tuesday August 05 2014, @07:25PM (#77716) Journal

          Only if it's Blu-ray 25 GB (or dual 50 GB).

          Still 240 discs for 6 TByte..

      • (Score: 3, Interesting) by frojack on Tuesday August 05 2014, @05:34PM

        by frojack (1554) on Tuesday August 05 2014, @05:34PM (#77674) Journal

        For many folks this will be their pain point that teaches them the importance of enforcing a data backup strategy.

        For others it will teach that you don't put a commercial off the shelf disk device directly on the internet.

        I recently picked up a few terabytes of raided NAS (western digital) for storage, and even though it has that capability I can't imagine me exposing that to the net.

        --
        No, you are mistaken. I've always had this sig.
        • (Score: 1) by TK-421 on Tuesday August 05 2014, @07:31PM

          by TK-421 (3235) on Tuesday August 05 2014, @07:31PM (#77720) Journal

          Precisely!

          It's WTF*WTF and the face palm result is exponential. I won't even pretend to be immune from making mistakes but a few minutes in a water cooler conversation with a knowledgeable associate or technical cohort prior to "go-live" can pay dividends in the long run.

      • (Score: 2) by Geotti on Tuesday August 05 2014, @09:27PM

        by Geotti (1146) on Tuesday August 05 2014, @09:27PM (#77758) Journal

        Yeah, I'm just waiting for this to happen to "cloud storage" so I can say "told you so!"

    • (Score: 4, Interesting) by VLM on Tuesday August 05 2014, @03:11PM

      by VLM (445) on Tuesday August 05 2014, @03:11PM (#77618)

      Both embedded devices, special remix distros, and appliances all seem to boil down to "we're just like Debian, except no bug tracking and no testing and no security support and rare updates, but we do have a really nice wordpress theme" So it's hard to take them seriously when "apt-get install samba" on a Debian box which does have support after the sale works just as well and is cheaper and simpler to use as an overall system.

      • (Score: 2, Insightful) by Anonymous Coward on Tuesday August 05 2014, @03:14PM

        by Anonymous Coward on Tuesday August 05 2014, @03:14PM (#77620)

        > works just as well and is cheaper and simpler to use as an overall system.

        That's simply not true for the majority of customers who buy these systems.

        • (Score: 3, Interesting) by VLM on Tuesday August 05 2014, @03:35PM

          by VLM (445) on Tuesday August 05 2014, @03:35PM (#77629)

          I think you missed the "as an overall system" part.

          Now that their NAS has been powned, they're going to have to restore from backups they probably don't have and / or redo all their work or redownload stuff, it's all very complicated. It would have been a lot simpler and easier as an overall total to just install Debian.

          If the real world didn't exist and the appliances worked bug free never powned like the advertising claims, then you'd be correct. But we don't live in that world. The customers have been sold a temporary illusion of convenience, not actual convenience.

          • (Score: 5, Interesting) by Jaruzel on Tuesday August 05 2014, @04:20PM

            by Jaruzel (812) on Tuesday August 05 2014, @04:20PM (#77644) Homepage Journal

            Off the shelf NASs sell convenience over data-security. I know of an IT-literate guy who 'just wanted something that worked' as storage for all his 10,000s of semi-pro photos. So he bought a well known NAS brand with very large disks in it. He set up a RAID array and felt his data was very secure and safe.

            Fast forward to just over a year later, and the motherboard in the NAS went bang. No problem he thought, 'I'll just pop the array onto a Linux box to recover my data.'

            Nope. The NAS had formatted the RAID array with some bespoke secret formatting system, and no amount of fiddling in Linux would talk to it. Not being able to just buy a replacement motherboard, he eventually had to buy a replacement NAS of the same model via eBay for ~$500 and swap his disks into it.

            ...

            Moral: Just build a bloody Linux/Windows server, put some disks in it, and run software RAID*.

            -Jar

            *This is what I do. I've survived 2 server failures without losing any data.

            --
            This is my opinion, there are many others, but this one is mine.
            • (Score: 3, Insightful) by datapharmer on Tuesday August 05 2014, @05:05PM

              by datapharmer (2702) on Tuesday August 05 2014, @05:05PM (#77658)

              Shame on you for suggesting software raid. The proper solution is a hardware raid and a) buy a warranty that covers replacement parts as quickly as you need them available or b) have spare parts on hand.

              This is simply the cost of doing business. Software raid can have huge performance penalties, doesn't support hot swapping drives, and can leave you with a corrupt mess if you get into certain failure scenarios.

              • (Score: 3, Interesting) by MrNemesis on Tuesday August 05 2014, @05:32PM

                by MrNemesis (1582) on Tuesday August 05 2014, @05:32PM (#77672)

                I run software RAID on all my home servers, and it very definitely does support hot-swapping. Most bog-standard software RAID (common in every linux-based NAS I've used) doesn't use any proprietary disc signatures either so I'm curious if the GP will name names as to his NAS vendor.

                I've had far worse luck with hardware RAID: when the cards do go pop, you'll frequently need to buy a whole new RAID card of the same family to go with it that will frequently cost as much as a small server, whereas with linux softraid you can just plug the drives into your nearest linux box (or generic box with a USB bootable linux distro) and providing you have enough SATA controllers, mdadm will detect the discs, create the array and leave it for you to mount someplace at which point you can splurge the files off onto another medium of your choice.

                The performance penalty of software RAID vs. hardware RAID is, for me at least, unnoticeable. Most of the performance problems I've seen from people running softraid is the awful SATA controllers that you get on some consumer motherboards - the silicon image ones back in the day, or the marvell ones these days, are utterly abysmal at random IO. If you only need four spindles then you can usually find motherboards with the excellent intel SATA controllers or the much-better-than-people-think AMD controllers with enough ports; if you need more than that you're generally better off buying a cheap LSI HBA (or better still, buy a cheap IBM M1015 HBA and reflash it to the LSI 9211-8i) and avoiding the chipset controllers altogether.

                IMHO the only unquestionable benefits that hardware RAID brings are twofold: first is that the cache memory is always, always ECC whereas with softraid, too many people run it on standard non-ECC platforms and expect that'll be fine for their always-on file server that has 95% of its memory full of FS cache... but flip a bit in that cache, read it from a client and then write the flipped bit back to disc and you'll silently corrupt data. This is bad enough for "normal" filesystems but with ones like ZFS, the busted parity is enough to ruin your whole pool. Second is that RAID cards almost always come with a hookup to the backplane that'll helpfully shine a nice flashy light on your disc tray saying "this disc has failed"; with linux and its propensity to swap disc IDs around on every single boot (the drive you put in as /dev/sdg last week might be /dev/sdj now - I've not found a way of coaxing udev into naming discs by port number) I find myself being very, very careful about which disc to remove. This can be mitigated to a degree by using an "active" backplane which'll give you a better idea of what the discs are doing but is still far from perfect. But it still beats paying £350+ for a decent HW RAID card.

                My £0.02.

                --
                "To paraphrase Nietzsche, I have looked into the abyss and been sick in it."
                • (Score: 0) by Anonymous Coward on Wednesday August 06 2014, @01:35AM

                  by Anonymous Coward on Wednesday August 06 2014, @01:35AM (#77856)

                  Mount by UUID isn't helpful to you in this use case?

                  • (Score: 2) by MrNemesis on Wednesday August 06 2014, @06:39AM

                    by MrNemesis (1582) on Wednesday August 06 2014, @06:39AM (#77913)

                    All discs in a softraid use the same UUID - or rather, it's the filesystem that has a UUID and not the underlying block devices. If there's a way of telling udev that SCSI0:1:8 should always be /dev/sdx I haven't found it so if a disk does go wrong you'll generally have to futz around with udev and /sys to find out which SCSI port the device is sitting on and then backtrack to a bay number from there. Annoying.

                    --
                    "To paraphrase Nietzsche, I have looked into the abyss and been sick in it."
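An added example, not MrNemesis's code and not from any NAS vendor, for the disk-identification problem in the two comments above. udev already exports each disk's controller path as ID_PATH (the same strings that appear under /dev/disk/by-path), and that path is stable across reboots even when the /dev/sdX letter is not. The script joins such a listing against /proc/mdstat to say which port a failed md member sits on, and emits a udev rule that pins a port to a fixed /dev/bay/N symlink. Both listings are constructed samples and the pci-...-ata-N path strings are assumed; take your own from `ls -l /dev/disk/by-path`.

```shell
#!/bin/sh
# Added example (not from the thread): map md array members to physical
# controller ports via udev's ID_PATH, so the right disk gets pulled even
# though /dev/sdX letters move between boots. Samples are constructed; the
# PCI/ATA path strings are assumed and will differ on your board.

# Constructed sample of `ls -l /dev/disk/by-path` (whole-disk links only).
SAMPLE_BY_PATH='lrwxrwxrwx 1 root root 9 Aug  5 12:00 pci-0000:00:1f.2-ata-1 -> ../../sdc
lrwxrwxrwx 1 root root 9 Aug  5 12:00 pci-0000:00:1f.2-ata-2 -> ../../sda
lrwxrwxrwx 1 root root 9 Aug  5 12:00 pci-0000:00:1f.2-ata-3 -> ../../sdb
lrwxrwxrwx 1 root root 9 Aug  5 12:00 pci-0000:00:1f.2-ata-4 -> ../../sdd'

# Constructed sample /proc/mdstat line: member sdb1 has been marked failed (F).
SAMPLE_MDSTAT='md0 : active raid5 sdc1[0] sda1[1] sdb1[2](F) sdd1[3]'

# port_of <disk> <by-path listing>: print the ID_PATH currently pointing at <disk>.
# In `ls -l` output the link name is the third field from the end, the target the last.
port_of() {
    printf '%s\n' "$2" | awk -v d="../../$1" '$NF == d { print $(NF-2) }'
}

# failed_disks <mdstat text>: print the whole-disk name of each member marked (F),
# stripping the partition number and the [slot] index mdstat adds.
failed_disks() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^\([a-z]*\)[0-9]*\[[0-9]*\](F)$/\1/p'
}

# bay_rule <bay number> <ID_PATH>: emit a udev rule pinning that port to
# /dev/bay/<n>. ID_PATH is set by the distribution's persistent-storage rules,
# which run before a 99-numbered rules file, so matching on it here is safe.
bay_rule() {
    printf 'ACTION=="add|change", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_PATH}=="%s", SYMLINK+="bay/%s"\n' "$2" "$1"
}

# Report where each failed member physically sits.
for d in $(failed_disks "$SAMPLE_MDSTAT"); do
    echo "failed member $d is on port $(port_of "$d" "$SAMPLE_BY_PATH")"
done

# Print the rules for a four-port board so they can be redirected into
# e.g. /etc/udev/rules.d/99-bays.rules (file name is the reader's choice).
n=1
while [ "$n" -le 4 ]; do
    bay_rule "$n" "pci-0000:00:1f.2-ata-$n"
    n=$((n + 1))
done
```

After installing the rules and running `udevadm trigger`, build or assemble the array from /dev/bay/N so the "which sdX was bay 3" question never arises later. Note that this identifies the controller port, not the bay label printed on the chassis; map port to label once, by hand, with a known disk and a known cable.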
              • (Score: 0) by Anonymous Coward on Wednesday August 06 2014, @01:30AM

                by Anonymous Coward on Wednesday August 06 2014, @01:30AM (#77854)

                Ah hah hah hah hah ... so funny.

                'proper' ... Ah hah hah hah hah

                'simply the cost of doing business' ... Ah hah hah hah hah

                'doesn't support hot swapping drives' ... Ah hah hah hah hah

                Been away for a while, for more than a decade or so, have you?

                I invite you to look into btrfs, lvm, hot swap bays, ...

                Software will always stay more current than hardware, and on a NAS, you're limited by the net speed anyways.

                On a bet your business, revenue generating installation, your points may be correct ... but then you wouldn't be using such. Which is all to say, you're not talking the use case of the OP.

                Yep, go 'software' (after all, a hardware solution doesn't have any software, do it?)

                JUST WHAT DO YOU THINK IS OPERATING THE HARDWARE RAID SOLUTIONS, ANYWAYS!!!

                Go see FreeNAS, worst case, and get on with your day.

                Oh ... and ... 'leave you with a corrupt mess if you get into certain failure scenarios.' ... umm, not unique to any solution, all will have their issues. They'll just be different ones.

              • (Score: 0) by Anonymous Coward on Wednesday August 06 2014, @01:37AM

                by Anonymous Coward on Wednesday August 06 2014, @01:37AM (#77857)

                And if your hardware raid card dies, you had better hope you have a spare.
                And you'll be back searching for hardware on ebay.
                Software raid will work on any hardware.

              • (Score: 2) by sjames on Wednesday August 06 2014, @05:57PM

                by sjames (2882) on Wednesday August 06 2014, @05:57PM (#78127) Journal

                Good luck with that. Sometimes the exact same HW with a different firmware revision won't recognize your old array. Even worse, it may 'helpfully' decide to reformat the RAID without even asking in order to make sure your data is good and dead.

                I refuse to use any RAID where the on-disk format isn't publicly documented.

            • (Score: 2) by cafebabe on Wednesday August 06 2014, @07:42AM

              by cafebabe (894) on Wednesday August 06 2014, @07:42AM (#77930) Journal

              A while back, it was possible for consumers to buy a four disk RAID10 system. However, a system so small is dangerous - even ignoring the consequences of RAID management by people saying "What's this flashing red light mean?" The MTBF [wikipedia.org] of four disks from one batch is the same as one disk. However, the MTBF of the proprietary RAID system is what makes it dangerous. If that fails first, data recovery could be dicey.

              I've just investigated Western Digital's My Cloud [wdc.com] and I can safely say that it is a case of Do Not Want. Two disk proprietary RAID is a really quick way of losing your data. If you use it for video, the only useful feature is Jumbo Frames. However, it ships with Wake-On-LAN, Peer-To-Peer clients, IceCast, PHPBB, WordPress, Joomla, PHPMyAdmin and integration with at least two insecure public clouds.

              --
              1702845791×2
          • (Score: 0) by Anonymous Coward on Tuesday August 05 2014, @06:48PM

            by Anonymous Coward on Tuesday August 05 2014, @06:48PM (#77702)

            > I think you missed the "as an overall system" part.
            >
            > Now that their NAS has been powned

            Nope, I did not miss it at all. The problem with your analysis is that you've weighted this case of being powned as if it applies to every NAS owner when in fact it just applies to a subset of customers of one NAS vendor.

      • (Score: 1, Interesting) by Anonymous Coward on Tuesday August 05 2014, @05:54PM

        by Anonymous Coward on Tuesday August 05 2014, @05:54PM (#77682)

        Most of these embedded boxes are some sort of busybox distro.

        Synology is kind of scatterbrained with its updates. They are using a 2.6.x level of kernel. Many of the tools are 3+ years behind on updates.

        However, having used one of these boxes for the past 2 years I can safely say it is pretty good. However, I would never put it on the wide wooly internet. The vintage of linux that is built in is way too old for that to be in any way safe. I was really hoping for a 3.12 to 14 bump in kernel in their last update. But they chickened out. However, for a filesystem I do not *need* it to be higher. It just needs to serve files. I was more after all the powersaving stuff intel had added in and security fixes.

        > no security support and rare updates
        Synology seems to be on a 6 month cadence.

        I tried building out my own. It is not terribly hard. I just kept ending up at a cost for similar features at about the same cost or higher. Once you add in a raid card capable of holding 5+ drives and MB and case and cpu and memory. With 0 support other than me and google. I may go that route next time in 5-10 years and smash my proxy server into it.

        This is not an enterprise SAN with 8x20 gig fiber channels. It is a consumer grade NAS. It does however have some enterprise features like iscsi.

        It was fairly plug and play. Just every couple of months I check on the firmware and make sure it is up to date. It has run for several thousand hours with maybe a couple hours of downtime. And that was me turning it off to move it and clean out the dust. I can easily saturate a 1 gig link.

    • (Score: 5, Funny) by chewbacon on Tuesday August 05 2014, @04:17PM

      by chewbacon (1032) on Tuesday August 05 2014, @04:17PM (#77643)

      I prefer Soyled since I usually say "shit" when I find a overloaded server.

    • (Score: 2) by LoRdTAW on Tuesday August 05 2014, @05:48PM

      by LoRdTAW (3755) on Tuesday August 05 2014, @05:48PM (#77680) Journal

      Given my own spotty experience with the tardiness of security updates for NAS appliances (not to mention overall shoddiness of code and lack of reliability testing that sent me straight back to Debian), here's hoping we'll see better integration of other highly useful tools like iptables and OpenVPN into NAS appliances in future in order to make these "personal cloud" services running from your home work more securely... but I won't be holding my breath.

      Stop buying black boxes.

      There really is no way anyone will ever make decent NAS and personal cloud products. They are cheap and easy to use and that is ALL that matters to users. And cheap means support and firmware updates are an afterthought. Will there be a patch for an exploit for a three year old NAS box? Probably not. Either the company is out of business, stopped making NAS devices or doesn't care. Oh just buy a new one right? I am sure the person who owns the NAS is going to buy the latest model and transfer a terabyte or more. If they even know how to. Then throw in the fact that most entry level and consumer NAS devices have sickly slow ARM SoCs that can barely push 10MBps. As long as it can stream photos, music or movies over WiFi to laptops, tablets, STB's or phones then it's all good.

      Me? It's either Debian or FreeNAS. And FreeNAS is about as easy as it gets. It blows away any NAS on the market. The only issue is hardware cost can approach $1000 for a decent rig with ECC ram and 5 or more disks. Especially if you are running ZFS as ZFS needs ECC.

    • (Score: 0) by Anonymous Coward on Wednesday August 06 2014, @06:28PM

      by Anonymous Coward on Wednesday August 06 2014, @06:28PM (#78149)

      I have one of these and it works just fine. I needed to patch, but wasn't affected by the malware either. As long as you're not pointing the thing at your face and pulling the trigger, I don't think slow updates are that big a deal.

  • (Score: 2) by Runaway1956 on Tuesday August 05 2014, @03:54PM

    by Runaway1956 (2926) Subscriber Badge on Tuesday August 05 2014, @03:54PM (#77635) Journal

    I read the headline. I read "Synology NSA Units hit by Ransomware". I actually thought that the NSA was under attack. Some sneaky person changed the order of those letters before I came back to read the article!! Mr. Nemesis, did you do that?!?!?! Hey, why don't you rewrite the article, and submit it to The Onion? I'll enjoy that article a whole lot more!!

    *sigh*

    Lameness filter encountered. Post aborted!
    Filter error: Please don't use so many caps. Using caps is like yelling!

    Alright, when you read this, just imagine that "did you do that" is all caps. I intended to yell a little. How the heck can you do pseudo-drama without a little yelling?