Synology Urges You To Be On Guard Against Ransomware

Ransomware is one of the nastiest kinds of software in existence and, in theory, it could hit anyone. Some people naturally run a greater risk, through the kind of work and tasks they do with their systems. But in theory anyone can be unlucky enough to be hit by this kind of evil-doing through security holes in the software they use.

This warning and reminder isn’t based on a specific new kind of ransomware; it is more to raise awareness of this kind of threat. Encryption-based ransomware such as CryptoWall, CryptoLocker, or TorrentLocker is on the rise, and it doesn’t just target Windows-based systems as many believe: it has also begun targeting network-based storage devices. Because of its stealthy nature and disastrous effects, ransomware is commonly perceived as a sophisticated, highly destructive, and unstoppable malware threat.

An advanced user isn’t really afraid of ransomware, as they usually back up everything onto their network-connected devices, or work directly from there via permanent shares and iSCSI setups. In the case of an infection, they simply wipe their system and install it again, and that would be the end of that story. The creators of this kind of nasty software know that and want a piece of that pie too, which is why they have started to attack other systems besides workstations.

Where there is a threat, there is a way to defend yourself against it, at least in 99.9 percent of situations.

  • Update your operating system. Most people are up to date on their Windows and OS X updates simply because they are told when the updates are available. But when was the last time you updated your NAS OS? Most NAS systems have automatic update features available, and you should at the very least enable this for critical updates.
  • Install security software. Good anti-virus software is a good place to start, and you’ll find solutions such as Avast or Intel Security among your NAS’ app offerings. It will take up some resources to have it running, but those are resources you should be happy to give up, especially if you use the automatic download features found in all NAS units.
  • Disable Remote Desktop Protocol. Remote Desktop Protocol (RDP) is a very common target for malware, which is why you should disable it if you don’t absolutely need it.
  • Install Mobile Apps and use Push Notifications. Applications for your smartphone and tablet are another great way to stay on top of your headless systems. Together with the push notifications feature you get up-to-date statuses from your system right into your pocket.
  • Beware of your actions. The golden rule is as it always has been: beware of what you do. Take the extra second to hover over a link and check the destination in the status bar before you click it, turn off features such as “Hide file extensions for known file types”, and don’t trust anything until you have verified its authenticity.
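As an added example, not part of Synology’s advice or of this article, two of the checks in the last bullet written out in Python: spotting a file whose real extension is hidden behind a document-like one (what “Hide file extensions for known file types” conceals), and spotting a link whose visible text names a different host than its actual destination (what hovering reveals). The file names and URLs are constructed for the example.

```python
import os
from urllib.parse import urlparse

# Extensions Windows will execute directly. With "Hide extensions for known file types" on,
# a file called "holiday.jpg.exe" is shown to the user as "holiday.jpg".
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".msi"}
# Extensions an attacker puts in front of the real one so the name looks like a document or photo.
DOCUMENT_LOOKALIKES = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".txt", ".xls"}


def disguised_executable(filename: str) -> bool:
    """True when an executable extension sits behind a document-like one (e.g. photo.jpg.exe)."""
    root, last = os.path.splitext(filename.lower())
    if last not in EXECUTABLE_EXTENSIONS:
        return False
    _, second = os.path.splitext(root)
    return second in DOCUMENT_LOOKALIKES


def link_destination_mismatch(anchor_text: str, href: str) -> bool:
    """True when the visible link text names one host but the href points at a different one.

    Plain words such as "Click here" name no host and are never flagged. A bare domain in the
    text ("synology.com") matching a subdomain in the href ("www.synology.com") is accepted.
    """
    if "." not in anchor_text:
        return False
    shown = urlparse(anchor_text if "://" in anchor_text else "http://" + anchor_text)
    real = urlparse(href)
    if not shown.hostname or not real.hostname:
        return False
    return not (real.hostname == shown.hostname or real.hostname.endswith("." + shown.hostname))


if __name__ == "__main__":
    # Constructed inputs, not taken from any real message.
    for name in ("holiday.jpg.exe", "report.pdf", "setup.exe"):
        print(name, "->", "disguised" if disguised_executable(name) else "ok")
    print(link_destination_mismatch("www.synology.com/support", "http://synology-login.example.test/"))
```

`disguised_executable` deliberately does not flag a plain `setup.exe`: the point is the hidden second extension, not executables as such.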

This time the warning came from Synology, but in theory it could have come from any of the big manufacturers. The bigger a company and brand gets, the more likely it is that their systems will be actively searched for vulnerabilities. Luckily Synology and other NAS vendors have even more features that will help you in case you get hit by this kind of malware.

A multi-version backup of all your files is naturally the best defense. If everything is backed up, the evil ones can take their ransom demand and stick it where the sun doesn’t shine. Backing up all your vital files from your system onto your NAS is the first step, and from there you should have at least one more backup step: this could be a cloud solution, another NAS, or external drives, for example. Synology’s new Cloud Station Backup app can do all this for you through a single app, so it is as easy as it’s ever been. Hyper Backup is another awesome tool that lets you enjoy a full range of multi-version backup destinations, from local shared folders, expansion units, and external hard drives to network shared folders, Rsync servers, and public cloud services. It can also isolate data for further protection from internet threats.

If your system supports Snapshot Replication through the Btrfs file system, then you have another level of protection right there. Snapshot Replication allows you to replicate data from a primary site to an offsite location as often as every 5 minutes (every 15 minutes for LUNs), ensuring all your critical data in shared folders or virtual machines in iSCSI LUNs can be recovered quickly in the event of a disaster.

Synology has also put up a mini-site that summarizes all this information along with the steps to follow if you have been affected. The fact that this site was even made speaks for the severity of these attacks and how far they’re spreading. So be aware, practice safe surfing, and show an evolved behavior.

Library Management Software May Be Open to Ransomware Attacks

When it comes to software, schools are either on top of it or a little behind, mostly because of the budgets they have to deal with. One piece of software that is often ignored by schools, which tend to work on an “if it isn’t broken we don’t need to replace it” policy, is the library management software. If people are using any of Follett’s old library management software, they may want to change that approach and update soon, as it’s been revealed that the software may be open to ransomware attacks.

The vulnerability was discovered by Cisco’s Talos group, which found that attackers could remotely install backdoors and ransomware code on the JBoss web server element of the library management system, leaving users with either a large bill or no access to their library’s information.

Follett has not sat idly by: it has already released a patching system to fix the flaws that expose the system, and it even picks up any unofficial files which may have been snuck on to compromise the servers. Working with the Talos group, Follett is seeking to inform customers about the security risk and how to address the issue, potentially removing the threat and the damage it could do before someone manages to make any money off of your local schools’ library.

Get Your System Back From Petya Without Paying a Penny!

When it comes to security threats and risks, the community as a whole is at its best when it has a common goal. An example of this was two weeks ago, when a new ransomware was found going by the name Petya. Petya didn’t act like normal ransomware but instead went after your master boot record, often locking people out of their entire system until they received their password after paying a nice little fee. That was until some clever people got together to create tools to get your system back from the ransomware without paying a single penny!

The original web tool came from the Twitter account @leostone and lets you retrieve your files by providing it with a selection of data from the infected hard drive. Getting that data may seem difficult, but a separate researcher created a tool titled Petya Sector Extractor that can find and retrieve the required data in seconds.

By removing the hard drive and plugging it into another computer, these tools can work together to retrieve the password required to unlock your master boot record from the clutches of Petya. The sector extractor tool is hosted by Bleeping Computer, a computer self-help forum, which reports that not only does the technique work but has also provided a step-by-step tutorial for anyone who isn’t 100% sure how to get all their family photos back at zero cost.

Ransomware Just Got Worse By The Use of JavaScript

Ransomware is probably one of the peskiest and most annoying things that your computer can catch. Not only do you lose access to your files, you have to pay a criminal to release them again. Even if you choose to pay, there is no guarantee whatsoever that the criminal will release the files, or won’t hide more malware to hit you again once you are “free”. If that wasn’t bad enough, a new version of Ransom32 has arrived that exploits JavaScript in order to infect you, and worst of all, barely any anti-virus and anti-malware programs will catch it at this time.

While all this sounds bad, there are ways to protect yourself, and if you use common sense while surfing the web, then you should be safe anyway. Stay away from dubious websites and don’t touch any archive or executable downloaded from anything but official manufacturer websites. But let us get back to the new malware in question, the ransomware called Ransom32.

Ransom32 is built on the NW.js framework, which was developed to build desktop applications on a JavaScript base. A really cool framework, by the way. That, unfortunately, means that where we usually only see Windows users at risk, those with Linux and Mac OS are equally vulnerable to Ransom32. Thanks to the use of this framework, the ransomware is able to get past the sandbox environment that JavaScript runs in these days.

The security researcher Fabian Wosar from Emsisoft discovered the new Ransom32 as a self-extracting RAR archive. If that archive is unpacked, it hides in your temp folder and disguises itself as the Chrome web browser, visible as Chrome.exe. This is where advanced users would already have noticed it and not used any automatic-unpack function. However, should the new chrome.exe be executed, it will start to encrypt all your files with AES-128 in CTR mode and also place itself firmly in the system’s autostart features.

The Ransom32 creators have also made it very easy for people to use their tool. Evil-minded people can access the tool via a Tor address. When on the site, they can customize the tool’s features before downloading it. The creators reportedly also use the same network for their control servers and connections. To top the whole thing off, the creators take 25 percent of the accumulated ransoms for themselves, and everything stays anonymous thanks to the use of Bitcoin.

We can only hope that the virus scanners and anti-malware tools get an update soon so the less tech-minded people won’t get infected by this nasty new piece of software. You can also read a lot more details about this new piece of software on the Emsisoft blog.

TalkTalk Allegedly Knew About Hack a Week Ago and Tried to Cover It Up

While TalkTalk publicly admitted on Thursday night (22nd October) to its servers being hacked – “a significant and sustained cyberattack,” in its own words – the UK internet service provider is accused of knowing about the hack for up to a week before revealing it, and of trying to cover it up.

According to reports in The Telegraph, TalkTalk customers experienced attacks on their home computers and phone calls from scammers who knew their names and account details the week before the company made an official statement regarding the hack.

“Someone rang up on Monday claiming to be from TalkTalk and they had all my account details,” Mr Walter, a Senior Analytics Director for Moody’s and TalkTalk customer, told The Telegraph. “My partner gave them remote access to our laptop before realising it was a scam, and pulling the plug. But a virus had already been put on the computer and it’s going to cost time and money to sort out. I think TalkTalk’s actions have shown extremely poor regard for their customers, and a failure to encrypt the data was sloppy in the extreme.”

“I have received two phone calls – one last Friday, the 16th, and then again this Tuesday,” another customer, Jeremy Cotgrove, revealed. “Both sounded dodgy, a delay on the line and someone speaking very poor English. I just put the phone down as it did not sound kosher.”

Keith Vaz, the Labour Member of Parliament for Leicester East and Chairman of the Home Affairs Select Committee, said that there was emerging evidence to support the assertion that TalkTalk had tried to hide the scale of the crime. “Suggestions that TalkTalk has covered up both the scale and duration of this attack are alarming and unacceptable and must be thoroughly investigated,” Vaz added.

The attackers, who used a simple SQL injection to access the servers – described as the equivalent of TalkTalk “leaving the backdoor open” – have purportedly sent a ransom e-mail to CEO Baroness Harding of Winscombe, the Conservative peer professionally known as Dido Harding, who also admitted that some sensitive user data had not been encrypted.

Image courtesy of The Drum.

TalkTalk CEO Received Ransom E-Mail Following Hack

Following last night’s cyber-attack on UK internet service provider TalkTalk, the company’s Chief Executive has revealed that she personally received a ransom e-mail, purportedly from the parties responsible. CEO Dido Harding admits that she does not know if the e-mail is genuine, but it has been passed on to the police and will form part of the investigation into the perpetrators.

“It is hard for me to give you very much detail, but yes, we have been contacted by, I don’t know whether it is an individual or a group, purporting to be the hacker,” Harding told the BBC. When asked if the ransomers wanted paying, she responded, “It is a live criminal investigation […] All I can say is that I had personally received a contact from someone purporting – as I say I don’t know whether they are or are not – to be the hacker looking for money.”

“I’m very sorry for all the frustration, worry and concern this will inevitably be causing all of our customers,” Harding added.

Adrian Culley, a former Scotland Yard detective turned cyber-security consultant, told the Today programme on BBC Radio 4 that a Russian Islamist group had taken responsibility for the attack.

In a statement, TalkTalk admitted that not all of the user data it stores had been encrypted, and could include:

  • Names and addresses
  • Dates of birth
  • Email addresses
  • Telephone numbers
  • TalkTalk account information
  • Credit card and bank details

Are you a TalkTalk customer? Are you concerned about your details falling into the wrong hands? And are you considering changing your ISP in the wake of this hack?

Image courtesy of TalkTalk

Android Ransomware Gets Cruel – Requires Factory Reset

We’ve all been told about viruses, be it at school or by our children; we all know that they are nasty little pieces of code that can do some nasty things to our PCs. Fewer people have heard about ransomware, though, a form of virus (or rather malware) that seeks to give the creator a little more of a benefit than just chaos and anarchy. Ransomware is built so that those infected are asked to pay for the device to return to normal, or for files to be decrypted, so that users can regain access to their systems. In this day and age this can be disastrous, as we often live with our devices providing reminders and memories that cannot be retrieved if lost, even more so if they are on your smartphone.

Dubbed Android/Lockerpin.A, it is the latest in a long line of malware that targets the devices you hold and cherish in your everyday use. The app works by overlaying a screen, similar to the ones you get when you update your phone, over the permissions screen, meaning that when you click yes what you are actually doing is giving the app device administrator rights. It then changes your lock screen PIN and asks for a payment of $500 (approximately £325). If you choose not to pay, the only way to remove the software, thanks to its administrator rights, is to do a factory reset.

While only a small-time danger due to its distribution via third-party apps for Android, the problem with software like this is that it often gathers speed and momentum, sometimes even managing to spread to other devices through legitimate apps.

Thank you Ars Technica for the information and the image. 

Windows 10 Ransomware Discovered

Well, this didn’t take long! A new form of ransomware has been discovered which, if downloaded, will automatically encrypt your files before demanding a fee to unlock them. The distributors of this malicious code are attempting to impersonate Microsoft by “offering” users a free upgrade via email. This scam takes full advantage of the Windows 10 download process, which asks consumers to wait in a metaphorical line for the upgrade.

So how does it work?

The distribution works by sending an email to consumers offering them a free Windows 10 upgrade. A sample of this type of email is below. Firstly, the “from” address on the email is spoofed (update<at>microsoft.com): it is not actually from Microsoft but from an IP address in Thailand. The attackers are also using a colour scheme similar to Microsoft’s, with the aim of luring consumers into accepting this email as genuine.

The next red flag is the letter format, which does not parse properly. This could be due to the targeted audience, a demographic using a non-standard character set, or the character set the adversaries were using to craft the email. Another suspicious but sneaky technique is the mail virus scanner notice, which indicates the email is fine; it links to an open source mail scanner, but this is designed to trick users.
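The red flags described in the last two paragraphs can be checked mechanically from the message headers and body. The following is an added example, not code from Cisco or from this article: it parses a constructed sample message with Python’s standard `email` package and reports a spoofed sender (visible From domain disagreeing with the envelope sender and with the originating relay), an archive attachment, and a body that vouches for its own virus scan. All hostnames, addresses and the attachment are made up for the example; the article’s screenshot is not reproduced.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample message modelled on the red flags the article describes. No header,
# address or relay here comes from a real message; the attachment is an empty zip file.
SAMPLE_EMAIL = b"""\
Received: from mail.bulk-relay.example (203.0.113.7) by mx.recipient.example; Fri, 31 Jul 2015 10:00:00 +0000
Return-Path: <bounce@bulk-relay.example>
From: Microsoft <update@microsoft.com>
To: user@recipient.example
Subject: Your free Windows 10 upgrade is ready
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="part-boundary"

--part-boundary
Content-Type: text/plain; charset="utf-8"

Your upgrade is ready. Run the attached installer to begin.
This message was scanned by free-scanner.example - no virus found.
--part-boundary
Content-Type: application/zip; name="Win10Installer.zip"
Content-Disposition: attachment; filename="Win10Installer.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--part-boundary--
"""

# Attachment types the article's scam relies on (a zip wrapping an executable).
RISKY_EXTENSIONS = (".zip", ".exe", ".scr", ".js")


def domain_of(address_header: str) -> str:
    """Lower-cased domain part of an address header such as 'Name <user@host>'."""
    _, addr = parseaddr(address_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def header_red_flags(raw: bytes) -> list:
    """Return short finding codes for the red flags present in one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    from_domain = domain_of(str(msg["From"]))

    # Flag 1: the envelope sender (Return-Path) is in a different domain than the visible From.
    return_domain = domain_of(str(msg["Return-Path"] or ""))
    if return_domain and return_domain != from_domain:
        findings.append("return-path-domain-mismatch")

    # Flag 2: the earliest Received hop (last in header order) is not a host of the From domain.
    # This is the header-level counterpart of "not actually from Microsoft but from another IP".
    received = [str(h) for h in msg.get_all("Received", [])]
    if received:
        m = re.search(r"from\s+([\w.-]+)", received[-1])
        origin = m.group(1).lower() if m else ""
        if origin and not (origin == from_domain or origin.endswith("." + from_domain)):
            findings.append("received-host-mismatch")

    # Flag 3: an archive or executable attachment.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append("risky-attachment:" + name)

    # Flag 4: the body vouches for its own safety; a real scanner verdict would not live here.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    if re.search(r"scanned by|no virus found|virus[- ]free", text, re.IGNORECASE):
        findings.append("self-declared-virus-scan")
    return findings


if __name__ == "__main__":
    for finding in header_red_flags(SAMPLE_EMAIL):
        print(finding)
```

Flags 1 and 2 are heuristics: legitimate bulk mail is often relayed through a third-party domain, so on their own they justify suspicion rather than a verdict, which is the same conclusion the article draws about the “from” address.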

What is the Payload of the virus?

If this email is taken as genuine correspondence from Microsoft, you will be asked to download a zip file which contains an executable file. Once run, the below screenshot will pop up. The payload is CTB-Locker, a ransomware variant that is currently being delivered to users at a high rate; whether via spam messages or exploit kits, adversaries are dropping a huge number of different variants of ransomware. The functionality is similar to this kind of ransomware, with a few extra features including the use of elliptic curve cryptography, which provides the same public/private key encryption but with a different type of algorithm with lower overheads.

Another feature of this locker is the use of hard-coded IP addresses on non-standard ports to establish communication. There is also a significant amount of data being exchanged between systems, which is largely uncharacteristic for ransomware. An analysis of network traffic reveals that there were ~100 network streams to various IP addresses. The most common ports being utilized are 9001, 443, 1443, and 666.
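The traffic pattern just described, many streams to many addresses on a few unusual ports, is something a defender can look for in connection logs. The following is an added example, not part of the article or of Cisco’s analysis: it runs a simple fan-out check over constructed connection records. The port set comes from the paragraph above; the thresholds and the sample flows are assumptions made for the example.

```python
from collections import defaultdict

# Ports the article reports as the most common in the locker's traffic. 443 is ordinary HTTPS
# and proves nothing on its own; the other three are unusual destinations for a workstation.
REPORTED_PORTS = {9001, 443, 1443, 666}
NON_STANDARD_PORTS = REPORTED_PORTS - {443}


def make_sample_flows():
    """Constructed connection records (src, dst, dst_port); not captured traffic.

    One host talks to 100 distinct addresses spread across the reported ports (the pattern the
    article describes); another only does ordinary browsing to two hosts.
    """
    flows = []
    cycle = sorted(REPORTED_PORTS)
    for i in range(100):
        flows.append(("10.0.0.5", f"198.51.100.{i}", cycle[i % len(cycle)]))
    for _ in range(5):
        flows.append(("10.0.0.9", "192.0.2.10", 443))
        flows.append(("10.0.0.9", "192.0.2.11", 80))
    return flows


def suspicious_hosts(flows, min_destinations=20, min_nonstandard=5):
    """Return {src: summary} for hosts whose outbound behaviour matches the description:
    many distinct destinations combined with repeated use of the non-standard ports.
    Both thresholds are constructed defaults, not values from the analysis."""
    dests = defaultdict(set)
    nonstd = defaultdict(int)
    ports = defaultdict(set)
    for src, dst, port in flows:
        dests[src].add(dst)
        ports[src].add(port)
        if port in NON_STANDARD_PORTS:
            nonstd[src] += 1
    result = {}
    for src in dests:
        if len(dests[src]) >= min_destinations and nonstd[src] >= min_nonstandard:
            result[src] = {
                "destinations": len(dests[src]),
                "nonstandard_streams": nonstd[src],
                "ports": sorted(ports[src] & REPORTED_PORTS),
            }
    return result


if __name__ == "__main__":
    for host, summary in suspicious_hosts(make_sample_flows()).items():
        print(host, summary)
```

Requiring both conditions keeps a busy browser (many destinations, all on 443) and a single odd connection (one stream on 9001) from being flagged; only the combination the article describes trips the check.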

So how do I protect myself from this threat?

Be very careful with emails of this nature: look at the details and, if unsure, research it; staying current and educated on the nature of these threats is a powerful weapon. Always question a “Free Upgrade” which is sent to your inbox, and never open or install an executable or any other file without checking the authenticity of the email and file. If in doubt, don’t open it.

These scams are becoming more sophisticated for the average user with the aim of virtually locking your files up. Always perform regular backups and use an up to date antivirus scanner as a matter of course.

Thank You to Cisco Blogs for providing us with this information

Image courtesy of digitallife

Bit Defender Admits To Being Hacked

Oh, the irony never fails to amuse: an anti-virus company which boasts of keeping customers safe from online threats has itself fallen victim to a hack. Kaspersky discovered a bot within their system, and now so has Bit Defender, who have admitted to being hacked.

Bit Defender’s security policy will be under heavy criticism after a hacker going by the name of DetoxRansome claimed to have access to Bit Defender customer information which allegedly includes passwords. The hacker also claims this information was stored in an unencrypted format by the antivirus giant.

Bit Defender has responded, stating that it identified a “potential security issue with a server and determined a single application was targeted within a component of its public cloud offering”. The company has also responded to the amount of data which might have been leaked by stating that the “exposure of a few user accounts and passwords is very limited and it represents less than one percent of our SMB customers”.

There are reports that the hacker has demanded Bit Defender pay a ransom of $15,000, or see all the information dumped online. As noted by news sources, the hacker looks to have dumped around 250 customers’ usernames and passwords onto the web. Among the names were addresses ending in .gov, which indicates government customers might have been affected.

The hacker’s version is the following: “We had taken control of two BitDefender cloud servers and got all logins. Yes, they were unencrypted, I can prove it… they were using Amazon Elastic Web cloud which is notorious for SSL [a form of web encryption] problems.”

The level of severity depends on which version you believe: either Bit Defender has had only a reported 1% of its data compromised, or the whole lot. One thing looks apparent: for the love of god, why oh why did they not encrypt sensitive information? If a company offers cloud storage then this has to be secure, or as near as.

In the corporate world, as consumers you receive corporate promises; it looks excellent on the outside, but dig deeper and your logins might be on the open web. Only time will tell to what extent Bit Defender has been compromised; let’s hope this is an alarm call to change practices when storing sensitive information online, or not, as is all too often the case.

Original Bit Defender logo courtesy of dev0blog

Thank You Forbes for providing us with this information

Synology NAS OS Vulnerable to CryptoLocker [updated]

The operating system run on Synology’s NAS devices, called DiskStation Manager (DSM), is reportedly vulnerable to a CryptoLocker hack. This particular version has been dubbed SynoLocker and is holding the infected NAS devices for ransom.

The nature of how the systems get infected is still unclear, but once infected, the malware encrypts parts of the data until you pay 0.6 Bitcoin (about £208 at the current rate). Decryption is promised upon payment, but there is no guarantee it will happen, or that you won’t be infected again.

The company believes it to be limited to devices still running non-updated versions of DSM 4.3; they are, however, still investigating whether the vulnerability could also affect the newer version 5.0, just in case.

While a press release is being prepared, Synology gave this emergency statement:

You may have heard by now that DSM is undergoing a CryptoLocker hack called SynoLocker – as of yesterday (08/03/14). It’s a BitCoin Mining hack that encrypts portions of data, and ransoms the decryption key for .6 BitCoin ($350). So far, it looks like the matter is localized to non-updated versions of DSM 4.3, but we are actively working on, and researching the issue to see if it also affects DSM 5.0 as well.

In the interim, we are asking people to take the following precautions:
A. Close all open ports for external access as soon as possible, and/or unplug your Disk/RackStation from your router
B. Update DSM to the latest version
C. Backup your data as soon as possible
D. Synology will provide further information as soon as it is available.

If your NAS has been infected:
A. Do not trust/ignore any email from unauthorized/non-genuine Synology email. Synology email always has the “synology.com” address suffix.
B. Do a hard shutdown of your Disk/RackStation to prevent any further issues. This entails a long-press of your unit’s power button, until a long beep has been heard. The unit will shut itself down safely from that point.
C. Contact Synology Support as soon as possible at, http://www.synology.com/en-global/support/knowledge_base

[UPDATE 16:50 GMT]

Since we originally posted this, we’ve received an official statement from Synology via email. The problem is more limited than first thought and only affects a few software versions. As initially suggested, those with up-to-date systems can feel safe from this threat.

Synology are fully dedicated to investigating this issue and possible solutions. Based on their current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013. At present, we have not observed this vulnerability in DSM 5.0.

For NAS servers running DSM 4.3-3810 or earlier, if users encounter any of the below symptoms, Synology recommends they shut down their system and contact the technical support team.

  • When attempting to log in to DSM, a screen appears informing users that data has been encrypted and a fee is required to unlock data.
  • A process called “synosync” is running in Resource Monitor.
  • DSM 4.3-3810 or earlier is installed, but the system says the latest version is installed at Control Panel > DSM Update.

For users who have not encountered any of the symptoms stated above, we highly recommend downloading and installing DSM 5.0, or one of the versions below:

  • For DSM 4.3, please install DSM 4.3-3827 or later
  • For DSM 4.1 or DSM 4.2, please install DSM 4.2-3243 or later
  • For DSM 4.0, please install DSM 4.0-2259 or later

It is easy to update the Disk Station Manager OS by going to Control Panel and then navigating to the DSM Update. Users can also manually download and install the latest version from Synology’s Download Center. If you notice any strange behaviour or suspect your Synology NAS has been affected by the above issue, you’re also encouraged to contact Synology at security@synology.com where a dedicated team will look into each case.
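The symptom list and the version table above can be turned into a small self-check. The following is an added example, not Synology’s tooling or anything from the statement: it parses a DSM version string of the form shown above (“DSM 4.3-3810”) and decides whether the installed build is older than the fixed build for its line, and it checks two of the listed symptoms (a “synosync” process and DSM Update claiming an affected build is the latest). The process names are constructed; treating DSM 5.0 as unaffected follows the statement, and treating anything older than DSM 4.0 as needing the recommended 5.0 upgrade is an assumption, since the table does not list those lines.

```python
import re

# Minimum fixed build per affected DSM line, from the update list in the statement.
# Keyed by (major, minor) of the installed version; value is the (major, minor, build) to install.
FIXED_VERSIONS = {
    (4, 3): (4, 3, 3827),
    (4, 2): (4, 2, 3243),
    (4, 1): (4, 2, 3243),   # 4.1 users are told to move to 4.2-3243 or later
    (4, 0): (4, 0, 2259),
}

# Process name listed as a symptom in Resource Monitor.
SYMPTOM_PROCESS = "synosync"


def parse_dsm_version(text: str):
    """Turn 'DSM 4.3-3810' (or '4.3-3810') into the tuple (4, 3, 3810)."""
    m = re.fullmatch(r"(?:DSM\s+)?(\d+)\.(\d+)-(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised DSM version: {text!r}")
    return tuple(int(x) for x in m.groups())


def needs_update(text: str) -> bool:
    """True when the installed build is older than the fixed build for its line.

    DSM 5.0 and later are treated as not affected, as the statement says. Lines older than 4.0
    are not in the table; they are treated as needing the recommended 5.0 upgrade (assumption).
    """
    major, minor, build = parse_dsm_version(text)
    if (major, minor) >= (5, 0):
        return False
    target = FIXED_VERSIONS.get((major, minor))
    if target is None:
        return True
    return (major, minor, build) < target


def shows_symptoms(version: str, running_processes, dsm_update_says_latest: bool) -> bool:
    """Two of the listed symptoms: a 'synosync' process, or DSM Update reporting that an
    affected build is already the latest version."""
    if SYMPTOM_PROCESS in (p.lower() for p in running_processes):
        return True
    return dsm_update_says_latest and needs_update(version)


if __name__ == "__main__":
    # Constructed inputs for illustration.
    for v in ("DSM 4.3-3810", "DSM 4.3-3827", "DSM 4.1-2668", "DSM 5.0-4493"):
        print(v, "needs update" if needs_update(v) else "ok")
    print(shows_symptoms("DSM 4.3-3810", ["httpd", "synosync"], False))
```

The tuple comparison is what makes the table usable: `(4, 1, 2668) < (4, 2, 3243)` is true for every 4.1 build, which matches the instruction that all 4.1 and 4.2 users go to 4.2-3243 or later.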

Thank you TechPowerUp for providing us with this information

Image courtesy of Synology

UK’s National Crime Agency Gives Two-Weeks Notice Regarding GoZeuS and CryptoLocker

The UK National Crime Agency is warning the public to take advantage of a two-week window in order to protect themselves from two major malware families roaming the internet, GoZeuS and CryptoLocker, which are responsible for transferring cash out of online accounts and holding personal data for ransom.

The NCA stated that the alert is one of the largest industry and law enforcement collaborations to date, and that the FBI’s involvement in several countries has weakened the global network of infected computers, meaning that the notice and prevention ahead of renewed malware activity can help diminish the chance of infection.

GoZeuS, also known as P2PZeuS or Gameover ZeuS, and CryptoLocker are said to target all versions of Windows operating systems, including those running in virtual environments, servers or embedded versions. The agency also states that the malware is responsible for transferring hundreds of millions of pounds around the world.

In cases where GoZeuS cannot transfer significant amounts of money from a personal computer, CryptoLocker is said to be called in as a back-up plan, locking the user’s personal data and holding it for ransom, currently priced at 1 Bitcoin. The recent estimate of infected systems is said to be 15,500 PCs in the UK alone.

The infection is said to occur by clicking fake links or attachments in e-mails sent by people in the contact book who have already been infected by the malware. The NCA recommends that users always keep their software up to date and check their computers for infection using antivirus software.

Thank you TheNextWeb for providing us with this information
Image courtesy of TheNextWeb

Australian Apple Devices Get Hijacked Using ‘Find My iPhone’ Feature

Apple’s Find My iPhone feature is one of the most important of the company’s security features, having the ability to find, lock and even erase an iPhone, iPad, iPod or Mac’s data in case it is stolen or lost. However, what would happen if it were somehow ‘hijacked’? Some Apple users from Australia might have an idea about that now, since their devices were hijacked by a hacker or a group of hackers.

The hacker (or group of hackers; neither the number nor the identity has been officially confirmed) locked the devices using Apple’s own Find My iPhone feature and held them for ransom, having set up a PayPal account to receive the money demanded in order to regain access to the devices.

What is known about the individual(s) is that he/they go by the name of “Oleg Pliss”. The ransom amount varied from $50 to $100 and the instructions were quite clear: transfer the named amount of money to the PayPal account displayed in the message. Fortunately, users who had set a passcode on their devices were able to regain access quickly, due to the fact that nobody can add or change a passcode on a device that already has one.

Less fortunate users, however, had to deal directly with Apple Support to solve their hijacking problems. The reports indicate that the incident occurred only in Australia, though there are some reports indicating similar issues in New Zealand and the UK.

The exact method of hacking has not yet been confirmed, though it is believed to have something to do with users recycling passwords that were captured in other internet breaches.

Either way, Apple users have been advised to change their passwords to a more unique combination, or even to enable two-factor authentication, and to set passcodes on all of their devices.

Thank you Engadget for providing us with this information
Image courtesy of Engadget