Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Synology NAS. Show all posts

Update Your Synology Devices Now to Avoid Serious Security Risks




Synology, a leading provider of network-attached storage (NAS) devices, has resolved critical security flaws in its products. The company is urging users to update their devices immediately to prevent potential cyberattacks that could exploit these vulnerabilities, allowing hackers to take control without user intervention.  


What Were the Security Flaws?  

The issues were found in Synology’s Photos for DMS and BeePhotos for BeeStation applications. These vulnerabilities, revealed at the Pwn2Own Ireland 2024 cybersecurity competition, could have enabled attackers to execute harmful commands remotely.  

Such vulnerabilities, known as “remote code execution” flaws, are particularly dangerous because they require no action from the user. Hackers could exploit these flaws to gain unauthorized access to sensitive data, deploy ransomware, or seize full control of the affected device.    

In response, Synology quickly developed and released patches to address these security gaps. By applying these updates, users can secure their devices and reduce the risk of cyberattacks. This proactive approach ensures that sensitive information stored on NAS devices remains protected.  


Why This is Crucial  

NAS devices, often connected to the internet, store critical data such as documents, photos, and financial information. Without regular updates, these devices can become easy targets for cybercriminals. Synology’s timely patches are essential in reducing the likelihood of ransomware attacks, data breaches, and other malicious activities.  


How the Flaws Were Discovered  

The vulnerabilities were identified during the Pwn2Own Ireland 2024 competition, an event organized by Trend Micro's Zero Day Initiative (ZDI). This competition rewards ethical hackers for uncovering weaknesses in digital devices, including NAS systems, cameras, and smart home equipment.  

At the event, researchers received over $1 million in total rewards, with $260,000 awarded for finding flaws in Synology products. Thanks to these discoveries, Synology was able to act quickly to safeguard its users.  


Steps Users Should Take  

To protect their devices, Synology advises all users to install the latest updates as soon as possible. Enabling automatic updates and periodically checking for new patches can further strengthen security.  

By addressing these issues promptly, Synology has demonstrated its commitment to user safety. However, it is equally important for users to remain vigilant and prioritize updating their devices to defend against cyber threats.  

Zero-Click Vulnerability in Popular NAS Devices Exposes Millions to Cyber Attacks

 

A widely used device and application for storing documents, trusted by millions of users and businesses globally, has been found to have a vulnerability. A team of Dutch researchers revealed that this zero-click flaw could potentially compromise many systems worldwide.

This flaw, termed "zero-click" because it requires no user interaction to trigger, affects Synology's photo application, a default program on network-attached storage (NAS) devices from the Taiwanese company. Through this vulnerability, attackers could gain unauthorized access to these devices, allowing them to steal files, plant malicious code, or install ransomware, which could lock users out of their data.

The Synology Photos app comes pre-installed on Synology’s BeeStation storage devices and is also popular among users of their DiskStation models. These NAS devices enable users to expand storage via add-on components. Since 2019, Synology and other NAS brands have frequently been targeted by ransomware groups. Recently, DiskStation users have reported specific ransomware attacks. The vulnerability was uncovered by Rick de Jager, a security researcher with Midnight Blue in the Netherlands, during the Pwn2Own hacking event in Ireland. De Jager and his team identified hundreds of thousands of vulnerable Synology NAS devices online, although they warn that the real number of at-risk devices is likely in the millions.

The researchers, alongside the Pwn2Own organizers, alerted Synology about the flaw last week.

Network-attached storage systems are attractive targets for cybercriminals due to the large volumes of data they store. Many users connect their NAS directly to the internet or utilize Synology’s cloud storage for backup. Although security credentials can be required to access the devices, this specific zero-click flaw in the photo app doesn’t require authentication. Attackers can exploit it remotely over the internet, granting them root access to execute malicious code on the device.

The photo app allows users to organize images and provides attackers easy access whether the NAS is connected directly to the internet or via Synology’s QuickConnect, which offers remote access. Once an attacker compromises one cloud-connected Synology NAS, it becomes easier to identify others, thanks to how the system registers and assigns IDs.

The researchers found several cloud-connected Synology NAS devices linked to U.S. and French police departments, as well as numerous law firms in North America and France. Other compromised devices were used by logistics and oil companies in Australia and South Korea, along with maintenance firms in South Korea, Italy, and Canada, serving industries like energy, pharmaceuticals, and chemicals.

“These organizations store a range of critical data, including management documents and sensitive case files,” Wetzels said.

Beyond ransomware, the researchers warn of other threats, such as botnets, which infected devices could join to assist in hiding broader hacking operations. The Chinese Volt Typhoon group, for example, previously used compromised home and office routers to mask espionage activities.

Synology has not responded publicly to requests for comment, but on October 25, the company issued two security advisories marking the vulnerability as “critical.” Synology confirmed the discovery was made during the Pwn2Own contest and released patches for the flaw. However, without automatic updates on NAS devices, it is unclear how many users are aware of or have implemented the patch. Releasing the patch also increases the risk that attackers could reverse-engineer it to exploit the vulnerability.

While finding the vulnerability independently is challenging, “it’s not hard to connect the dots from the patch,” Meijer explained.