Last Monday, SANS ISC broke the news that video surveillance camera DVRs were being exploited and used to scan for Synology devices exposed on port 5000. Norse threat analysts had been tracking this and related activity since the beginning of February 2014, and have found that the threat actors are using multiple source systems in North America, Europe and Asia to carry out this malicious activity.
Norse analysis also corroborates the findings from SANS ISC. In addition, this threat actor (or actors) is using multiple source systems (potentially a botnet) to target port 5000 and the recently announced vulnerabilities in Synology DiskStation Manager (DSM). Using Norse's dark intelligence gathering capabilities, we have put together a downloadable report on the attack methodology and on trends in the sources of the attacks. In sharing this information, Norse hopes to shed light on this activity so that fellow information security and IT professionals can use it to mitigate the threat to their networks and systems. Click here to download the report.
More on the Report:
- Shortly after a vulnerability in the Synology DSM was made public (reported as CVE-2013-6955 and CVE-2013-6987), this suspicious activity began.
- A Rapid7 Metasploit module was created in late January, and shortly thereafter an exploit video was posted.
- The activity targeting port 5000 appears to have started in the United States (US), Iceland (IS), France (FR) and Romania (RO).
- The motivation for this dramatic increase in suspicious activity could be the mining of alternative cryptocurrencies (alternatives to the well-known Bitcoin).
- Cryptocurrency mining causes high resource usage that results in significant performance impact and increased electricity costs. Users may experience extremely slow access times, timeouts, or even a complete denial of service to their NAS device.
- The compromised Synology systems not only provide free processing power and memory to the attacker, but also complete access to the data stored on the system, potentially including copyrighted, sensitive or protected data.
To address this threat and the associated risks, Norse threat analysts recommend that NAS devices not be public facing; system owners are responsible for protecting their own devices and information. Monitoring and detection, mitigations and compensating controls will help reduce the risks, but the threats facing system owners are constantly changing. With that said, the best way to ensure the confidentiality, availability and integrity of one's data, systems and networks is to leverage the various tools and capabilities designed to address and reduce those risks while contributing to your organization's success.
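One way to turn the monitoring and detection recommendation above into a concrete check, as an added example that is not part of the Norse report: a script that parses iptables-style firewall log lines, reports the non-LAN sources that reached TCP/5000 (evidence that the DSM interface is public facing) and raises an alert when several distinct sources probe it within a short window, which is the multi-source scanning pattern described above. The log prefix, the sample lines, the 5-minute window and the 3-source threshold are assumptions.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

DSM_PORT = 5000  # Synology DSM web interface port targeted by the scans
LOG_YEAR = 2014  # syslog lines carry no year; assumed for the constructed sample
LAN_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines in iptables LOG format (not captured traffic); RFC 5737
# documentation addresses stand in for Internet sources, one source is on the LAN.
SAMPLE_LOG = """\
Apr 10 03:12:01 nas kernel: DSM-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44120 DPT=5000 SYN
Apr 10 03:12:04 nas kernel: DSM-IN: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=5000 SYN
Apr 10 03:12:09 nas kernel: DSM-IN: IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.10 PROTO=TCP SPT=40011 DPT=5000 SYN
Apr 10 03:12:15 nas kernel: DSM-IN: IN=eth0 OUT= SRC=192.168.1.20 DST=192.0.2.10 PROTO=TCP SPT=55000 DPT=5000 SYN
Apr 10 03:40:00 nas kernel: DSM-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44300 DPT=443 SYN
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=TCP .*?DPT=(?P<dpt>\d+) (?P<flags>.*)$"
)

def parse_line(line):
    """Return (time, src, dst, dport) for a TCP SYN log line, else None."""
    m = LINE_RE.match(line)
    if not m or "SYN" not in m["flags"].split():
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["dst"], int(m["dpt"])

def find_dsm_probes(log_text, window=timedelta(minutes=5), min_sources=3):
    """Report non-LAN sources reaching the DSM port, and any window in which at
    least `min_sources` distinct such sources probed it (multi-source scanning)."""
    hits = [r for r in map(parse_line, log_text.splitlines()) if r and r[3] == DSM_PORT
            and not any(ip_address(r[1]) in net for net in LAN_NETS)]
    hits.sort()
    alerts = []
    for i, (ts, _, dst, _) in enumerate(hits):
        # distinct external sources that hit this destination inside the window
        sources = {s for t, s, d, _ in hits[:i + 1] if d == dst and t >= ts - window}
        if len(sources) >= min_sources and (not alerts or alerts[-1]["end"] < ts - window):
            alerts.append({"end": ts, "dst": dst, "sources": sorted(sources)})
    return {"external_sources": {h[1] for h in hits}, "alerts": alerts}

if __name__ == "__main__":
    report = find_dsm_probes(SAMPLE_LOG)
    print("Non-LAN sources that reached the DSM port:", sorted(report["external_sources"]))
    for a in report["alerts"]:
        print(f"ALERT {a['end']}: {len(a['sources'])} sources probed {a['dst']}:{DSM_PORT}")
```

Any non-empty external_sources set on a home or office NAS means the interface is reachable from the Internet, which is exactly the exposure the report advises against; the alert threshold is a starting point to tune against your own logs.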
This Week's Security News
Was there any security news this week other than about the Heartbleed bug/vulnerability? Probably, but it all pales in comparison to this super story. Here are some of the better articles we've seen on it, with some added commentary.
Heartbleed - Schneier on Security
Heartbleed is a catastrophic bug in OpenSSL:
"The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users."
After Heartbleed Bug, a Race to Plug Internet Hole
Facebook, Tumblr Urge Users to Change Passwords; Canada Halts Online Tax Returns
Heartbleed: don't rush to update passwords, security experts warn
The severity of the Heartbleed bug means that rushing to change passwords could backfire.
Has the NSA Been Using the Heartbleed Bug as an Internet Peephole?
When ex-government contractor Edward Snowden exposed the NSA's widespread efforts to eavesdrop on the internet, encryption was the one thing that gave us comfort. Even Snowden touted encryption as a saving grace in the face of the spy agency's snooping. "Encryption works," the whistleblower said last June. "Properly implemented strong crypto systems are one of the few things that you can rely on."
But Snowden also warned that crypto systems aren't always properly implemented. "Unfortunately," he said, "endpoint security is so terrifically weak that NSA can frequently find ways around it."
Be sure to check back next week for our next Threat Thursday blog update!