Alert essentials:
A vulnerability in Synology NAS software allows attackers to gain access to NAS devices to steal personal and corporate files, plant a backdoor, or infect the systems with ransomware to prevent users from accessing their data.
Detailed threat description:
Security researchers at Midnight Blue found two critical zero-days in Synology software and demonstrated the flaws in late October at Pwn2Own Ireland 2024. The zero-click remote code execution flaws affect DiskStation and BeeStation network-attached storage devices.
Tracked together and dubbed “RISK:STATION,” the flaws could allow remote code execution with root-level permissions on internet-exposed NAS devices.
The flaws lie in the Synology Photos and BeePhotos applications, which are installed on Synology NAS devices by default and can be reached without authentication. Because the vulnerability is zero-click, no user interaction is needed to trigger exploitation, which allows attackers to exfiltrate sensitive data and deploy additional malware.
Specific details of the vulnerabilities have been withheld to give defenders sufficient time to apply patches. While there is no evidence that the vulnerabilities have been exploited in the wild, patches were released within 48 hours because of the high risk of exploitation, since bad actors will reverse engineer the fixes.
Synology encourages users to update to the latest software version to secure their systems. Devices with automatic updates enabled should already have received the patch; however, the vendor strongly encourages manually verifying that the latest version is installed. If the automatic update fails, or the organization does not use automatic updates, download and apply the update manually.
Mitigations:
- Disable the SynologyPhotos / BeePhotos component; this deactivates the vulnerable code
- Disable port forwarding to the NAS
- Block ports 5000 and 5001
- Disable QuickConnect; this also prevents exploitation over the internet, but leaves the device vulnerable from within the local network
Impacts on healthcare organizations:
If a storage server in a healthcare environment is hacked, it can lead to significant risks and damages affecting patient safety, privacy, and the overall integrity of healthcare operations.
When a threat actor compromises an organization's storage server, the healthcare provider faces HIPAA violations and disruption of patient services. In addition to the risk to patient safety, the organization will likely experience data loss, reputation damage, financial penalties, and operational delays.
To safeguard patient data and maintain secure operations, healthcare staff should lock computers when not in use, keep systems updated, and communicate only through approved, secure channels.
Staff should also participate in security training to stay alert to threats, handle data carefully to prevent leaks, and report any suspicious activity promptly. These cyber hygiene practices strengthen the organization’s cybersecurity, protecting patient data and service integrity.
Affected Products / Versions:
- BeePhotos for BeeStation OS 1.0 (Upgrade to 1.0.2-10026 or above)
- BeePhotos for BeeStation OS 1.1 (Upgrade to 1.1.0-10053 or above)
- Synology Photos 1.6 for DSM 7.2 (Upgrade to 1.6.2-0720 or above)
- Synology Photos 1.7 for DSM 7.2 (Upgrade to 1.7.0-0795 or above)
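The version list above is easy to misread because Synology version strings carry a hyphenated build number and each release line has its own fixed version. The following Python, added here as an example and not code from the advisory or from Synology, encodes the table above and triages an inventory export of package versions; the hostnames and the CSV layout are constructed assumptions.

```python
import re

# Fixed versions as listed in this advisory's "Affected Products / Versions" section.
# Keyed by (package, release line); anything on an unlisted line is reported as such.
FIXED_VERSIONS = {
    ("BeePhotos", "1.0"): "1.0.2-10026",
    ("BeePhotos", "1.1"): "1.1.0-10053",
    ("SynologyPhotos", "1.6"): "1.6.2-0720",
    ("SynologyPhotos", "1.7"): "1.7.0-0795",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")

def parse_version(text):
    """Turn 'major.minor.patch-build' into a tuple of ints so it compares numerically."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Synology version string: {text!r}")
    return tuple(int(part) for part in m.groups())  # leading zeros in the build are harmless

def assess(package, installed):
    """Return 'patched', 'vulnerable' or 'unlisted' for one installed package version."""
    ver = parse_version(installed)
    fixed = FIXED_VERSIONS.get((package, f"{ver[0]}.{ver[1]}"))
    if fixed is None:
        return "unlisted"  # release line not in the advisory table: confirm with the vendor
    return "patched" if ver >= parse_version(fixed) else "vulnerable"

def triage(inventory_csv):
    """Assess every 'host,package,version' line of an inventory export; returns {host: status}."""
    report = {}
    for line in inventory_csv.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, package, version = (field.strip() for field in line.split(","))
        report[host] = assess(package, version)
    return report

# Constructed sample inventory (hypothetical hostnames), not data from the advisory.
SAMPLE_INVENTORY = """\
# host,package,installed_version
nas-rad-01,SynologyPhotos,1.6.2-0720
nas-rad-02,SynologyPhotos,1.6.1-0600
nas-ehr-01,SynologyPhotos,1.7.0-0795
bee-lab-01,BeePhotos,1.1.0-10052
nas-old-01,SynologyPhotos,1.5.3-0420
"""
```

Calling `triage(SAMPLE_INVENTORY)` flags nas-rad-02 and bee-lab-01 as vulnerable and nas-old-01 as unlisted, which is the case a patch tracker most often gets wrong: a release line the advisory does not cover should be escalated, not silently treated as safe.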
CVE:
- CVE-2024-10443
IOCs / Indicators of compromise:
- Unusual NAS activity, such as increased CPU/network usage
- Unauthorized user accounts or installed applications
- Unexpected modifications to files or settings on Synology NAS
Recommendations:
Engineering recommendations:
- Apply the latest Synology update to devices
- Disable SynologyPhotos/BeePhotos Component if patching is delayed
- Disable port forwarding to NAS devices (block ports 5000 and 5001)
- Disable the QuickConnect feature to reduce external exposure
- Allow access only through a VPN if remote access is necessary
Leadership / Program recommendations:
To reduce long-term risks, consider enabling regular firmware checks, enhanced logging for NAS systems, and monitoring for unusual access patterns.
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- Midnight Blue Analysis: https://www.midnightblue.nl/research/riskstation
- Synology Advisory BeePhotos: https://www.synology.com/en-global/security/advisory/Synology_SA_24_18
- Synology Advisory Synology Photos: https://www.synology.com/en-global/security/advisory/Synology_SA_24_19
- Synology Downloads: https://www.synology.com/en-ph/support/download
- Microsoft CyberSecurity: https://www.microsoft.com/en-us/security/business/security-101/what-is-cybersecurity
- BleepingComputer: https://www.bleepingcomputer.com/news/security/synology-fixed-two-critical-zero-days-exploited-at-pwn2own-within-days/
- Arctic Wolf: https://arcticwolf.com/resources/blog/cve-2024-10443/