[REQUEST] Synology and potential hacking

Romaniac

Hello,

I would appreciate some info/help from anyone who knows security and/or Synology well. This is a series of events that happened to an acquaintance. I am trying to eliminate variables and patch major security holes. Passwords and other simple, obvious things have been changed. The hard drive in the laptop has been replaced.

Scenario:
User has a laptop at home. They do small-biz QuickBooks, invoicing, email, banking, etc. They keep it to little or no surfing. No crazy sites or anything (user is a lady).

Recently, she was given access to an office Synology NAS via QuickConnect for very occasional use. Standard, restricted non-admin account. No access to the DSM panel. She needed to go in and download a file or two here and there. She may have logged on once or twice since access was given.
No SSL was set up at that point. Brute-force auto lockout and IP ban appear to have been in place. SMB1 is disabled, I think, but I'll have to double check. No warnings encountered on DSM.
The Synology NAS is connected to a Cisco router (older), which is connected to a Comcast modem/router.
Initially, a VPN was set up for access, but her laptop was apparently having issues with it, even though other PCs on the same home network connected OK. Credentials for VPN/access are a username and password.

Long story short, some of her accounts appear to have been compromised (she was also getting hundreds of 'weird' emails and phone calls from other countries, perhaps as a distraction...?); as this was happening, apparently there was a login to the bank account that wasn't her, and some money was caught moving (luckily to the same bank, so it got frozen). I think her Comcast email may also have been compromised, which is one of her main email addresses, though I am not sure if that was the email used for the bank account. But it looks like passwords may have been recorded.
Her Synology login did not contain her email or a password similar to one used for any other account (she didn't create the password).

Would her access to the Synology have had any part in this...? These events happened about a week or so after that access was set up.
I can see how reusing the same passwords would have led to an issue, but that wasn't the case.


I will add that I ended up with the old hard drive from the laptop. Kaspersky Rescue Disk found a trojan (Win32.injection.akadd). However, that was about it. I have not yet scanned it with anything else, but is this a factor?


Thanks for reading and helping!
 
What would it take to log in to her bank? On all the banking sites I've used, just an email and password is not enough these days. I'd lean toward some kind of infection on her PC.

You mentioned the old hard drive. Did you remove it and reinstall everything on the new drive?
 
At this point it sounds like it could be anything, really. What about the logs on the Synology? What do they show? I would download those logs off there and start going through them.

I would have to guess at this point, really, based on what you provided: she probably had a keylogger on her computer.
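To make the "go through the logs" step concrete, here is an added example (not from this thread, and not a Synology tool) of what to look for once the connection log is exported: a success from the same (user, address) pair right after a run of failures, and a success from an address that account has never been seen from before. The log lines, the field layout and the per-user baseline of known addresses are all constructed for the example; a real export will need its own regex.

```python
import re
from collections import defaultdict

# Constructed sample lines, loosely modelled on a NAS connection log.
# This is not a real Synology export; the field layout is an assumption.
SAMPLE_LOG = """\
2024-01-08 09:02:11 INFO User [jane] from [192.0.2.10] logged in successfully via [DSM].
2024-01-08 09:40:55 INFO User [jane] from [192.0.2.10] logged in successfully via [SMB].
2024-01-09 02:14:01 WARN User [jane] from [203.0.113.45] failed to log in via [DSM] due to authorization failure.
2024-01-09 02:14:04 WARN User [jane] from [203.0.113.45] failed to log in via [DSM] due to authorization failure.
2024-01-09 02:14:07 WARN User [jane] from [203.0.113.45] failed to log in via [DSM] due to authorization failure.
2024-01-09 02:14:12 INFO User [jane] from [203.0.113.45] logged in successfully via [DSM].
2024-01-09 10:15:30 INFO User [bob] from [192.0.2.22] logged in successfully via [SMB].
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>\w+) "
    r"User \[(?P<user>[^\]]+)\] from \[(?P<ip>[^\]]+)\] "
    r"(?P<outcome>logged in successfully|failed to log in) via \[(?P<svc>[^\]]+)\]"
)

def parse_log(text):
    """Turn raw lines into event dicts; lines that do not match the pattern are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ok"] = e["outcome"] == "logged in successfully"
            events.append(e)
    return events

def triage(events, known_sources, fail_threshold=3):
    """Flag two patterns worth a closer look:
    1. a success from a (user, ip) pair immediately after >= fail_threshold failures
    2. a success from an address the user has not been seen from before"""
    findings = []
    fails = defaultdict(int)  # (user, ip) -> failures since the last success
    for e in events:
        key = (e["user"], e["ip"])
        if not e["ok"]:
            fails[key] += 1
            continue
        if fails[key] >= fail_threshold:
            findings.append(
                f"{e['ts']} {e['user']}: success from {e['ip']} "
                f"after {fails[key]} failures (brute-force pattern)"
            )
        if e["ip"] not in known_sources.get(e["user"], set()):
            findings.append(
                f"{e['ts']} {e['user']}: login from unfamiliar address {e['ip']} via {e['svc']}"
            )
        fails[key] = 0
    return findings

# Baseline of addresses each account normally uses (constructed for the sample;
# in practice build it from weeks of logs before the incident window).
KNOWN_SOURCES = {"jane": {"192.0.2.10"}, "bob": {"192.0.2.22"}}

if __name__ == "__main__":
    for finding in triage(parse_log(SAMPLE_LOG), KNOWN_SOURCES):
        print(finding)
```

Run against the sample it reports both patterns for jane's 02:14 login from 203.0.113.45 and nothing for the baseline logins. Note that if auto block is working, a brute-force run should also show up as a ban event, so its absence in the export is itself worth a question.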
 
Appear? Either they are or aren't. At this point it's impossible to tell. Way too many questions to ask and get answers. But first I'd work at breaking things down.

Email - get a hold of the originals and look at the headers and content. I regularly get calls, etc. from customers: "My email's been hacked!" Just one this AM. Purportedly from the business owner to a lieutenant: "Are you at your desk 'Joe'? Let me know. Sent from my iPhone." Of course the from field was from the owner, but we know that means nothing. Explained to him that this is a common vector/behavior for financial fraud. Make sure to check the sent folder as well. Who's the email provider?

Phone calls? I get spam, hangups, Microsoft will stop your computer, etc daily.

Could it have come from the Synology? Doubtful. Only via files downloaded. Synology runs Linux and I'm sure she is M$. Cross platform stuff is incredibly complex.

Could have been a keyboard logger, but those are very rare. Where does she keep her password and stuff? Has anyone been there, like some service person?
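Since the From field "means nothing", here is an added example (not from this thread) of what to compare instead when you have the original message: the Reply-To and Return-Path domains against the From domain, and the earliest Received hop (the last one in the header block) to see which system actually handed the mail in and from what address. Both sample messages, their hosts and addresses are constructed for the example, modelled on the lure described above; they are not real captured mail.

```python
import re
import email
from email.utils import parseaddr

# Constructed lure: display name and From look like the owner's, Reply-To points
# elsewhere, and the mail entered through an unrelated relay. Not a real message.
LURE_RAW = """\
Return-Path: <bounce-9a1@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.10])
    by mx.victim-biz.example (Postfix) with ESMTP id 4F2A1C
    for <joe@victim-biz.example>; Mon, 01 Jan 2024 09:02:11 -0700
Received: from [198.51.100.7] (unknown [198.51.100.7])
    by mail-relay.example.net with ESMTPA id 77B3D
    for <joe@victim-biz.example>; Mon, 01 Jan 2024 09:02:09 -0700
From: "Pat Owner" <pat.owner@victim-biz.example>
Reply-To: <pat.owner.ceo@freemail.example.com>
To: joe@victim-biz.example
Subject: Are you at your desk Joe?
Date: Mon, 01 Jan 2024 09:02:09 -0700
Message-ID: <20240101160209.1234@mail-relay.example.net>

Are you at your desk Joe? Let me know.

Sent from my iPhone
"""

# Constructed internal message that stayed inside the company's own mail system.
INTERNAL_RAW = """\
Return-Path: <pat.owner@victim-biz.example>
Received: from mail.victim-biz.example (mail.victim-biz.example [192.0.2.25])
    by mx.victim-biz.example (Postfix) with ESMTPS id 8C11E
    for <joe@victim-biz.example>; Mon, 01 Jan 2024 11:00:00 -0700
From: "Pat Owner" <pat.owner@victim-biz.example>
To: joe@victim-biz.example
Subject: Q1 invoices
Date: Mon, 01 Jan 2024 11:00:00 -0700

Joe, the Q1 invoices are in the shared folder.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def analyse_headers(raw):
    """Parse one raw RFC 5322 message and return the fields an analyst compares,
    plus a list of mismatches between what the mail claims and how it travelled."""
    msg = email.message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    # Each hop prepends its own Received header, so the last one is the earliest.
    received = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    first_hop = received[-1] if received else ""
    ip_match = IP_RE.search(first_hop)
    originating_ip = ip_match.group(1) if ip_match else ""

    findings = []
    from_dom = domain_of(from_addr)
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {from_dom}")
    if return_path and domain_of(return_path) != from_dom:
        findings.append(f"Return-Path domain {domain_of(return_path)} differs from From domain {from_dom}")
    # Only the "from ... by" part of the earliest hop says who handed the mail in;
    # the trailing "for <recipient>" clause would always mention our own domain.
    handoff = re.search(r"from (.*?) by ", first_hop)
    if handoff and from_dom and from_dom not in handoff.group(1).lower():
        findings.append(f"earliest hop '{handoff.group(1)}' is not the From domain's mail system")
    return {
        "from_addr": from_addr,
        "reply_to": reply_to,
        "return_path": return_path,
        "hop_count": len(received),
        "originating_ip": originating_ip,
        "findings": findings,
    }

if __name__ == "__main__":
    for label, raw in (("lure", LURE_RAW), ("internal", INTERNAL_RAW)):
        result = analyse_headers(raw)
        print(label, result["originating_ip"], result["findings"] or "no mismatches")
```

On the lure all three checks fire and the originating address is the unknown 198.51.100.7 behind the relay; the internal message produces no findings. None of this proves fraud on its own, but it is the evidence to put beside the "from the owner" display name before anyone acts on the message.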
 
How does one draw a link between a NAS and a bank account being hacked?

It could be anything from a bad cheque to some sort of fraud that may have nothing to do with a computer at all.

Sent from my SM-G870W using Tapatalk
 
> No crazy sites or anything (user is a lady).

And that means what in this day and age? Nothing... absolutely nothing. Trust me, I have "lady" clients that are all prim and proper, but my God, on their computers they have a huge collection of un-proper material.

Anyway, you did not ask yourself an important question. Who set up her account and password?
 