About Synology NAS Servers & Brute Force Attacks – My Story of How I’ve Almost Got Hacked
Morten Kjaersgaard – “My Synology Server Was the Target of Brute Force Attack Attempts.” A Few Words on Brute Force Attack Prevention.
It’s certainly no joke that literally anyone can become the target of a cyberattack, both at home and at work, and the recent brute force attack alert that I had on my home Synology NAS server a few days ago proves it. When I noticed the alert I naturally tightened the brute force rules, but this didn’t make cybercriminals give up. On the contrary, they kept hammering on with fierce attempts (with no success, though) once they noticed the port was open.
I hope all of you stay as safe as possible from brute force attacks, ransomware, and all the other cyber threats that might make you lose precious time, money, and data, so I’ll share some info about the risks of being connected to a Synology server and what I think would be the best prevention techniques for a brute force attack.
What Is Synology NAS?
If you don’t know this yet, Synology is a company that produces a file-sharing center using a multi-purpose Network-Attached Storage (NAS) server. NAS servers can be used both for home and work networks, for a variety of tasks like:
- storing and sharing files on the Internet;
- backing up files on server and computer;
- managing files and personal media;
- recording videos;
- listening to music etc.
Synology Security Issues
Given the importance of the operations and files managed on a NAS server, these devices often become targets of professional or wannabe cybercriminals trying to gain access and wreak havoc with your data.
In today’s cyberscape, the most pervasive Synology-related cyber threat is the brute force attack with ransomware as its ultimate goal, but other weaknesses related to the myds.me system of the Synology server and its Dynamic DNS domains have been reported in the Synology Community as well:
- issues with Synology Internet-facing servers;
- random deletion of hostnames;
- update / authentication errors.
When it comes to ransomware, this cyberthreat has had a rampant evolution in the last years and now it’s practically the wildest cyber threat that sweeps through the entire world, as the increasing number of victims (mostly from the private sector, with losses of millions of dollars) and the latest cybermarket movements show.
Just like I’ve been saying since the previous summer, brute force attacks have become the most worrying cyber-attack trend and the main method through which ransomware spreads, outrunning even spam and phishing emails.
The MO of a brute force attack is rudimentary but highly efficient: it boils down to a guessing game to find the target device’s username and password, and may use cryptographic functions to derive device auth credentials. To get around authentication, attackers might use scripted apps and bots that test common or even legitimate credentials from data breach lists that can be found – yes, you’ve guessed right – on the dark web.
Apart from obtaining credentials for ransomware deployment, brute force attackers hunt for personal information, try to impersonate users, spread phishing links or other false materials, or redirect domains to fraudulent websites.
In case this wasn’t clear enough: an attacker successfully brute-forcing their way into your systems basically means that they get access to everything you have access to and can practically do whatever they want from there – they will have total technical control.
Are There Any Tell-Tale Signs of a Brute Force Attack?
If you’re wondering how to recognize if you have been the target of a brute force attack, riddle me this:
- did you notice unsuccessful login attempts from an IP address?
- have you observed multiple unique IP addresses trying to log in to a certain account?
- did you pick up on heavy bandwidth use in a single session?
If all answers are yes, I’m sorry to say that some cybercriminals have probably been up to their tricks with your endpoint and you’re now dealing with a brute force attack.
As happened in my case, brute force attackers might intensify their efforts when they identify an open communication port. The attackers used around 400 unique IP addresses (e.g. [220.127.116.11]; [18.104.22.168]; [22.214.171.124]; [126.96.36.199]; [188.8.131.52]) and started on the 28th of July 2021, at 17:42. The last failed login attempt was registered the following day, at 09:05.
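The first two tell-tale signs above (repeated failures from one IP, and one account hit from many different IPs) can be checked mechanically against the NAS’s log export. The script below is an added example, not code from the post or from Synology; the log lines are constructed in the style of the DSM Connection log, and the thresholds are assumptions you would tune for your own network.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the style of DSM's Connection log (an assumption, not a
# capture from the author's NAS): one account hammered from several source IPs.
SAMPLE_LOG = """\
2021-07-28 17:42:03 User [admin] from [203.0.113.10] failed to log in via [DSM] due to authorization failure.
2021-07-28 17:42:09 User [admin] from [203.0.113.10] failed to log in via [DSM] due to authorization failure.
2021-07-28 17:42:15 User [admin] from [198.51.100.7] failed to log in via [DSM] due to authorization failure.
2021-07-28 17:43:01 User [admin] from [192.0.2.44] failed to log in via [DSM] due to authorization failure.
2021-07-28 17:43:40 User [admin] from [203.0.113.10] failed to log in via [DSM] due to authorization failure.
2021-07-28 17:45:12 User [alice] from [192.0.2.5] failed to log in via [DSM] due to authorization failure.
2021-07-28 17:46:00 User [alice] from [192.0.2.5] logged in successfully via [DSM].
"""

# Only failed-login lines are of interest; successful logins do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) User \[(?P<user>[^\]]+)\] "
    r"from \[(?P<ip>[^\]]+)\] failed to log in"
)

def parse_failures(text):
    """Yield (timestamp, user, ip) for every failed-login line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["ip"]

def detect_brute_force(text, per_ip_threshold=3, distinct_ip_threshold=3):
    """Apply the two login-based checks from the post: many failures from a single IP,
    and a single account targeted from many distinct IPs (distributed guessing)."""
    failures_by_ip = defaultdict(int)
    ips_by_user = defaultdict(set)
    first = last = None
    for ts, user, ip in parse_failures(text):
        failures_by_ip[ip] += 1
        ips_by_user[user].add(ip)
        first = ts if first is None else min(first, ts)
        last = ts if last is None else max(last, ts)
    noisy_ips = sorted(ip for ip, n in failures_by_ip.items() if n >= per_ip_threshold)
    sprayed_users = sorted(u for u, ips in ips_by_user.items() if len(ips) >= distinct_ip_threshold)
    return {
        "noisy_ips": noisy_ips,          # candidates for the firewall block list
        "sprayed_users": sprayed_users,  # accounts to lock / review for 2FA
        "window": (first, last),         # first and last failure seen
        "total_failures": sum(failures_by_ip.values()),
    }

if __name__ == "__main__":
    print(detect_brute_force(SAMPLE_LOG))
```

The "window" output reproduces the kind of start/end timestamps quoted above, and "noisy_ips" gives you a list to feed into the NAS firewall or auto-block settings.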
Moreover, on the 4th of August, the Synology team published a press release where they mentioned that they have “received reports on an increase in brute-force attacks against Synology devices.”
How to Prevent Brute Force Attacks on Synology NAS
Although brute force attacks can’t be completely blocked on Synology devices, you can start with the device’s built-in firewall and the measures below:
- tightening brute force attack rules;
- activating 2-factor authentication;
- locking an account after consecutive failed logins with each retry lengthening the wait, and then unlocking it as the administrator;
- using long and difficult passwords – and changing them periodically;
- avoiding using the admin/administrator accounts;
- changing default management ports.
You can find more ideas in the Synology security guide.
For desktop endpoints, you can, of course, use a powerful antivirus solution with a firewall integrated and take a few other preventive measures.
Heimdal™’s Next-gen Endpoint Antivirus’s traditional firewall features like port and application management go hand in hand with unique features that ensure brute force and ransomware prevention and device isolation.
From the unified, intuitive Heimdal™ dashboard you can even choose to automatically block the RDP port on brute force detection. You also have the option to isolate an endpoint – in this case, all its external connections will be rerouted through the Heimdal™ Security systems.
What Can You Use for Alerts?
For desktops, servers, and Synology boxes, a SIEM software will often be very useful in detecting brute force attack attempts.
For desktop and server management, our excellent EPDR tool, for example, will provide advanced investigation, threat hunting, and swift response to known and unknown malware, also allowing you to stay on top of some of the most powerful cybermarket trends of 2021: unification of endpoint management (replacing up to 7 vendors) and the increased focus on endpoint protection, detection and response.
The route you take often depends on how integrated you want to go and the budget you have.
My story with the brute force attack alert on my home Synology NAS server is another way to prove how crucial it is to keep your devices and data safe – there’s no rest for the wicked (cybercriminals) and they surely won’t be taking any break any time soon.
As previously stated, brute force attacks with ransomware as its final goal will continue to be a significant – if not the biggest – issue in today’s threatscape, so learning how to keep your servers and endpoints safe both at home and at work is, in my opinion, the key for a cyber-safer world.
As for us, Heimdal™ will continue to play its part in this fight against cybercriminals, leading the market with revolutionary solutions and swift, strategic actions according to the most pressing needs of our clients, but we need you to keep your eyes open and learn as much as possible about possible threats and their prevention methods too.
Although challenging, our mission gets more rewarding with each threat that we help you avoid, with each amount of money that we help you save, with each hour that we help you invest in the tasks that really move you forward.