Synology Recently Noticed a Rise in Brute-force Attacks on NAS Devices
Cybersecurity Specialists Think the Botnet Is Operated by a Malware Family Dubbed StealthWorker.
In a security advisory, Synology Inc., the Taiwanese organization that specializes in Network-attached storage (NAS) appliances, has recently informed its clients of the StealthWorker malware which is attempting to attack their NAS devices.
Taiwan-based NAS maker Synology was founded in January 2000 and now its products are distributed worldwide and localized in several languages. The company’s headquarters are located in Taipei, Taiwan, with subsidiaries located all over the globe.
What Is StealthWorker Malware?
StealthWorker is a brute-force malware that has been formerly employed to attack e-commerce websites by exploiting flaws in the open-source e-commerce platform Magento in order to steal financial and personal information.
This type of malware is typically using bugs found in content management systems in order to gain access to its target or uses the brute-force technique which is extremely successful when it comes to weak admin passwords.
According to Synology security researchers, these continuous brute-force attacks could cause serious ransomware infection.
As per Synology’s Product Security Incident Response Team, the affected devices may perform further attacks against other open-source OS Linux-based devices.
These attacks leverage a number of already infected devices to try and guess common administrative credentials, and if successful, will access the system to install its malicious payload, which may include ransomware.
According to the advisory, Synology PSIRT is collaborating with other CERT companies all over the world in order to cease the activity of C&C (command and control) servers behind the botnet.
The NAS maker is also actively working on informing all the potentially affected users of the continuing brute-force attacks from the StealthWorker malware.
Protect Your NAS Devices
All the users and sysadmins are strongly advised by the Taiwanese organization to:
- thoroughly investigate their systems for weak administrative credentials with Run Security Advisor;
- allow account protection and autoblock. Autoblock will block an IP address after a pre-defined number of login attempts;
- set up multi-factor authentication where suitable;
- ensure the default admin account is deactivated to advert malicious attacks.
To ensure the security of your Synology NAS, we strongly recommend you enable Firewall in Control Panel and only allow public ports for services when necessary, and enable 2-step verification to prevent unauthorized login attempts.
You may also want to enable Snapshot to keep your NAS immune to encryption-based ransomware.
At the moment, NAS maker Synology doesn’t have any evidence that the malware is exploiting any software vulnerabilities.