
Synology NAS devices under brute-force attack: Remediate StealthWorker Botnet attack


Synology NAS is a multi-purpose Network-Attached Storage server that typically serves as the file-sharing hub of an organization's intranet, and it is administered through the web-based Synology DiskStation Manager (DSM). On 4 August 2021, Synology issued a statement about an ongoing brute-force campaign against NAS users:

Taipei, Taiwan—August 4, 2021—Synology PSIRT (Product Security Incident Response Team) has recently seen and received reports on an increase in brute-force attacks against Synology devices. Synology's security researchers believe the botnet is primarily driven by a malware family called "StealthWorker." At present, Synology PSIRT has seen no indication of the malware exploiting any software vulnerabilities.

These attacks leverage a number of already infected devices to try to guess common administrative credentials and, if successful, will access the system to install a malicious payload, which may include ransomware. Infected devices may carry out additional attacks on other Linux-based devices, including Synology NAS.

Synology PSIRT is working with relevant CERT organizations to find out more about and shut down known C&C (command and control) servers behind the malware. Synology is simultaneously notifying potentially affected customers.

Synology strongly advises all system administrators to examine their systems for weak administrative credentials, to enable auto block and account protection, and set up multi-step authentication where applicable.

System administrators that have found suspicious activity on their devices should reach out to Synology technical support immediately.


How to remediate this issue: The company advised users to go through the following checklist to defend their NAS devices against attacks:

  • Use a complex and strong password, and apply password strength rules to all users.
  • Create a new account in the administrator group and disable the system default “admin” account.
  • Enable Auto Block in Control Panel to block IP addresses with too many failed login attempts.
  • Run Security Advisor to make sure there is no weak password in the system.

Here are some other best practices to follow to ensure your Synology DiskStation is adequately protected.
1: Disable the default admin account.
2: Use two-factor authentication for your accounts.
3: Configure the DSM firewall to protect any exposed services.
4: Change the default NAS ports, close any ports on your router that forward to the NAS that you do not need or use, and use HTTPS for the services you do expose.
5: Close the SSH port (22) if it is exposed. If you need to reach your NAS from outside your LAN, configure and use a VPN instead of exposing services directly.
6: Keep DSM and your installed packages up to date.

If your NAS reports attacks from the outside (most likely on port 22, the default SSH port), close that port or move SSH to a non-default one. Moving the port only reduces noise from mass scanners and does not stop a targeted attacker, so if SSH must stay reachable, disable password authentication in favour of key-based logins and keep Auto Block enabled.
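To make the Auto Block item of the checklist and the "attacks on port 22" advice above concrete, here is an added example (not Synology's code and not part of the original post) that emulates the Auto Block rule over sshd log lines: it counts failed password attempts per source IP inside a sliding time window, blocks an IP once a threshold is reached, and tallies which accounts the attackers are trying. The log lines are constructed for this example (they follow OpenSSH's "Failed password for ... from ... port" format), and the attempt/minute thresholds are parameters chosen for the example, not DSM's defaults.

```python
"""Emulate DSM-style Auto Block on sshd log lines (added example, not Synology code).

Block a source IP once it produces `max_attempts` failed logins within a
`window_minutes` sliding window, and report which accounts are being targeted.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines for this example (not captured from a real device).
# Format: "<ISO timestamp> <host> sshd[<pid>]: <OpenSSH message>"
SAMPLE_LOG = """\
2021-08-04T10:00:01 nas sshd[2211]: Failed password for admin from 203.0.113.7 port 51022 ssh2
2021-08-04T10:00:03 nas sshd[2214]: Failed password for admin from 203.0.113.7 port 51030 ssh2
2021-08-04T10:00:04 nas sshd[2217]: Failed password for invalid user test from 203.0.113.7 port 51036 ssh2
2021-08-04T10:00:06 nas sshd[2220]: Failed password for root from 203.0.113.7 port 51041 ssh2
2021-08-04T10:00:07 nas sshd[2225]: Failed password for admin from 203.0.113.7 port 51050 ssh2
2021-08-04T10:00:15 nas sshd[2233]: Accepted publickey for backup from 192.0.2.10 port 40022 ssh2
2021-08-04T10:01:00 nas sshd[2240]: Failed password for admin from 198.51.100.9 port 33001 ssh2
2021-08-04T10:20:00 nas sshd[2250]: Failed password for admin from 198.51.100.9 port 33002 ssh2
"""

# OpenSSH failed-password line; "invalid user" is present when the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text):
    """Yield (timestamp, user, source_ip) for each failed-login line; skip all others."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["ip"]


def auto_block(log_text, max_attempts=5, window_minutes=5):
    """Return {ip: time_of_block} for IPs that hit max_attempts failures within the window.

    The two parameters correspond to the attempts/minutes settings of DSM's Auto Block;
    the values used here are illustrative, not DSM's defaults.
    """
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    blocked = {}
    for ts, _user, ip in parse_failures(log_text):
        if ip in blocked:
            continue  # already blocked; later attempts would be dropped by the firewall
        window = recent[ip]
        window.append(ts)
        # Drop failures older than the window relative to the newest attempt.
        while window and ts - window[0] > timedelta(minutes=window_minutes):
            window.popleft()
        if len(window) >= max_attempts:
            blocked[ip] = ts
    return blocked


def targeted_accounts(log_text):
    """Count failed attempts per username; shows why the default 'admin' account should go."""
    return Counter(user for _ts, user, _ip in parse_failures(log_text))


if __name__ == "__main__":
    for ip, when in auto_block(SAMPLE_LOG).items():
        print(f"block {ip} at {when.isoformat()}")
    for user, n in targeted_accounts(SAMPLE_LOG).most_common():
        print(f"{n:3d} failed attempts against account {user!r}")
```

Running it on the sample blocks 203.0.113.7 at the fifth failure (10:00:07) while 198.51.100.9, whose two failures are 19 minutes apart, stays under the five-minute window; the account tally shows "admin" as the main target, which is exactly why the checklist says to create a new administrator and disable the default account.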

I hope you found this blog post helpful. If you have any questions, please let me know in the comment section.
