Synology NAS is a multi-functional Network-Attached Storage server, that serves as a file-sharing centre within an organization’s intranet. Moreover, it is specially designed for a variety of purposes, allowing users to perform the following tasks with the web-based Synology DiskStation Manager (DSM). In this guide, we shall discuss “Synology Best Practice to remediate StealthWorker Botnet attack”. Please see What Happens if You Turn Off Your Computer During an Update, and UEFI, TPM, BitLocker FAQs: Disable Sleep Mode.

On the 4th of August 2021, Synology issued a statement about an ongoing brute-force attack on NAS users. Taipei, Taiwan—August 4, 2021—Synology PSIRT (Product Security Incident Response Team) has recently seen and received reports on an increase in brute-force attacks against Synology devices.

Synology’s security researchers believe the botnet is primarily driven by a malware family called “StealthWorker.” At present, Synology PSIRT has seen no indication of the malware exploiting any software vulnerabilities.

These attacks leverage a number of already infected devices to try and guess common administrative credentials, and if successful, will access the system to install its malicious payload, which may include ransomware. Devices infected may carry out additional attacks on other Linux based devices, including Synology NAS.

Synology PSIRT is working with relevant CERT organizations to find out more about and shut down known C&C (command and control) servers behind the malware. Synology is simultaneously notifying potentially affected customers.

They strongly advises all system administrators to examine their systems for weak administrative credentials, to enable auto block and account protection, and set up multi-step authentication where applicable.

System administrators that have found suspicious activity on their devices should reach out to Synology technical support immediately.

Enhancing Synology NAS Security

System administrators should examine their systems for weak administrative credentials, to enable auto block and account protection, and set up multi-step authentication where applicable. System administrators who have found suspicious activity on their devices should reach out to Synology technical support immediately.

How to remediate this issue: The company advised users to go through the following checklist to defend their NAS devices against attacks:

Use a complex and strong password, and Apply password strength rules to all users.
Create a new account in the administrator group and disable the system default “admin” account.
Enable Auto Block in the Control Panel to block IP addresses with too many failed login attempts.
To enhance the security of your Synology NAS devices under brute-force attack, it is crucial to take proactive measures. Start by running Security Advisor to ensure there is no weak password in the system.

Synology Best Practice

Here are some other best practices to follow to ensure your Synology DiskStation is adequately protected. For these detailed steps below, please see “DSM Security: How to Protect Synology DS923+ NAS“.

1: Disable the default Admin account.
2: Use two-factor authentification for your accounts
3: Configure your firewall to protect any exposed services best
4: Change default NAS ports. Close any ports on your router that lead to your NAS that you do not need/use. And use HTTPS access for services you have exposed.
5: Close the SSH (22) port if you have it exposed. Configure a VPN to access your NAS from outside your LAN if needed.
6: Stay updated with your apps and DSM.

Lastly, accessing your NAS from the outside is best executed using a VPN.

In case your NAS is reporting attacks from the outside, probably on port 22, the default SSH port). Make sure to close it down, or change its value to a non-default one. Kindly refer to this related troubleshooting guide: Unable to access files in Synology Disk station from Windows 10.

I hope you found this blog post on Synology Best Practice to remediate StealthWorker Botnet attack helpful. If you have any questions, please let me know in the comment session.