Synology NAS Devices Targeted by StealthWorker BotnetAttackers’ Brute Force Attacks Could Deliver Ransomware
Taiwan-based network-attached storage device manufacturer Synology says the StealthWorker botnet is targeting its products with brute force attacks that could lead to ransomware intrusions.
“At present, there is no indication of the [StealthWorker] malware exploiting any software vulnerabilities,” Synology's Product Security Incident Response Team says. Instead, Synology's investigation found that the attackers were leveraging the credentials from already compromised devices and using them in brute force attacks to target a larger number of systems. Synology is warning customers that the infected devices “may carry out additional attacks on other Linux-based devices, including Synology NAS.”
The company has begun notifying potentially affected customers and is working in collaboration with CERTs to crack down on the command-and-control servers operating the malware.
In July 2019, Synology released a similar advisory, urging its users to take immediate action to protect their data from ransomware attacks. Even then, the attacks were not due to an active exploitation of system vulnerabilities, but a result of stolen admin credentials being used in brute force/dictionary attacks, the company reported.
About StealthWorker Botnet
The StealthWorker botnet was discovered by Malwarebytes in February 2019. The botnet was injected into the homepage of a Magento-based e-commerce website and used to steal login credentials and credit card details.
The botnet deploys the Golang-based payload, and upon successful infiltration it creates scheduled tasks on both Windows- and Linux-based systems to remain persistent. Apparently, the operators recently modified their techniques. Instead of dropping other payloads, StealthWorker now deploys ransomware as a second-stage malware payload, Synology says.
Other Attacks on NAS Devices
Other examples of recent ransomware attacks on NAS devices are:
- eCh0rai - a new variant of ransomware discovered by researchers at cybersecurity company Anomali. This malware infected several QNAP network storage devices (see: Report: Ransomware Targets QNAP Storage Devices).
- QSnatch, or Derek - data-stealing malware. In July 2020, over 62,000 NAS devices were infected by this malware (see: US, UK Agencies Warn: QNAP NAS Devices Vulnerable).
“The COVID-19 pandemic forced the world’s workforce to work from home. NAS devices are today being used for collaboration and centralized storage and therefore are being exposed to the internet," says Ravi Pandey, a director at Cyber Security Works. "This has made it easy for the attackers, as sensitive information is being stored in these devices which can be held for ransom.”
Users need to be more cognizant of basic cyber hygiene when it comes to protecting NAS devices from ransomware, Pandey says. "Patch the devices regularly and have antivirus and network attack blocker protection. Make sure default settings are changed and password complexity and multifactor settings are enabled. As much as possible, avoid exposing NAS devices to the internet directly; use a VPN instead for access if required."
Manufacturers can help protect NAS devices from attacks by taking certain steps, he adds. For example:
- The NAS devices should have a feature to enforce password complexity to help protect against brute force attacks;
- The devices should use multifactor authentication and OPT verification;
- Data encryption should be implemented to protect the integrity and confidentiality of data;
- The devices should have built-in features, such as antivirus, network blocker and DDoS protection;
Synology has also described several methods to enhance the security measures of its NAS products on its Knowledge Center.