Cybercrime , Fraud Management & Cybercrime , Ransomware

Synology NAS Devices Targeted by StealthWorker Botnet

Attackers’ Brute Force Attacks Could Deliver Ransomware
Synology NAS Devices Targeted by StealthWorker Botnet
Photo: Synology

Taiwan-based network-attached storage device manufacturer Synology says the StealthWorker botnet is targeting its products with brute force attacks that could lead to ransomware intrusions.

See Also: OnDemand | Combatting Rogue URL Tricks: How You Can Quickly Identify and Investigate the Latest Phishing Attacks

“At present, there is no indication of the [StealthWorker] malware exploiting any software vulnerabilities,” Synology's Product Security Incident Response Team says. Instead, Synology's investigation found that the attackers were leveraging the credentials from already compromised devices and using them in brute force attacks to target a larger number of systems. Synology is warning customers that the infected devices “may carry out additional attacks on other Linux-based devices, including Synology NAS.”

The company has begun notifying potentially affected customers and is working in collaboration with CERTs to crack down on the command-and-control servers operating the malware.

In July 2019, Synology released a similar advisory, urging its users to take immediate action to protect their data from ransomware attacks. Even then, the attacks were not due to an active exploitation of system vulnerabilities, but a result of stolen admin credentials being used in brute force/dictionary attacks, the company reported.

About StealthWorker Botnet

The StealthWorker botnet was discovered by Malwarebytes in February 2019. The botnet was injected into the homepage of a Magento-based e-commerce website and used to steal login credentials and credit card details.

The botnet deploys the Golang-based payload, and upon successful infiltration it creates scheduled tasks on both Windows- and Linux-based systems to remain persistent. Apparently, the operators recently modified their techniques. Instead of dropping other payloads, StealthWorker now deploys ransomware as a second-stage malware payload, Synology says.

Other Attacks on NAS Devices

Other examples of recent ransomware attacks on NAS devices are:

Remediation Measures

“The COVID-19 pandemic forced the world’s workforce to work from home. NAS devices are today being used for collaboration and centralized storage and therefore are being exposed to the internet," says Ravi Pandey, a director at Cyber Security Works. "This has made it easy for the attackers, as sensitive information is being stored in these devices which can be held for ransom.”

Users need to be more cognizant of basic cyber hygiene when it comes to protecting NAS devices from ransomware, Pandey says. "Patch the devices regularly and have antivirus and network attack blocker protection. Make sure default settings are changed and password complexity and multifactor settings are enabled. As much as possible, avoid exposing NAS devices to the internet directly; use a VPN instead for access if required."

Manufacturers can help protect NAS devices from attacks by taking certain steps, he adds. For example:

  • The NAS devices should have a feature to enforce password complexity to help protect against brute force attacks;
  • The devices should use multifactor authentication and OPT verification;
  • Data encryption should be implemented to protect the integrity and confidentiality of data;
  • The devices should have built-in features, such as antivirus, network blocker and DDoS protection;

Synology has also described several methods to enhance the security measures of its NAS products on its Knowledge Center.


About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.eu, you agree to our use of cookies.