Check your passwords! Synology NAS devices under attack from StealthWorker

Synology PSIRT (Product Security Incident Response Team) has put out a warning that it has recently seen and received reports about an increase in brute-force attacks against Synology devices. PSIRT suspects the botnet commonly known as StealthWorker is responsible for this increase in activity.

Synology

Synology specializes in data storage and most people will know it because of its Networked Attached Storage (NAS) devices. These NAS devices seem to be what the botnet is targeting. The company does not believe the botnet is exploiting vulnerabilities in its software, it’s simply going after weak or default passwords using brute force guessing.

In a brute force guessing attacks, software attempts to find a device’s password with a bit of educated guesswork (typically by using a list of known, common passwords). It tries a password, sees if it works, and if it doesn’t, tries another, and another, and another, until it either guesses a password correctly or exhausts its list and moves on.

In this case, if a password is guessed successfully, the device is infected with malware that will carry out additional attacks on other devices.

StealthWorker

We reported about Trojan.StealthWorker.GO in February of 2019 when it emerged as a brute forcer written in Golang that was discovered to be involved in a rise in attacks against e-commerce websites. Golang is a statically-typed, compiled, general-purpose programming language that we see more often in the current malware landscape. Shortly after the involvement in CMS platforms StealthWorker started to target Linux and Windows machines.

In June 2020, Akamai researchers uncovered a malware campaign spreading Golang-based malicious code that was also attributed to StealthWorker. It was found targeting Windows and Linux servers running popular web services and platforms like WordPress, Drupal, Joomla, and Magento. One significant factoid discovered back then was that cleaning the compromised system was not enough. It would be re-infected within minutes if the password stayed the same. This would indicate either a very efficient brute-force technique or, perhaps more likely, the use of a method to store and retrieve passwords that were once guessed right.

Once deployed on a compromised machine, the malware creates scheduled tasks on both Windows and Linux to gain persistence and, as Synology warned, then deploys second-stage malware payloads. Botnets can be used to spread other malware like cryptojackers and ransomware. Or your device can be used in DDoS or click-fraud campaigns. On CMS platforms the botnet can equip a compromised e-commerce website with an embedded skimmer that steals personal information and payment details when unsuspecting customers enter them into the website.

Mitigation

Synlogy says it is working with multiple CERT organizations worldwide in an attempt to locate and take down the botnet’s command and control servers.

Synology recommends that all users check their system for weak administrative credentials and change them if necessary. Synology also recommends enabling auto block and account protection. Finally, you should set up multi factor authentication (MFA) where possible.

Synology also advises users to enable Snapshot to keep their NAS safe from encryption-based ransomware. This performs a regular, off-site backup. More Synology NAS-specific security advice can be found on its site.

The company’s advice is also valid for any other Internet-facing NAS devices. Synology only reports these attacks are performed on its devices, but that might be because it is where they have a clear picture of what’s going on. It does not mean other devices are being neglected by the botnet. There is no reason for StealthWorker, or other botnets, to pass up on other manufacturer’s devices.

Stay safe, everyone!