Synology PSIRT (Product Security Incident Response Team) has recently received reports on an increase in brute-force attacks against Synology devices.
Synology’s security researchers believe the botnet is primarily driven by a malware family called “StealthWorker”. The advisory says that PSIRT has seen no indication of the malware exploiting any software vulnerabilities.
StealthWorker Botnet Attacks
Researchers from Akamai first spotted this malware in June 2020. Written in Golang, StealthWorker is capable of running brute-force attacks against several popular web services and platforms, including cPanel / WHM, WordPress, Drupal, Joomla, OpenCart, Magento, MySQL, PostgreSQL, Brixt, SSH, and FTP.
The malware also searches for backup files and administrator login paths. Synology says that devices infected by the malware may carry out additional attacks on other Linux-based devices, including Synology NAS, and that the malicious payloads may include ransomware.
“These attacks leverage a number of already infected devices to try and guess common administrative credentials, and if successful, will access the system to install its malicious payload, which may include ransomware”, according to Synology.
As a result, the company is coordinating with multiple CERT organizations worldwide to take down the botnet’s infrastructure by shutting down all detected command-and-control (C2) servers.
How To Defend Against These Attacks
Synology advises users to take the following steps to defend their NAS devices against these attacks:
- Use strong passwords
- Disable the default admin account
- Enable Auto Block in Control Panel to block IP addresses with too many failed login attempts.
- Run Security Advisor to make sure there are no weak passwords in the system.
- Stay up to date and enable notifications
Synology also advises enabling the Firewall in Control Panel, opening public ports for services only when necessary, and enabling 2-step verification to prevent unauthorized logins. The company strongly recommends that all system administrators check their systems for weak administrative credentials, enable Auto Block and account protection, and set up multi-step authentication where applicable.
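As an added illustration of what the Auto Block recommendation amounts to (example code written for this article, not Synology's own implementation), the script below reads constructed sshd-style failed-login lines, flags any source IP that reaches a failure threshold within a time window, and counts which accounts were targeted. The log format, the threshold and window values, and the IP addresses are all assumptions; DSM's own Auto Block settings and log format may differ.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in generic sshd/auth.log style; not real Synology output.
SAMPLE_LOG = """\
Aug  4 10:00:01 nas sshd[1201]: Failed password for admin from 203.0.113.5 port 50110 ssh2
Aug  4 10:00:03 nas sshd[1203]: Failed password for admin from 203.0.113.5 port 50112 ssh2
Aug  4 10:00:04 nas sshd[1204]: Failed password for root from 203.0.113.5 port 50114 ssh2
Aug  4 10:00:06 nas sshd[1206]: Failed password for admin from 203.0.113.5 port 50116 ssh2
Aug  4 10:00:07 nas sshd[1207]: Failed password for admin from 203.0.113.5 port 50118 ssh2
Aug  4 10:01:45 nas sshd[1301]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Aug  4 10:20:00 nas sshd[1400]: Failed password for admin from 192.0.2.9 port 33000 ssh2
Aug  4 10:35:00 nas sshd[1401]: Failed password for admin from 192.0.2.9 port 33002 ssh2
Aug  4 10:50:00 nas sshd[1402]: Failed password for admin from 192.0.2.9 port 33004 ssh2
Aug  4 11:05:00 nas sshd[1403]: Failed password for admin from 192.0.2.9 port 33006 ssh2
Aug  4 11:20:00 nas sshd[1404]: Failed password for admin from 192.0.2.9 port 33008 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

def parse_failures(log_text, year=2021):
    """Yield (timestamp, user, ip) for each failed-login line; other lines are ignored."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def auto_block_candidates(log_text, attempts=5, window_minutes=5):
    """Return {ip: time the threshold was hit} for sources with `attempts` failures inside `window_minutes`."""
    recent = defaultdict(deque)
    blocked = {}
    window = timedelta(minutes=window_minutes)
    for ts, _user, ip in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts that fell out of the sliding window
            q.popleft()
        if len(q) >= attempts and ip not in blocked:
            blocked[ip] = ts
    return blocked

def targeted_accounts(log_text):
    """Count failed attempts per username; a high 'admin' count argues for disabling that account."""
    return Counter(user for _ts, user, _ip in parse_failures(log_text))
```

The second source spaces its guesses 15 minutes apart and only trips the threshold when the window is widened to 90 minutes, which is why the attempt count and window should be tuned together rather than set only for the noisiest attacker.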