Taiwan-based NAS maker Synology has warned customers that the StealthWorker botnet is targeting their network-attached storage devices in continuous brute-force attacks that lead to ransomware infections.
According to Synology’s PSIRT (Product Security Incident Response Team), Synology NAS devices compromised in these attacks are subsequently used in further attempts to breach more Linux systems.
“These attacks exploit a number of already infected devices to try to guess common administrative credentials and, if successful, will access the system to install their malicious payload, which may include ransomware,” Synology said in a security advisory.
“Infected devices can carry out additional attacks on other Linux-based devices, including Synology NAS.”
The company is coordinating with several CERT organizations around the world to bring down the botnet infrastructure by shutting down all detected command and control (C2) servers.
Synology is working to notify all potentially affected customers of these ongoing attacks targeting their NAS devices.
How to defend against these attacks
The NAS manufacturer urges all system administrators and customers to change weak administrative credentials on their systems, enable account protection and auto-lock, and configure multi-factor authentication when possible.
Synology rarely issues security advisories warning of active attacks against its clients. The latest alert on ransomware infections following successful large-scale brute force attacks was published in July 2019.
The company recommended that users review the following checklist to defend their NAS devices against attacks:
- Use a complex and strong password, and apply password security rules to all users.
- Create a new account in the administrators group and disable the default system “admin” account.
- Enable Auto Block in Control Panel to block IP addresses with too many failed login attempts.
- Run Security Advisor to make sure there is no weak password on the system.
“To ensure the security of your Synology NAS, we strongly recommend that you enable Firewall in Control Panel and only allow public ports for services when necessary, and enable two-step verification to prevent unauthorized login attempts,” the company added.
“You may also want to enable Snapshot to keep your NAS immune to encryption-based ransomware.”
Synology provides more information on how to defend your NAS device against ransomware infections here.
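As an added illustration of the Auto Block recommendation above (this is example code, not Synology's own software or the DSM log format), the Python below counts failed logins per source IP inside a sliding time window and flags sources that cross the threshold, and separately lists sources that tried the default "admin" account, which should see no legitimate logins once that account is disabled. The log lines and their layout are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a generic syslog-like layout; this is NOT the real
# DSM log format, just an assumed shape for the example.
SAMPLE_LOG = """\
2021-08-07T10:00:01 nas1 login: failed login user=admin from=203.0.113.5
2021-08-07T10:00:03 nas1 login: failed login user=admin from=203.0.113.5
2021-08-07T10:00:04 nas1 login: failed login user=root from=203.0.113.5
2021-08-07T10:00:06 nas1 login: failed login user=admin from=203.0.113.5
2021-08-07T10:00:07 nas1 login: failed login user=backup from=203.0.113.5
2021-08-07T10:00:09 nas1 login: failed login user=admin from=203.0.113.5
2021-08-07T10:01:00 nas1 login: failed login user=alice from=198.51.100.7
2021-08-07T10:30:00 nas1 login: successful login user=alice from=198.51.100.7
2021-08-07T11:15:00 nas1 login: failed login user=alice from=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ login: (?P<result>failed|successful) login "
    r"user=(?P<user>\S+) from=(?P<ip>\S+)$"
)


def parse_events(text):
    """Yield (timestamp, result, user, ip) tuples; lines that don't match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def find_brute_force_sources(text, max_failures=5, window=timedelta(minutes=5)):
    """Return the set of IPs with >= max_failures failed logins inside a sliding
    window, the same attempts-within-minutes rule Auto Block applies before it
    blocks an address. Old failures outside the window are dropped, so a user who
    mistypes a password now and then is not flagged."""
    failures = defaultdict(list)
    flagged = set()
    for ts, result, _user, ip in parse_events(text):
        if result != "failed":
            continue
        recent = [t for t in failures[ip] if ts - t <= window] + [ts]
        failures[ip] = recent
        if len(recent) >= max_failures:
            flagged.add(ip)
    return flagged


def default_admin_attempts(text):
    """Return IPs that tried the default 'admin' account; with that account
    disabled, any such attempt is credential guessing, not a real user."""
    return {ip for _ts, _result, user, ip in parse_events(text) if user == "admin"}
```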
Brute force malware targeting Windows and Linux machines
While Synology did not share any more information about the malware being used in this campaign, the shared details align with a Golang-based brute forcer discovered by Malwarebytes at the end of February 2019 and named StealthWorker.
Two years ago, StealthWorker was used to compromise e-commerce websites by exploiting vulnerabilities in Magento, phpMyAdmin, and cPanel to implement skimmers designed to exfiltrate personal and payment information.
However, as Malwarebytes pointed out at the time, the malware also has brute-force capabilities that allow it to log into internet-exposed devices using locally generated passwords or previously compromised credential lists.
Starting in March 2019, StealthWorker operators switched to a brute-force-only approach to scanning the internet for vulnerable hosts with weak or default credentials.
Once deployed on a compromised machine, the malware creates scheduled tasks on both Windows and Linux to gain persistence and, as Synology has warned, deploys second-stage malware payloads, including ransomware.
While the NAS maker did not issue a security advisory at the time, customers reported in January that their devices had been infected with the Dovecat Bitcoin cryptojacking malware [1, 2] starting in November 2020, in a campaign that also targeted QNAP NAS devices.
A Synology spokesperson was not available for comment when contacted by BleepingComputer today for additional details on these attacks.