Attackers’ Brute-Force Attacks Could Deliver Ransomware
Taiwan-based network-attached storage device manufacturer Synology says the StealthWorker botnet is targeting its products with brute-force attacks that could lead to ransomware intrusions.
“At present, there is no indication of the [Stealthworker] malware exploiting any software vulnerabilities,” Synology’s Product Security Incident Response Team says. Instead, Synology’s investigation found that the attackers were leveraging the credentials from already compromised devices and using them in brute-force attacks to target a larger number of systems. Synology is warning customers that the infected devices “may carry out additional attacks on other Linux-based devices, including Synology NAS.”
The company has begun notifying potentially affected customers and is working in collaboration with CERTs to crack down on the command-and-control servers operating the malware.
In July 2019, Synology released a similar advisory urging its users to take immediate action to protect their data from ransomware attacks. Even back then, the attacks were not due to an active exploitation of its system vulnerabilities, but a result of stolen admin credentials being used in brute-force/dictionary attacks, the company reported.
About StealthWorker Botnet
The StealthWorker botnet was discovered by Malwarebytes in February 2019. The botnet was injected into the homepage of a Magento-based e-commerce website and used to steal login credentials and credit card details.
The botnet deploys a Golang-based payload and, upon successful infiltration, creates scheduled tasks on both Windows and Linux-based systems to remain persistent. Recently, the operators apparently have modified their techniques: instead of dropping other payloads, the botnet now deploys ransomware as a second-stage malware payload, Synology says.
Other Attacks on NAS Devices
Other examples of recent ransomware attacks on NAS devices are:
“The COVID-19 pandemic forced the world’s workforce to work from home. NAS devices are today being used for collaboration and centralized storage and therefore are being exposed to the internet,” says Ravi Pandey, a director at Cyber Security Works. “This has made it easy for the attackers as sensitive information is being stored in these devices which can be held for ransom.”
Users need to be more cognizant of basic cyber hygiene when it comes to protecting NAS devices from ransomware, Pandey says. “Patch the devices regularly and have antivirus and network attack blocker protection. Make sure default settings are changed and password complexity and multifactor settings are enabled. As much as possible, avoid exposing NAS devices to the internet directly; use a VPN instead for access if required.”
Manufacturers can help protect NAS devices from attacks by taking certain steps, he adds. For example:
- The NAS device should have a feature to enforce password complexity to help protect against brute-force attacks.
- The devices should use multifactor authentication and OTP verification.
- Data encryption should be implemented to protect the integrity and confidentiality of data.
- The devices should have built-in features, such as antivirus, network blocker and DDoS protection.
Synology has also described several methods to enhance the security measures of its NAS products on its Knowledge Center.