Synology warns of malware infecting nas devices

Nas manufacturer Synology warns that there has been a sharp increase in brute force attacks against Synology devices using the StealthWorker botnet. If the botnet gains access to a nas, it will be added to the botnet.

According to Synology’s Incident Response Team, that sent a message Concerning the threat of the botnet, StealthWorker has targeted Synology NAS devices, but is not using any known software vulnerabilities. The botnet uses brute force attacks to guess common admin passwords to gain access to a device. If successful, it installs a malicious payload on a nas, which may also contain ransomware.

Synology DS220+

Infected devices are then used to launch more attacks against other Linux devices. Synology is still looking for a way to disable the botnet by finding the servers behind the malware.

Synology warns administrators to be extra careful about using easy-to-guess passwords, to enable autoblock and account protection, and to enable two-step verification if possible.

The botnet StealthWorker has been active for some time; it became Discovered by Malwarebytes in February 2019. At that time, the botnet mainly targeted web stores by attacking content management systems, especially Magento, phpMyAdmin and cPanel. Malwarebytes then discovered that some of the malware was specially made for brute force attacks and that there was bot communication, which suggested the possibilities for a botnet. A month later, FortiGuard Labs discovered that StealthWorker switched to brute force attacks on Linux and Windows devices.