Synology, a Taiwan-based NAS maker, warned its users about the StealthWorker botnet that has been attacking its network-attached storage (NAS) devices and targeting users with its own ransomware.
Synology’s PSIRT cybersecurity team reported that the attackers used the compromised NAS devices to launch other attacks against Linux systems.
“These attacks leverage a number of already infected devices to try and guess common administrative credentials, and if successful, will access the system to install its malicious payload, which may include ransomware,” Synology said in a security advisory. “Devices infected may carry out additional attacks on other Linux based devices, including Synology NAS.”
The company is working with various CERT organizations to take down the infrastructure of the botnet, which involves shutting down attackers’ command-and-control servers.
The company urges system admins to change their weak administrative credentials and to enable account protection and multi-factor authentication. Security advisories from Synology rarely provide warnings about active attacks against their customers. The last time they did this was in July 2019.
To prevent attacks, users were advised to implement strong and complex passwords. They should also create a new administrator account and disable the system’s default administrator account.
In addition, the company advised:
“To ensure the security of your Synology NAS, we strongly recommend you enable Firewall in Control Panel and only allow public ports for services when necessary, and enable 2-step verification to prevent unauthorized login attempts,” the company added. You may also want to enable Snapshot to keep your NAS immune to encryption-based ransomware.”
Experts think that this campaign was initiated by a hacker who used a Golang-based brute forcer discovered by Malwarebytes in February 2019 – StealthWorker. Attackers targeted e-commerce websites by exploiting Magento, PhpMyAdmin, and cPanel flaws. Two years ago, StealthWorker operators started to solely rely on the malware’s brute force capabilities.
After deployment on a compromised machine, StealthWorker creates scheduled tasks on Windows and Linux for persistence and deploys other payloads like ransomware.
