NAS (network-attached storage) maker Synology informed customers in a security advisory on August 4th that the StealthWorker botnet is targeting NAS devices in brute-force attacks that lead to ransomware infections.
NAS devices compromised in these attacks are used to try to guess common administrative credentials in order to install a malicious payload, which may include ransomware. These compromised devices may then be used to breach other Linux-based devices, including Synology NAS.
Synology PSIRT (Product Security Incident Response Team) is working with CERT organizations to shut down known command and control (C2) servers behind the malware and notify potentially affected customers.
Synology encourages all system admins and customers to change weak administrative credentials on their systems, enable account protection and auto block, and set up multi-factor authentication whenever possible. It’s also recommended that customers enable Snapshot to back up data and make sure the backups are current and working. Other safeguards to protect devices include configuring your firewall to protect exposed services, changing default NAS ports, closing any ports that are not needed, and closing the SSH port (22) if it is exposed.