Synology NAS devices attacked with StealthWorker botnet – password security as protection

Threat Alert

With the help of a botnet (a network of several computer programs that automatically and independently perform certain tasks), Synology NAS devices are currently under attack. Attempts are being made to guess passwords and install a malicious program. Password security is crucial in this attack.

What happened?

On August 9, security researchers from Taiwan-based Synology warned customers that the so-called “StealthWorker” botnet is targeting the company's data storage products, also known as network-attached storage (NAS) devices. The attackers use a brute force attack to try to gain access to the targeted devices and encrypt them.

What are the risks to my business from the attack on Synology products?

The current attack is a brute force attack. Such attacks are usually based on guessing credentials: the attackers typically use a list of known, common passwords, and software tries every password in this list against an account. Once the list is exhausted or one of the attempts has succeeded, the botnet moves on to another account.

Synology's security researchers have stated that they do not believe the ongoing attack is related to an existing vulnerability in their products, but that it is a random attack. The attack is allegedly perpetrated by the “StealthWorker” botnet, which first appeared in 2019 when it targeted CMS e-commerce companies. Synology issued a statement saying that it is working with multiple CERTs around the world to take down the botnet.

What can I do?

If you own a Synology NAS device, follow the steps below:

  1. Check your password security. Check your credentials and make sure that your password is not used in other accounts, is unique and sufficiently complex. You may also consider using a password manager.
  2. Enable automatic locking and account protection. You can find step-by-step instructions here.
  3. If possible, add 2-factor authentication to your account. This solution will inform you as soon as someone unexpectedly tries to log in, and will verify your identity through a second channel, e.g. via SMS.
  4. Synology has issued additional protection instructions, which are available here.
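
Why step 2 names both automatic locking and account protection, shown as an added example that is not from the original article or from Synology: a botnet spreads its guesses over many source addresses, so failed logins should be counted per account as well as per address. The log format, addresses, threshold (5 failures) and window (5 minutes) are constructed assumptions, not Synology's settings.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def build_sample():
    """Constructed sample log in a hypothetical 'timestamp ip account result' format."""
    t0 = datetime(2021, 8, 9, 3, 0, 0)
    lines = []
    # Six bot addresses each try 'admin' only twice (distributed guessing).
    for n in range(12):
        ts = t0 + timedelta(seconds=20 * n)
        lines.append(f"{ts.isoformat()} 203.0.113.{10 + n // 2} admin FAIL")
    # One noisy address fails five times on 'backup'.
    for n in range(5):
        ts = t0 + timedelta(seconds=400 + 10 * n)
        lines.append(f"{ts.isoformat()} 192.0.2.50 backup FAIL")
    # A legitimate user mistypes once, then logs in.
    lines.append("2021-08-09T03:10:00 198.51.100.7 alice FAIL")
    lines.append("2021-08-09T03:10:30 198.51.100.7 alice OK")
    return lines

def parse(line):
    """Split one log line into (timestamp, ip, account, success)."""
    ts, ip, account, result = line.split()
    return datetime.fromisoformat(ts), ip, account, result == "OK"

def flag(lines, by, threshold=5, window=timedelta(minutes=5)):
    """Return the keys ('ip' or 'account') with >= threshold failures in the window.

    Assumes the lines are in chronological order.
    """
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip, account, ok in map(parse, lines):
        if ok:
            continue
        key = ip if by == "ip" else account
        times = recent[key]
        times.append(ts)
        while times[0] < ts - window:  # drop failures older than the window
            times.popleft()
        if len(times) >= threshold:
            flagged.add(key)
    return flagged

if __name__ == "__main__":
    log = build_sample()
    print("flagged by source IP:", sorted(flag(log, "ip")))
    print("flagged by account:  ", sorted(flag(log, "account")))
```

Counting per source address flags only the single noisy address, while counting per account also flags the twelve failed logins on "admin" that arrived from six different addresses.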

If you have difficulties finding the right solution for your device and you are a Perseus customer, please contact us.