A StealthWorker botnet is carrying out brute-force attacks on Synology NAS devices, according to the company’s Incident Response Team. Infected devices could be exposed to a variety of malicious payloads, including ransomware. But because these brute-force attacks rely on weak security credentials, it’s up to Synology NAS users to defend their devices—here’s how to make sure your NAS unit is safe.
Just to be crystal clear, Synology has not been hacked. This StealthWorker botnet simply forces its way into accounts by guessing their passwords. Once your account is broken into, the botnet dumps a malicious payload on your NAS unit.
Infected units may join the botnet to attack other devices or suffer from malware. Because the botnet is targeting NAS units, which often contain valuable data, ransomware is a real threat here.
Thankfully, there are several steps you can take to secure your account. Here are four actions that Synology suggested during a similar attack in 2019, plus a few suggestions from our staff:
- Use a complex, strong password, and apply password strength rules to all users.
- Create a new account in the administrator group and disable the system default “admin” account.
- Enable Auto Block in Control Panel to block IP addresses with too many failed login attempts.
- Run Security Advisor to make sure there are no weak passwords in the system.
- Enable Firewall in the Control Panel.
- Enable 2-step authentication to keep out bots even if they discover your password.
- Enable Snapshot to keep your NAS immune to encryption-based ransomware.
- Consider storing important files in more than one location, not just your NAS unit.
You should also check out Synology’s Knowledge Center, which provides several methods for securing your account.
Synology says that it’s working with CERT organizations to take down all of the botnet’s command-and-control servers. The company will notify potentially impacted users, though you should reach out to Synology tech support if you find that your NAS unit is behaving strangely.
Source: Synology via Bleeping Computer