Taiwan-based NAS maker Synology has warned customers that the StealthWorker botnet is targeting their network-attached storage devices in ongoing brute-force attacks that lead to ransomware infections.

These attacks leverage a number of already infected devices to try and guess common administrative credentials, and if successful, will access the system to install its malicious payload, which may include ransomware.

The company is coordinating with multiple CERT organizations worldwide to take down the botnet’s infrastructure by shutting down all detected C2 servers.

Defending Technique

The NAS maker urges all system admins and customers to change weak administrative credentials on their systems, to enable account protection and auto block, and to set up multi-factor authentication where possible.

The company advised users to go through the following checklist to defend their NAS devices against attacks:

  • Use a complex and strong password, and Apply password strength rules to all users.
  • Create a new account in the administrator group and disable the system default “admin” account.
  • Enable Auto Block in Control Panel to block IP addresses with too many failed login attempts.
  • Run Security Advisor to make sure there is no weak password in the system.

To ensure the security of your Synology NAS,enable Firewall in Control Panel and only allow public ports for services when necessary, and enable 2-step verification to prevent unauthorized login attempts.

Brute-force malware targeting Windows and Linux machines

StealthWorker, Golang based Malware was used to compromise e-commerce websites by exploiting Magento, phpMyAdmin, and cPanel vulnerabilities to deploy skimmers designed to exfiltrate payment and personal information. It has brute force capabilities that affecting internet exposed devices.

It will start scanning the Internet for vulnerable hosts with weak or default credentials. Once deployed, the malware creates scheduled tasks on both Windows and Linux to gain persistence and, as Synology, warned deploys second-stage malware payloads, including ransomware.