Synology warns that ransomware is attacking NAS devices

Synology, a manufacturer of network-attached storage (NAS) devices, issued a security warning a few days ago stating that malicious software is attempting to brute-force weak passwords and infect its devices.

If the infection succeeds, the malware deploys ransomware on the Synology DSM system, encrypts all of the user's files, and demands a ransom payment.

Synology's product security incident response team stated that infected devices also serve as nodes that go on to attack more devices and harm more users.

These are not security flaws in Synology products, however. The root cause is that users keep the default administrator account with a weak password while the server is exposed to the public network.

The following suggestions are based on our team's day-to-day experience and Synology's official security warning. If you use Synology network equipment, you may want to refer to them.

PGA ransomware

1. Do not use the system's default admin account: the admin account is built into DSM but not enabled; use a custom account name and do not use admin.

2. Turn on multi-factor authentication for the account: DSM already supports multi-factor authentication, that is, two-step verification. If your device is exposed on the public network, you must enable it.

3. Do not expose the device to the public network unless necessary: unless you need to use it over the public network, disable the Synology QC connection or DDNS-type dynamic resolution to avoid exposure.

4. Create strong passwords for accounts: this ransomware mainly brute-forces weak passwords. Accounts with high-strength passwords are usually not cracked.

5. Enable login-failure blocking in the firewall: for example, automatically block an IP address after more than a few failed logins within a few minutes, which effectively stops all kinds of brute-force scripts.

6. Set the DSM system to update automatically, so that you receive the security updates Synology releases promptly and avoid intrusion through known vulnerabilities.
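As an added example (not from Synology or this article), here is a defender-side sketch of the rule in item 5: a sliding-window counter over constructed, syslog-style failed-login lines that reports which source IPs would be auto-blocked, plus a tally of which account names the dictionary attack is hammering. The log layout and the `find_lockouts` and `targeted_accounts` names are assumptions, not DSM's real log format or API.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a generic syslog-like layout (assumption: this is NOT
# the real DSM log format; adapt FAILED to whatever your NAS actually emits).
SAMPLE_LOG = """\
2021-08-08T10:00:01 nas sshd: Failed password for admin from 203.0.113.7
2021-08-08T10:00:04 nas sshd: Failed password for admin from 203.0.113.7
2021-08-08T10:00:09 nas sshd: Failed password for root from 203.0.113.7
2021-08-08T10:00:15 nas sshd: Failed password for admin from 203.0.113.7
2021-08-08T10:00:20 nas sshd: Failed password for guest from 203.0.113.7
2021-08-08T10:01:00 nas sshd: Failed password for alice from 198.51.100.9
2021-08-08T10:20:00 nas sshd: Failed password for alice from 198.51.100.9
2021-08-08T10:20:05 nas sshd: Accepted password for alice from 198.51.100.9
"""

FAILED = re.compile(r"^(\S+) \S+ \S+ Failed password for (\S+) from (\S+)$")


def parse_failures(text):
    """Yield (timestamp, user, ip) for each failed-login line; other lines are skipped."""
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def find_lockouts(text, threshold=5, window_minutes=5):
    """Return {ip: time_of_lockout} for every IP that reaches `threshold` failures
    inside any sliding window of `window_minutes`, mirroring an auto-block rule."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    locked = {}
    for ts, _user, ip in parse_failures(text):
        if ip in locked:
            continue  # already blocked; later attempts would be dropped at the firewall
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # discard failures that have aged out of the window
        if len(q) >= threshold:
            locked[ip] = ts
    return locked


def targeted_accounts(text):
    """Count failed logins per account name; default names (admin, root, guest)
    dominating the tally is the signature of a dictionary attack."""
    return Counter(user for _ts, user, _ip in parse_failures(text))
```

With the defaults, only the host that failed five times in twenty seconds is blocked; the host with two failures nineteen minutes apart is not, which is the trade-off between catching scripts and not locking out a user who mistyped once.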

Synology did not disclose details of the ransomware, but its name can be found on the Internet; it is a bot that targets both Windows and Linux.

The hacker group behind it collects default accounts and passwords for common devices, along with assorted weak passwords, from the Internet to build a dictionary, and then scans and attacks across the entire network.

This is not a particularly sophisticated attack method, but there are enough users worldwide that many inevitably use weak passwords and fall to the brute-force attack.

Analysis shows that after infection the ransomware creates a scheduled task to gain persistence, and the infected device is then used as a node to continue scanning and attacking other devices.

In addition, there are reports that last year's large-scale attack on QNAP NAS devices was carried out by the same malware, likewise by brute-force attack.