NAS manufacturer Synology warns that there is a sharp increase in the number of brute force attacks on Synology devices using the StealthWorker botnet. If the botnet gains access to a nas, it is added to the botnet.
According to Synology’s Incident Response team, which released a message about the threat of the botnet, StealthWorker has targeted Synology NAS devices, but is not known to use any software vulnerabilities. The botnet uses brute force attacks to guess common admin passwords in order to enter a device. If successful, it installs a malicious payload on a NAS, which may also contain ransomware.
Infected devices are then used to carry out more attacks on other Linux devices. Synology is still looking for a way to disable the botnet by finding the servers behind the malware.
Synology warns administrators to be extra careful when using easy-to-guess passwords, turn on autoblock and account protection, and turn on two-step verification when possible.
The StealthWorker botnet has been active for some time; it was discovered by Malwarebytes in February 2019. At the time, the botnet mainly targeted online stores by attacking content management systems, notably Magento, phpMyAdmin and cPanel. At that time, Malwarebytes discovered that some of the malware was specifically made for brute force attacks and there was bot communication, suggesting the potential for a botnet. A month later, FortiGuard Labs discovered that StealthWorker switched to performing brute force attacks on Linux and Windows devices.