NAS targeted by brute force ransomware attacks

Network Attached Storage (NAS) company Synology has issued an urgent warning for owners to check their box’s security settings after it emerged cybercriminals are targeting numerous NAS vendors with a new wave of ransomware.

At first it was thought that recent attacks could be exploiting an unknown software vulnerability in Synology’s products, but according to the company it has since been established that the attackers’ method is a much simpler but still effective brute-forcing of admin credentials.

Synology’s Manager of Security Incident Response Team, Ken Lee, wrote:

We believe this is an organised attack. After an intensive investigation into this matter, we found that the attacker used botnet addresses to hide the real source IP.

Spotted on 19 July 2019, the campaign involves trying lots of commonly used passwords on internet-connected NAS boxes. The attackers hope that eventually they’ll hit on a password that allows them the access necessary to encrypt the data on it.

The first symptom of this will be a ransom note in a readme file – typically asking for thousands of dollars-worth of bitcoins – to decrypt the data.

When you strip away the techniques used to hide the source IP, this isn’t a complex attack. That’s good news because it means that it’s also not difficult to defend against as long as owners check and enable specific security settings (see below).

Unfortunately, that means it’s also not hard to compromise a weakly defended NAS, which has led to a number of users being locked out of large volumes of data.

Warning: this campaign doesn’t only target Synology NAS boxes – the same techniques are being used to target other vendors’ products too.

In other recent incidents affecting another NAS vendor, QNAP, earlier in July, the ransomware involved was eCh0raix (probably the culprit in the latest Synology campaign) which you can read more about on the site of the security company that first noticed it.

What to do

Synology lists a number of basic defences, starting with the need to set a long and complex admin password (brute-force attacks succeed against shorter, simpler ones) before doing the same for everyone else who accesses data on the device.

The simplest way to make sure this has been done on a Synology NAS is to enable the ‘force users to change passwords after the administrator resets the password’ setting in the management console.

A second setting is the ‘apply password strength rules’ after deciding what this should mean (for example, forcing users to include mixed cases, special characters, numerals while excluding names and user descriptions).

Synology also recommends:

• Creating a new account in the administrator group and disabling the “admin” account.
• Enabling Auto Block in Control Panel to block IP addresses with too many failed login attempts.
• Running Security Advisor to make sure there are no weak passwords in the system.
• Enabling the Firewall in Control Panel while allowing publicly facing ports only when necessary.
• Finally, enable two-step verification (2SV).
• Based on Synology’s general advice, cloud multi-versioning should allow defenders to roll back to the same or previous versions of the same files. Or, better still, make regular offline backups.

Critically, on the topic of remote access, ensure it isn’t enabled via RDP when it shouldn’t be – or at all.

Naked Security has documented numerous attacks targeting RDP in recent times and provided advice on securing this protocol across a range of services, including NASs.

Remember, the NAS ransomware attacks discussed here depend on weakly secured remote access to succeed. Close that door and you’ve blocked their way in.

We urge you to read the SophosLabs 2019 Threat Report, in which Sophos researchers analyze the state of play in cybercrime today, including a section on ransomware.

Finally, visit sophos.com to read more about anti-ransomware technologies, including Sophos Intercept X.