The company said these attacks don’t exploit vulnerabilities in its products. Instead they “leverage a number of already infected devices to try and guess common administrative credentials” that can then be used to install malicious payloads without the owner’s knowledge.
Those brute-force attacks aren’t particularly sophisticated, but they can be effective. Synology says “devices infected [by the malware] may carry out additional attacks on other Linux-based devices, including Synology NAS,” and that the malicious payloads “may include ransomware.”
Spreading ransomware makes sense for a botnet targeting NAS devices. The entire point of the product category is to make storing important files, system backups, and private information easier; odds are good that a NAS owner would be upset about losing access to that data.
BleepingComputer reports that StealthWorker was discovered in February 2019 when it was used to “compromise e-commerce websites by exploiting Magento, phpMyAdmin, and cPanel vulnerabilities to deploy skimmers designed to exfiltrate payment and personal information.”
The malware then evolved to focus on brute-force attacks like the ones described by Synology, according to the report, and it’s said to be capable of targeting Windows as well as Linux. It’s not clear if Synology identified a variant that specifically affects devices running Linux, however.
Synology said it’s “working with relevant CERT organizations to find out more about and shut down known C&C (command and control) servers behind the malware” and “simultaneously notifying potentially affected customers” that their NAS devices may have been compromised.
The company also linked to a tutorial explaining how to make its NAS products more secure. Much of the advice is standard—use strong passwords, rely on multi-factor authentication, only connect over HTTPS, etc.—but there are some category-specific defenses as well.