What is a brute force attack?
A brute force attack consists of testing all possible combinations of usernames and passwords with the aim of entering a system illegitimately. NAS servers normally have tools to mitigate brute force attacks, for example by limiting the number of failed password attempts allowed for a given user: if the threshold is exceeded, that user can be blocked automatically until the administrator unlocks the account. Another very common configuration is to block the source IP address that is making dozens or hundreds of attempts to enter the system with a specific username and password.
If the brute force attack is carried out by a botnet, the attempts come from many source IP addresses at once, so these mitigation measures are not entirely effective in that case: we can block one or several source IPs, but the attempts will keep coming from other addresses we have not blocked.
What does Synology know about this attack?
Synology's security incident response team has not detected any indication that the botnet is trying to exploit a security vulnerability in the operating system, so in principle we are protected as far as vulnerabilities are concerned. What this attack is currently doing is trying to compromise the administrator credentials of the manufacturer's NAS servers. If it succeeds, malware that can include ransomware is installed to encrypt all the files on the NAS.
Of course, an infected device can carry out other attacks, such as brute force attacks against other Synology servers that have not yet been compromised. The Synology PSIRT team is working to gather as much information as possible and to shut down all the C&C (command and control) servers behind this attack, while notifying customers who could be affected.
Security recommendations to follow
Synology's recommendations are to review the password policy and the passwords of administrator users, looking for weak credentials. It is also recommended to enable two-step authentication to improve the security of the administration account, and to enable automatic blocking of users whose password is entered incorrectly too many times.
From RedesZone we also recommend the following:
- Close all ports on your router, at least temporarily, except the ones you absolutely need, such as the one for your VPN.
- If you need to access the Synology NAS remotely, do so only through a VPN, with only the corresponding port open.
- Do not expose the management web interface to the Internet; it is a possible attack vector.
- Check all recent activity on your NAS server for abnormal behavior.
- Take a 3-2-1 backup of your data.
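The two mitigations described above (blocking a source IP and locking an account after repeated failures), the reason a botnet defeats the first one on its own, and the kind of review of recent activity recommended here can all be shown with a small simulation. The following is an added example, not code from the article or from Synology: it applies both counters to constructed login records in a made-up `timestamp user source_ip result` layout (not real DSM log output) and reports what an administrator should look at. The thresholds and the ten-minute window are assumptions chosen for the demonstration.

```python
# Added example: per-source-IP blocking and per-account lockout over constructed
# login records, and why IP blocking alone misses a distributed botnet.
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Constructed records: every guess against "admin" comes from the same address.
SINGLE_SOURCE_LOG = """\
2021-08-05T10:00:01 admin 203.0.113.10 FAIL
2021-08-05T10:00:02 admin 203.0.113.10 FAIL
2021-08-05T10:00:03 admin 203.0.113.10 FAIL
2021-08-05T10:00:04 admin 203.0.113.10 FAIL
2021-08-05T10:00:05 admin 203.0.113.10 FAIL
2021-08-05T10:00:06 admin 203.0.113.10 OK
"""

# Constructed records: the same number of guesses, each from a different bot.
DISTRIBUTED_LOG = """\
2021-08-05T10:05:01 admin 198.51.100.1 FAIL
2021-08-05T10:05:02 admin 198.51.100.2 FAIL
2021-08-05T10:05:03 admin 198.51.100.3 FAIL
2021-08-05T10:05:04 admin 198.51.100.4 FAIL
2021-08-05T10:05:05 admin 198.51.100.5 FAIL
2021-08-05T10:05:06 admin 198.51.100.6 OK
2021-08-05T11:00:00 alice 192.0.2.7 OK
"""


@dataclass
class Event:
    ts: datetime
    user: str
    ip: str
    ok: bool


@dataclass
class Policy:
    ip_threshold: Optional[int] = 5     # failures from one IP before it is blocked (None = off)
    user_threshold: Optional[int] = 5   # failures on one account before it is locked (None = off)
    window: timedelta = timedelta(minutes=10)  # sliding window for both counters (assumed)


@dataclass
class Outcome:
    blocked_ips: Set[str] = field(default_factory=set)
    locked_users: Set[str] = field(default_factory=set)
    accepted_logins: List[str] = field(default_factory=list)  # "user@ip" that got in
    review: List[str] = field(default_factory=list)           # items for the administrator


def parse_log(text: str) -> List[Event]:
    """Parse the constructed 'timestamp user ip result' lines, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, ip, result = line.split()
            events.append(Event(datetime.fromisoformat(ts), user, ip, result == "OK"))
    return sorted(events, key=lambda e: e.ts)


def _recent(hits: List[datetime], now: datetime, window: timedelta) -> List[datetime]:
    """Drop failures that have aged out of the sliding window."""
    return [t for t in hits if now - t <= window]


def apply_policy(events: List[Event], policy: Policy) -> Outcome:
    out = Outcome()
    ip_fails: Dict[str, List[datetime]] = defaultdict(list)
    user_fails: Dict[str, List[datetime]] = defaultdict(list)
    sources_per_user: Dict[str, Set[str]] = defaultdict(set)  # distinct IPs that failed per account

    for ev in events:
        if ev.ip in out.blocked_ips or ev.user in out.locked_users:
            # Refused before the password is even evaluated; a correct guess here
            # means the credential is known and must be rotated.
            if ev.ok:
                out.review.append(f"{ev.ts.isoformat()} correct password for locked/blocked "
                                  f"{ev.user} from {ev.ip} was refused: rotate the credential")
            continue

        if ev.ok:
            out.accepted_logins.append(f"{ev.user}@{ev.ip}")
            # A success following failures from several sources is the trace a botnet leaves.
            if len(sources_per_user[ev.user]) >= 2:
                out.review.append(f"{ev.ts.isoformat()} {ev.user} logged in from {ev.ip} after "
                                  f"failures from {len(sources_per_user[ev.user])} distinct IPs")
            continue

        # Failed attempt: update both sliding-window counters.
        ip_fails[ev.ip] = _recent(ip_fails[ev.ip], ev.ts, policy.window) + [ev.ts]
        user_fails[ev.user] = _recent(user_fails[ev.user], ev.ts, policy.window) + [ev.ts]
        sources_per_user[ev.user].add(ev.ip)
        if policy.ip_threshold is not None and len(ip_fails[ev.ip]) >= policy.ip_threshold:
            out.blocked_ips.add(ev.ip)
        if policy.user_threshold is not None and len(user_fails[ev.user]) >= policy.user_threshold:
            out.locked_users.add(ev.user)
    return out


if __name__ == "__main__":
    policies = {"IP block only": Policy(user_threshold=None), "IP block + lockout": Policy()}
    for log_name, log in (("single source", SINGLE_SOURCE_LOG), ("distributed", DISTRIBUTED_LOG)):
        for pol_name, pol in policies.items():
            o = apply_policy(parse_log(log), pol)
            got_in = any(a.startswith("admin@") for a in o.accepted_logins)
            print(f"{log_name:13} | {pol_name:18} | admin got in: {got_in!s:5} | "
                  f"blocked {sorted(o.blocked_ips)} locked {sorted(o.locked_users)}")
            for item in o.review:
                print("    review:", item)
```

Against the single-source records both policies stop the sixth attempt, because the address is blocked after five failures. Against the distributed records the IP-only policy never trips (each bot fails once) and the correct guess gets in, leaving only a review entry; the account lockout refuses it regardless of where the attempts came from, which is why Synology's advice pairs the per-IP block with automatic user blocking and a credential review.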
At RedesZone we will keep you informed of any news regarding this brute force attack affecting Synology servers.