[BreachExchange] StealthWorker botnet targets Synology NAS devices to drop ransomware

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Thu Aug 12 08:23:26 EDT 2021


https://www.cyberdefensemagazine.com/stealthworker-botnet/

Taiwan-based vendor Synology has warned customers that the StealthWorker
botnet is conducting brute-force attacks in an attempt to implant
ransomware.

Once compromised the device, threat actors employed it in a botnet used in
attacks aimed at Linux systems, including Synology NAS.

“Synology PSIRT (Product Security Incident Response Team) has recently seen
and received reports on an increase in brute-force attacks against Synology
devices. Synology’s security researchers believe the botnet is primarily
driven by a malware family called “StealthWorker.” At present, Synology
PSIRT has seen no indication of the malware exploiting any software
vulnerabilities.” reads the security advisory published by the vendor.

“These attacks leverage a number of already infected devices to try and
guess common administrative credentials, and if successful, will access the
system to install its malicious payload, which may include ransomware.”

The vendor reporting its findings with relevant CERTs and is working with
them to dismantle the C&C (command and control) infrastructure behind the
malware. Synology is also notifying affected customers.

The Taiwanese company urges its customers to enable multi-factor
authentication where available, enable auto block and account protection,
and to use string administrative credentials,

System administrators that have noticed suspicious activity on their
devices should report it to Synology technical support.

Stealthworker botnet was first spotted by Akamai researchers in June 2020,
the bot is a Golang-based malicious code that targets Windows and Linux
servers running popular web services and platforms including (i.e. cPanel /
WHM, WordPress, Drupal, Joomla, OpenCart, Magento, MySQL, PostgreSQL,
Brixt, SSH, and FTP).

Operators behind the Stealthworker malware use the infected hosts to launch
brute force attacks against other systems.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210812/2bc25f4f/attachment.html>


More information about the BreachExchange mailing list