01/20/2022 | News release | Distributed by Public on 01/20/2022 05:38
Threats to the internet of things (IoT) continue to evolve as users and businesses grow increasingly reliant on these tools for constant connectivity, access to information and data, and workflow continuity. Cybercriminals have taken notice of this dependence and now regularly update their known tools and routines to add network-attached storage (NAS) devices to their list of targets, knowing full well that users rely on these devices for storing and backing up files in both modern homes and businesses. More importantly, cybercriminals are aware that these tools hold valuable information and have only minimal security measures.
REvil
While the disappearance of REvil (aka Sodinokibi) in mid-2021 is filled with uncertainty, security researchers have found a Linux version of the REvil ransomware that they have dubbed Revix. After analyzing the samples, we found four different versions of the malware, all of which rely on an embedded JavaScript Object Notation (JSON)-based configuration to set parameters before encrypting files.
While some parameters are ignored by the ransomware, these are the most important ones that we observed:
While the differences between the versions are minor, the group advertised the capability of encrypting NAS devices as early as May 2021 in underground forums. Given the vulnerability of NAS devices that are directly connected to the internet, we can expect a new wave of ransomware attacks affecting these gadgets in the future.
StealthWorker
In 2021, security researchers found brute-force attacks launched from the StealthWorker botnet on Synology NAS devices. We found multiple samples for this botnet and confirmed that newer versions are capable of brute-forcing and compromising servers running several products and systems such as WooCommerce and WordPress. This botnet is also designed to attack any web server that uses HTTP authentication, as well as other NAS devices such as QNAP. Valid credentials found during a compromise are then uploaded to the command-and-control (C&C) server, usually on port 5028/TCP.
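The two behaviours described above lend themselves to simple log-based detections: a burst of failed HTTP authentications from one source against the NAS login endpoint, and outbound TCP connections to port 5028. The following is an added example, not code from the research or from any vendor; the access-log layout, the `/login` path, the connection-log format and every address in it are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-style access log: "src - - [ts] "METHOD path proto" status bytes"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]+" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Constructed connection log: "src:port -> dst:port proto"
CONN_RE = re.compile(r'^(\S+):(\d+) -> (\S+):(\d+) (tcp|udp)$')

def failed_auth_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {src_ip: peak} for sources whose HTTP 401 responses within any
    `window`-long span reach `threshold`; a password-guessing signature."""
    failures = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group(5) == "401":
            failures[m.group(1)].append(datetime.strptime(m.group(2), TS_FMT))
    hits = {}
    for src, stamps in failures.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):          # sliding window over sorted times
            while t - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[src] = peak
    return hits

def c2_port_connections(conn_lines, port=5028):
    """Return (src, dst) pairs for outbound TCP connections to the port the
    text associates with StealthWorker credential upload (5028/TCP)."""
    flagged = []
    for line in conn_lines:
        m = CONN_RE.match(line)
        if m and m.group(5) == "tcp" and int(m.group(4)) == port:
            flagged.append((m.group(1), m.group(3)))
    return flagged

# Constructed sample data: one source hammers /login, one fails twice, one succeeds.
ACCESS_LOG = (
    ['203.0.113.7 - - [20/Jan/2022:05:30:%02d +0000] "POST /login HTTP/1.1" 401 0' % (2 * i) for i in range(8)]
    + ['198.51.100.4 - - [20/Jan/2022:05:30:%02d +0000] "POST /login HTTP/1.1" 401 0' % (30 * i) for i in range(2)]
    + ['192.0.2.10 - - [20/Jan/2022:05:31:00 +0000] "POST /login HTTP/1.1" 200 512']
)
CONN_LOG = ["10.0.0.5:49152 -> 203.0.113.7:5028 tcp",
            "10.0.0.5:49153 -> 192.0.2.50:443 tcp",
            "10.0.0.5:49154 -> 203.0.113.9:5028 udp"]

if __name__ == "__main__":
    print("brute-force sources:", failed_auth_bursts(ACCESS_LOG))
    print("possible credential upload:", c2_port_connections(CONN_LOG))
```

Port 5028 alone is a weak indicator, so the connection check is best used to corroborate a brute-force burst on the same host rather than as a stand-alone alert.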
How to protect NAS devices
Without proper security implemented in NAS devices, users and businesses will continue to be targeted since these tools can be used as entry points for information theft, malware infection, and the disruption of operations, among others. Here are some best practices to protect your systems against threats that leverage the gaps in your NAS devices:
To find more technical details, threats, insights, and recommendations for protecting your NAS device, download our research "Backing Your Backup: Defending NAS Devices Against Evolving Threats."