The researchers also said that the photos app, which helps users organize photos, provided easy access whether customers connected their NAS device directly to the Internet or through Synology’s QuickConnect service, which allows users to access their NAS remotely from anywhere. And once attackers find a cloud-connected Synology NAS, they can easily locate others due to the way the systems register and assign IDs.
“There are a lot of these devices that are connected to a private cloud through the QuickConnect service, and those are also exploitable, so even if you don’t expose them directly to the Internet, you can exploit (the devices) through this. It’s about millions of devices,” says Wetzels.
Researchers were able to identify cloud-connected Synology NAS devices owned by police departments in the United States and France, as well as a large number of law firms based in the United States, Canada and France, and cargo and oil tank operators in Australia and South Korea. They even found some owned by maintenance contractors in South Korea, Italy and Canada who work on power grids and in the pharmaceutical and chemical industries.
“These are companies that store corporate data… management documents, engineering documents and, in the case of law firms, perhaps files,” Wetzels says.
Researchers say ransomware and data theft aren’t the only concern with these devices: attackers could also turn infected systems into a botnet to service and hide other hacking operations, such as the huge botnet that the Volt Typhoon hackers from China had built from infected home and office routers to hide their spying operations.
Synology did not respond to a request for comment, but the company’s website posted two security notices related to the issue on October 25, calling the vulnerability “critical.” The notices, which confirmed that the vulnerability was discovered as part of the Pwn2Own contest, indicate that the company released patches for the vulnerability. However, Synology NAS devices do not have automatic update capabilities, and it is unclear how many customers are aware of the patch and have applied it. The release of the patch also makes it easier for attackers to discover the vulnerability from the patch and design an exploit to attack the devices.
“It’s not trivial to find (the vulnerability) on your own, independently,” Meijer tells WIRED, “but it’s pretty easy to figure out and connect the dots when the patch is actually released and reverse engineered.”