UPDATE: 10/10/2022 - Reports on social media indicate an elevated level of brute-force attacks against Synology NAS users. Be sure to read the "What should I do?" section below for some quick pointers on how to harden your box.

At the moment Synology has not officially reported an attack, and it is not known which potential exploit is being targeted. Stay alert and follow the steps listed below.

UPDATE: 10/10/2022 18:00 CEST - Synology support has received tickets about this attack and HQ is currently investigating. There is still no official status about it. It does seem like a larger botnet is brute-forcing a big list of Synology NAS devices, but that is already apparent.

UPDATE: 10/08/2021 - Looks like both Synology and QNAP NAS devices are now under attack by the eCh0raix ransomware variant. More info at Palo Alto Networks Unit 42.

Today, August 4th, 2021, Synology issued a statement about an ongoing brute-force attack against NAS users.

Full news report here.

Taipei, Taiwan—August 4, 2021—Synology PSIRT (Product Security Incident Response Team) has recently seen and received reports on an increase in brute-force attacks against Synology devices. Synology's security researchers believe the botnet is primarily driven by a malware family called "StealthWorker." At present, Synology PSIRT has seen no indication of the malware exploiting any software vulnerabilities.

These attacks leverage a number of already infected devices to try and guess common administrative credentials, and if successful, will access the system to install its malicious payload, which may include ransomware. Devices infected may carry out additional attacks on other Linux based devices, including Synology NAS.

Synology PSIRT is working with relevant CERT organizations to find out more about and shut down known C&C (command and control) servers behind the malware. Synology is simultaneously notifying potentially affected customers.

Synology strongly advises all system administrators to examine their systems for weak administrative credentials, to enable auto block and account protection, and set up multi-step authentication where applicable.

System administrators that have found suspicious activity on their devices should reach out to Synology technical support immediately.

What should I do?

First things first. Follow best practices.

  1. Turn off the Admin account
  2. Use long, complex passwords for your accounts, or the new Secure SignIn
  3. Use two-factor authentication for your accounts
  4. Use the auto-block feature
  5. Configure your firewall to best protect any exposed services
  6. Change the default NAS ports
  7. Close any ports on your router leading to your NAS that you do not need or use, and use HTTPS access for the services that you do have exposed
  8. Close the SSH (22) port if you have it exposed
  9. Configure and use a VPN to access your NAS from outside your LAN if needed
  10. Stay up to date with your apps and DSM

Accessing your NAS from the outside is best executed using a VPN. To learn more about how to set up an incoming VPN to your NAS (and LAN), read up on it in this article.

Some 101 elements when it comes to the hardening and security of your NAS can be found in module 5 of Syno101.

In case your NAS is reporting attacks from the outside (probably on port 22, the default SSH port), make sure to close it down, or change its value to a non-default one.
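To see what such reports look like in aggregate, here is an added example (not part of the original article or any Synology tooling) that summarizes failed SSH logins per source address and per targeted account. It assumes the log lines follow the stock OpenSSH sshd format; the sample lines are constructed, and the function name and thresholds are illustrative. Counting distinct addresses per account matters here because a botnet spreads its guesses across many infected devices, so per-address counts alone can stay low.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the stock OpenSSH sshd format (assumption: your
# NAS or syslog server records SSH failures this way). All public addresses
# below come from reserved documentation ranges.
SAMPLE_LOG = """\
Aug  4 09:12:01 nas sshd[2101]: Failed password for admin from 203.0.113.7 port 51122 ssh2
Aug  4 09:12:03 nas sshd[2103]: Failed password for admin from 203.0.113.7 port 51130 ssh2
Aug  4 09:12:05 nas sshd[2105]: Failed password for admin from 203.0.113.7 port 51144 ssh2
Aug  4 09:12:09 nas sshd[2110]: Failed password for invalid user root from 198.51.100.23 port 40211 ssh2
Aug  4 09:12:14 nas sshd[2114]: Failed password for admin from 198.51.100.23 port 40250 ssh2
Aug  4 09:12:20 nas sshd[2120]: Failed password for admin from 192.0.2.55 port 33901 ssh2
Aug  4 09:13:02 nas sshd[2131]: Accepted password for backupuser from 192.168.1.20 port 50022 ssh2
Aug  4 09:13:40 nas sshd[2140]: Failed password for invalid user guest from 192.0.2.99 port 47110 ssh2
"""

# Matches failures for both existing and non-existing ("invalid user") accounts.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def summarize(log_text, per_ip_limit=3, distinct_ip_limit=3):
    """Count failed logins per address and flag accounts hit from many addresses."""
    per_ip = Counter()
    ips_per_user = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        per_ip[m["ip"]] += 1
        ips_per_user[m["user"]].add(m["ip"])
    return {
        "failures_per_ip": dict(per_ip),
        # Single noisy sources: the pattern a per-address block rule catches.
        "noisy_ips": sorted(ip for ip, n in per_ip.items() if n >= per_ip_limit),
        # Accounts guessed from many sources: the distributed pattern.
        "targeted_users": sorted(
            u for u, ips in ips_per_user.items() if len(ips) >= distinct_ip_limit
        ),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("Failures per address:", report["failures_per_ip"])
    print("Addresses over the limit:", report["noisy_ips"])
    print("Accounts targeted from many addresses:", report["targeted_users"])
```

An account that shows up under the last heading is a good candidate for the first three items of the checklist above: disable it if it is the default one, and make sure the rest have strong passwords and two-factor authentication.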

Considering there is a mention of ransomware being pushed in this particular attack, be sure to have all your data backed up (either using Hyper Backup or Snapshot Replication), and make sure that the backups are current and working. In case of potential ransomware, this will be the quickest and safest way to get your data back, not to mention the cheapest.

For some general official guidance, be sure to check the official KB article here:

What can I do to enhance the security of my Synology NAS? - Synology Knowledge Center