Researchers have reported that a photo application designed to help users organize their photos is readily reachable on devices whose owners connect their Network Attached Storage (NAS) directly to the internet or via Synology’s QuickConnect service, which lets users access their NAS remotely from any location. Once attackers discover one cloud-connected Synology NAS, they can easily locate others because of the way the systems are registered and assigned IDs.
According to Wetzels, numerous devices are linked to a private cloud through the QuickConnect service, making them exploitable. This means that even if the devices aren’t directly exposed to the internet, they can be compromised through this service, which affects millions of devices.
The researchers successfully identified cloud-connected Synology NAS devices owned by police departments in the United States and France. In addition, several law firms in the US, Canada, and France, as well as freight and oil tank operators in Australia and South Korea, were found to own such devices. Maintenance contractors in South Korea, Italy, and Canada, which work on power grids and in the pharmaceutical and chemical industries, also have these devices.
Wetzels pointed out that these firms store sensitive corporate data, including management and engineering documents, and potentially case files in the case of law firms.
The researchers noted that apart from concerns about ransomware and data theft, attackers could also transform infected systems into a botnet. This could be used to support and conceal other hacking operations, akin to a significant botnet constructed by Volt Typhoon hackers from China, which involved infected home and office routers.
Although Synology did not respond to a request for comment, the company’s website published two security advisories regarding the issue on October 25, labeling the vulnerability as “critical.” These advisories, which confirmed that the vulnerability was found as part of the Pwn2Own contest, indicated that the company had released patches to address it. However, Synology’s NAS devices lack automatic update capabilities, and it is unclear how many customers are aware of the patch and have applied it. Now that the patch is available, attackers could more easily work out the vulnerability from it and craft an exploit to target unpatched devices.
Meijer informed WIRED that independently identifying the vulnerability is not straightforward, but reverse-engineering the patch makes it relatively easy to discern and connect the dots.