In a recent security investigation, researchers uncovered vulnerabilities in Synology NAS devices that could expose sensitive data stored on various cloud-connected systems. The findings reveal that users of Synology’s photo application can access their data easily, whether by directly connecting their Network Attached Storage (NAS) device to the internet or using Synology’s QuickConnect service. This service allows for remote access to NAS from any location. However, this accessibility poses risks; once an attacker compromises one cloud-connected Synology NAS, they can quickly locate and target others due to the systematic way these devices are registered and assigned identification codes.
According to the researchers, the risk is significant as many devices utilize QuickConnect, which can be exploited even if those devices are not directly exposed to the internet. Millions of these devices could be vulnerable, raising concerns about the security of data held by a range of organizations. The study identified cloud-connected Synology NAS devices linked to police departments in the United States and France, along with a variety of law firms located in the US, Canada, and France. The investigation also highlighted systems owned by freight and oil operators in Australia and South Korea, and maintenance contractors managing critical infrastructure in South Korea, Italy, and Canada.
These organizations typically store essential corporate documents, including management and engineering files, as well as case files associated with legal practices. The implications of these vulnerabilities extend beyond simple data theft; in a more severe scenario, attackers could hijack infected NAS devices to form a botnet, facilitating additional cybercriminal operations. This technique mirrors tactics employed by certain hacking groups, including those like Volt Typhoon, who have previously built massive botnets from compromised home and office routers.
While there has been no response from Synology regarding these findings, the company issued critical security advisories on its website in late October. These advisories confirmed that the vulnerabilities were discovered during the annual Pwn2Own hacking contest and indicated that patches have been developed. Notably, Synology’s NAS devices lack an automatic update feature, leaving many users unaware of the patches available and the necessity for manual application. The release of these patches also presents a new risk; attackers could reverse-engineer them to identify the vulnerabilities and formulate targeted exploits.
Expert insight indicates that while discovering the vulnerability independently may be challenging, the release of a patch significantly lowers the effort required for attackers to connect the dots and launch targeted attacks. This scenario underscores the critical importance for business owners and stakeholders in protecting their systems from potential breaches. As the cybersecurity landscape evolves, the necessity for vigilance against initial access, persistence, privilege escalation, and other tactics outlined in the MITRE ATT&CK framework becomes increasingly apparent.
In summary, the vulnerabilities found within Synology NAS devices highlight a pressing need for businesses to prioritize cybersecurity measures, ensuring that their data remains uncompromised against the backdrop of evolving threats. The responsibility lies with organizations to not only implement available updates promptly but also to cultivate a culture of security awareness that anticipates and mitigates emerging risks.
