Zero-Click vulnerability potentially leaves millions of popular storage devices vulnerable to attack

The researchers also said that the photo app, which helps users organize photos, provides easy access whether customers connect their NAS device directly to the Internet or through Synology’s QuickConnect service, which allows users to remotely access their NAS from anywhere. And once attackers find one cloud-connected Synology NAS, they can easily find others thanks to the way systems are registered and assigned IDs.

“Many of these devices are connected to the private cloud through the QuickConnect service, and they can also be used for hacking, so even if you don’t provide Internet access directly, you can use (the devices) through that service, and this is about millions of devices,” says Wetzels.

The researchers were able to identify cloud-connected Synology NAS servers belonging to police departments in the US and France, a large number of law firms based in the US, Canada and France, and cargo and oil tank operators in Australia, France and South Korea. They even found facilities owned by maintenance contractors in South Korea, Italy and Canada who work on the electrical grid and in the pharmaceutical and chemical industries.

“These are firms that store corporate data… management documents, technical documentation and, in the case of law firms, perhaps case files,” Wetzels notes.

Researchers say ransomware and data theft aren’t the only problem with these devices: attackers can also turn infected systems into a botnet to serve and hide other hacking operations, such as the massive botnet that Volt Typhoon hackers in China created from infected home and office routers to hide their spying operations.

Synology did not respond to a request for comment, but on October 25, two security advisories related to the issue were published on the company’s website, calling the vulnerability “critical.” The advisories, which confirm that the vulnerability was discovered as part of the Pwn2Own competition, indicate that the company has released patches for the vulnerability. However, Synology NAS devices do not have automatic update capabilities, and it is unclear how many customers are aware of the fix and have applied it. Now that the patch has been released, it is also easier for attackers to identify the vulnerability from the patch and develop an exploit for target devices.

“It’s not easy to find (the vulnerability) on your own, independently,” Meyer tells WIRED, “but it’s pretty easy to figure out and connect the dots once the patch is actually released and you reverse engineer it.”