The researchers also said the photo application, which helps users organize photos, provided easy access whether customers connect their NAS device directly to the internet themselves or through Synology’s QuickConnect service, which allows users to access their NAS remotely from anywhere. And once attackers find one cloud-connected Synology NAS, they can easily find others due to the way the systems get registered and assigned IDs.
“There are a lot of these devices that are connected to a private cloud through the QuickConnect service, and those are exploitable as well, so even if you don’t directly expose it to the internet, you can exploit [the devices] through this service, and that’s devices in the order of millions,” says Wetzels.
The researchers were able to identify cloud-connected Synology NASes owned by police departments in the United States and France, as well as a large number of law firms based in the US, Canada, and France, and freight and oil tanker operators in Australia and South Korea. They even found ones owned by maintenance contractors in South Korea, Italy, and Canada that work on power grids and in the pharmaceutical and chemical industries.
“These are firms that store corporate data … management documents, engineering documents and, in the case of law firms, maybe case files,” Wetzels notes.
The researchers say ransomware and data theft aren’t the only concern with these devices—attackers could also turn infected systems into a botnet to serve and conceal other hacking operations, such as the massive botnet that Volt Typhoon hackers from China had built from infected home and office routers to conceal their espionage operations.
Synology did not respond to a request for comment, but the company’s website posted two security advisories related to the issue on October 25, calling the vulnerability “critical.” The advisories, which confirmed that the vulnerability was discovered as part of the Pwn2Own contest, indicate that the company released patches for the vulnerability. Synology’s NAS devices do not have automatic update capability, however, and it’s not clear how many customers know about the patch and have applied it. With the patch released, it also becomes easier for attackers to figure out the vulnerability from the patch and design an exploit to target devices.
“It’s not trivial to find [the vulnerability] on your own, independently,” Meijer tells WIRED, “but it is pretty easy to figure out and connect the dots once the patch is actually released and you reverse-engineer the patch.”