close
close
darbo

The Zero-Click flaw exposes potentially millions of popular storage devices to attack

Posted on by Nargang
The Zero-Click flaw exposes potentially millions of popular storage devices to attack

The researchers also said that the photo app, which helps users organize photos, provides easy access whether customers connect their NAS directly to the Internet themselves or through Synology’s QuickConnect service, which allows users to access their NAS remotely from anywhere. And once attackers find a cloud-connected Synology NAS, they can easily locate others thanks to the way the systems are registered and assigned IDs.

“There are a lot of these devices that are connected to a private cloud through the QuickConnect service, and they’re also exploitable, so even if you don’t expose them directly to the Internet, you can exploit (the devices) through this service, and these are devices in the millions,” says Wetzels.

The researchers were able to identify cloud-connected Synology NAS owned by police departments in the United States and France, as well as a large number of law firms based in the US, Canada and France, as well as freight and tanker operators of oil from Australia and South Korea. They even found some owned by maintenance contractors from South Korea, Italy and Canada who work on power grids and in the pharmaceutical and chemical industries.

“These are firms that store corporate data … management documents, engineering documents and, in the case of law firms, maybe case files,” notes Wetzels.

Researchers say ransomware and data theft aren’t the only problem with these devices — attackers could also turn infected systems into a botnet to serve and hide other hacking operations, such as a massive botnet that China’s Volt Typhoon hackers they built from infected home and office routers to hide their spying operations.

Synology did not respond to a request for comment, but the company’s website posted two security notices related to the issue on October 25, calling the vulnerability “critical”. The notices, which confirmed that the vulnerability was discovered as part of Pwn2Own contest, indicates that the company has released patches for the vulnerability. However, Synology’s NAS devices do not have auto-update capability, and it’s unclear how many customers know about the patch and have applied it. With the release of the patch, it is now easier for attackers to discover the vulnerability in the patch and design an exploit for the target devices.

“It’s not trivial to find (the vulnerability) on your own, independently,” Meijer tells WIRED, “but it’s pretty easy to figure it out and connect the dots when the patch is actually released and you reverse engineer engineering.”