Significant attacks from Korea and Taiwan


jeyare

Subscriber
2,021
662
NAS
Synology, TrueNAS
Operating system
  1. Linux
  2. Windows
Today I recorded significant attacks from South Korea & Taiwan IPs only (it is still running). Over 200 IPs/hour. I haven't experienced anything like this in a long time.

I analyzed it for a while (with urllib.request in Python) and found an interesting thing:
All of them have Synology DSM, available on port 5000.
So someone has already visited them successfully.

Take care!
 

jeyare

Follow the tcpdump from UniFi; it is the schema of the same script source.
 

jeyare

Evaluation:
- there were 650+ attempts to penetrate my primary gateway within a few hours, mainly from South Korea and Taiwan, later from the EU (Denmark, NL, Spain, ...)
- all of them were successfully trapped and banned
- all of them came from IP addresses that were running Synology DSM 6.x, a mix of HW series
- all of them are available over HTTP on port 5000
- all of them have an SSL certificate issued by Synology (5001), wrongly implemented, because: NET::ERR_CERT_AUTHORITY_INVALID
- really not just SOHO users :oops:,
one of the NASes was operated behind a SonicWALL firewall = this isn't a SOHO user.
It seems someone has already penetrated those NASes, because otherwise it is not possible for them to get a scan of my public IP.
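The two observations above (200+ distinct source IPs per hour in the first post, 650+ banned attempts within a few hours in this evaluation) are the kind of pattern a gateway owner can detect automatically rather than notice by hand. The following script is an added example and not code from the thread or from Synology: it parses constructed syslog-style block lines (the `fw: BLOCK src=... dst_port=... country=...` format, the hostname `gw`, the date and all IP addresses are assumptions built from documentation ranges), buckets them per hour, and flags any hour in which the number of distinct sources crosses a threshold. The country breakdown and the per-source retry counts are there so the output reads like the evaluation list above (where the traffic came from, which ports it hit).

```python
"""Rate-based detection of a distributed probing burst in a gateway ban log.

Added example (not from the forum thread). Log lines are constructed to look
like:  <ISO timestamp> <host> fw: BLOCK src=<ip> dst_port=<port> country=<CC>
The format, host name, date and IP ranges are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ fw: BLOCK "
    r"src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) dst_port=(?P<port>\d+) "
    r"country=(?P<cc>[A-Z]{2})$"
)


def parse_line(line):
    """Return a dict for a well-formed block line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
        "src": m["src"],
        "port": int(m["port"]),
        "cc": m["cc"],
    }


def distinct_sources_per_hour(events):
    """Map each clock hour to the number of distinct source IPs seen in it."""
    buckets = defaultdict(set)
    for e in events:
        buckets[e["ts"].replace(minute=0, second=0)].add(e["src"])
    return {hour: len(srcs) for hour, srcs in buckets.items()}


def flag_bursts(events, ips_per_hour=200):
    """Hours whose distinct-source count reaches the threshold (sorted)."""
    per_hour = distinct_sources_per_hour(events)
    return sorted(h for h, n in per_hour.items() if n >= ips_per_hour)


def country_breakdown(events):
    """Count blocked attempts per country code."""
    counts = defaultdict(int)
    for e in events:
        counts[e["cc"]] += 1
    return dict(counts)


def repeat_offenders(events, min_attempts=2):
    """Sources that were blocked at least min_attempts times."""
    counts = defaultdict(int)
    for e in events:
        counts[e["src"]] += 1
    return {src: n for src, n in counts.items() if n >= min_attempts}


def build_sample_log():
    """Constructed sample data (not real traffic): one burst hour, one quiet hour."""
    lines = []
    # Hour 10: 130 KR + 120 TW distinct sources, all hitting the DSM HTTP port.
    for i in range(1, 131):
        lines.append(f"2021-08-03T10:{i % 60:02d}:00 gw fw: BLOCK src=203.0.113.{i} dst_port=5000 country=KR")
    for i in range(1, 121):
        lines.append(f"2021-08-03T10:{i % 60:02d}:30 gw fw: BLOCK src=198.51.100.{i} dst_port=5000 country=TW")
    # One source coming back twice more against the HTTPS port.
    lines.append("2021-08-03T10:58:00 gw fw: BLOCK src=203.0.113.1 dst_port=5001 country=KR")
    lines.append("2021-08-03T10:59:00 gw fw: BLOCK src=203.0.113.1 dst_port=5001 country=KR")
    # Hour 11: 30 EU sources, well under the burst threshold.
    for i in range(1, 31):
        cc = "DK" if i <= 15 else "NL"
        lines.append(f"2021-08-03T11:{i:02d}:00 gw fw: BLOCK src=192.0.2.{i} dst_port=5000 country={cc}")
    # A malformed line to show that the parser skips noise instead of crashing.
    lines.append("2021-08-03T11:31:00 gw fw: ACCEPT src=192.0.2.99 dst_port=443")
    return lines


SAMPLE_EVENTS = [e for e in map(parse_line, build_sample_log()) if e]

if __name__ == "__main__":
    print("events parsed:", len(SAMPLE_EVENTS))
    print("distinct sources per hour:", distinct_sources_per_hour(SAMPLE_EVENTS))
    print("burst hours (>=200 IPs):", flag_bursts(SAMPLE_EVENTS))
    print("by country:", country_breakdown(SAMPLE_EVENTS))
    print("repeat offenders:", repeat_offenders(SAMPLE_EVENTS))
```

The threshold is deliberately a parameter: a home gateway that normally sees a handful of blocked sources an hour can alert at a much lower value than 200, and the per-country and repeat-offender views are what you would hand to an abuse contact or use to decide whether a whole range belongs in a block list.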
 

fredbert

Moderator
NAS Support
Subscriber
2,979
1,178
NAS
DS1520+, DS218+, DS215j
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
Do you know how they are addressing the targets (Synology DDNS domain name, QC direct domain name, WAN IP, a.n.other name)? It could be a bulk DNS 'brute-force' guess on possible domain names, or someone has left DNS zone transfer / permits slave zones enabled with no controls. Wouldn't have to scan the destination devices to get this.
 

fredbert

So the WAN IPs have already been extracted from whatever source data they've used.
 

jeyare

But the relation to Syno NASes is the interesting thing in the entire case (sources and destination).
 

fredbert

That's what I was thinking... attack/extract centralised data (e.g. DNS or an exposed/hacked repository) then target the NASes. If many are using dynamic WAN IP then they will more likely change but if you know the DDNS name or QC ID then they will be static for much longer. A case of knowing the names and IDs then targeting the NASes using their current IP.
 

jeyare

Based on the knowledge that almost half of the running Syno NASes are insecurely exposed on the web,
plus
based on the consideration that many of them use the default settings of the NAS security setup,
plus
based on the consideration that many of them use basic routers from their ISP, and even some of them "the better" routers without knowledge of what to do,
plus
based on the consideration that people are crazy about using the first Docker container they find,
plus
...
it is really the perfect foundation for the dark web creatures to spread botnets.
 
