Significant attacks from Korea and Taiwan

[jeyare]

Today I recorded significant attacks from South Korea & Taiwan IPs only (it is still running). Over 200 IPs/hour. I haven't experienced anything like this in a long time.

I analyzed it for a while (urllib.request by Py) and found an interesting thing:
All of them have Synology DSM, available on port 5000.
So someone has already visited them successfully.

Take care!

 

[jeyare]

follow tcdump from Unifi, it is the schema of the same script source

 

[jeyare]

evaluation:
- there were +650 attempts to penetrate my primary gateway within few hours - mainly from South Korea and Taiwan, later from EU (Denmark, NL, Spain, ...)
- all of them successfully trapped and banned
- all of them came from IP addresses they had in the operation of Synology DSM in 6.x, mix of HW series
- all of them are available at HTTP, port 5000
- all of them with SSL certificate issued by Synology (5001), wrongly implemented, because: NET::ERR_CERT_AUTHORITY_INVALID
- really not just SOHO users ,
one of the NAS was operated behind SonicWALL firewall = this isn't SOHO user.
Seems to be someone has already penetrated those NASes, because it is not possible for them to get a scan to my public IP.

 

[fredbert]

Do you know how they are addressing the targets (Synology DDNS domain name, QC direct domain name, WAN IP, a.n.other name)? It could be a bulk DNS 'brute-force' guess on possible domain names, or someone has left DNS zone transfer / permits slave zones enabled with no controls. Wouldn't have to scan the destination devices to get this.

 

[jeyare]

WAN IPs

 

[fredbert]

So the WAN IPs have already been extracted from whatever source data they've used.

 

[jeyare]

but the Syno NASes relation is the interesting thing in the entire case (sources and destination)

 

[fredbert]

That's what I was thinking... attack/extract centralised data (e.g. DNS or an exposed/hacked repository) then target the NASes. If many are using dynamic WAN IP then they will more likely change but if you know the DDNS name or QC ID then they will be static for much longer. A case of knowing the names and IDs then targeting the NASes using their current IP.

 

[jeyare]

Based on knowledge, that almost half of running Syno NASes are insecurely exposed on the web:

Info - Security and your DSM setup

follow my short research: 45 588 Syno NASes accessible from WAN by standard HTTP (5000) port 54% of them have opened UPnP 7% of them have opened FTP and people are crazy with SMB1, look here check your IP and what “they” know about you at Shodan.io Our mission here is providing a knowledge...

www.synoforum.com

plus
based on consideration, that many of them use default settings of the NAS security setup
plus
based on consideration, that many of them use basic routers from ISP, even part of them "the better" routers w/o knowledge of what to do
plus
based on consideration, that people are crazy in the usage of first found docker container
plus
...
it is really the perfect foundation for the dark web creatures to spread the botnets.

 

[Edge]

Well put.