Significant attacks from Korea and Taiwan

Today I recorded significant attacks from South Korea and Taiwan IPs only (it is still running): over 200 IPs/hour. I haven't experienced anything like this in a long time.

I analyzed it for a while (with Python's urllib.request) and found an interesting thing:
all of them have Synology DSM available on port 5000.
So someone has already visited them successfully.

Take care!
Following the tcpdump from UniFi, it is the schema of the same script source:
- there were 650+ attempts to penetrate my primary gateway within a few hours, mainly from South Korea and Taiwan, later from the EU (Denmark, NL, Spain, ...)
- all of them were successfully trapped and banned
- all of them came from IP addresses that had Synology DSM 6.x in operation, a mix of HW series
- all of them are available over HTTP on port 5000
- all of them with an SSL certificate issued by Synology (5001), wrongly implemented, because: NET::ERR_CERT_AUTHORITY_INVALID
- really not just SOHO users :oops:,
one of the NASes was operated behind a SonicWALL firewall = this isn't a SOHO user.
It seems someone has already penetrated those NASes, because otherwise it is not possible for them to be scanning my public IP.
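The two posts above describe a manual workflow: pull the banned source IPs out of the gateway log, count how many distinct IPs arrive per hour, and then fetch http://<ip>:5000/ with urllib.request to see whether a Synology DSM login page answers. The script below is an added example of that workflow and is not code from the thread. The blocked-connection log format is an assumption (not a real UniFi export), the sample lines are constructed from RFC 5737 test addresses, and the two DSM page markers (`synology`, `/webman/`) are assumed fingerprints that should be tuned against a known DSM host before being relied on.

```python
"""Triage of attacking source IPs, as described in the thread: count distinct
sources per hour from a blocked-connection log, then fingerprint each source
for a Synology DSM web UI on TCP/5000 with urllib.request.

Added example, not code from the thread.  Log format and DSM markers are
assumptions; sample log lines are constructed (RFC 5737 test addresses).
"""
import re
import socket
import urllib.error
import urllib.request
from datetime import datetime

# Constructed sample (assumed format, not a real UniFi export):
# "<ISO timestamp> BLOCK src=<ip> dst_port=<port>"
SAMPLE_LOG = """\
2021-08-20T10:02:11 BLOCK src=203.0.113.10 dst_port=22
2021-08-20T10:05:40 BLOCK src=203.0.113.10 dst_port=443
2021-08-20T10:17:02 BLOCK src=198.51.100.7 dst_port=22
2021-08-20T11:01:55 BLOCK src=192.0.2.44 dst_port=8443
2021-08-20T11:09:13 BLOCK src=203.0.113.10 dst_port=22
not a block line, should be ignored
"""

LOG_RE = re.compile(r"^(\S+) BLOCK src=(\d{1,3}(?:\.\d{1,3}){3}) dst_port=(\d+)$")

def parse_blocked(log_text):
    """Return a list of (timestamp, source_ip, dst_port) from matching lines."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))))
    return events

def distinct_sources_per_hour(events):
    """Distinct attacking IPs per hour bucket: the 'IPs/hour' figure in the post."""
    buckets = {}
    for ts, ip, _port in events:
        buckets.setdefault(ts.strftime("%Y-%m-%dT%H"), set()).add(ip)
    return {hour: len(ips) for hour, ips in sorted(buckets.items())}

def unique_sources(events):
    """Sorted list of distinct source IPs, ready to be probed."""
    return sorted({ip for _ts, ip, _port in events})

# Assumed fingerprint: a DSM login page mentions Synology and loads /webman/ assets.
# Tune against a known DSM host before relying on it.
DSM_MARKERS = (b"synology", b"/webman/")

def looks_like_dsm(body):
    """Pure check on an HTTP response body (case-insensitive, all markers required)."""
    lowered = body.lower()
    return all(marker in lowered for marker in DSM_MARKERS)

def probe_dsm(ip, port=5000, timeout=4.0):
    """Fetch http://<ip>:5000/ and classify: 'dsm', 'other-http' or 'closed'.
    Network call; nothing here runs at import time."""
    req = urllib.request.Request(f"http://{ip}:{port}/",
                                 headers={"User-Agent": "dsm-triage/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return "dsm" if looks_like_dsm(resp.read(65536)) else "other-http"
    except urllib.error.HTTPError as err:
        # 4xx/5xx still prove an HTTP listener; the error body may carry the markers.
        return "dsm" if looks_like_dsm(err.read() or b"") else "other-http"
    except (urllib.error.URLError, socket.timeout, OSError):
        return "closed"

def triage(log_text):
    """Parse the log and probe every distinct source; returns {ip: verdict}."""
    events = parse_blocked(log_text)
    return {ip: probe_dsm(ip) for ip in unique_sources(events)}

if __name__ == "__main__":
    evts = parse_blocked(SAMPLE_LOG)
    print("distinct IPs per hour:", distinct_sources_per_hour(evts))
    # Uncomment to probe real sources; the RFC 5737 sample addresses will show as 'closed'.
    # print(triage(SAMPLE_LOG))
```

The body check is kept separate from the network fetch so the fingerprint can be tested against saved responses without touching the hosts, and the probe only sends a single plain GET with a short timeout, since the point is to recognise an exposed management UI, not to interact with it. Confirming the 5001 certificate observation from the post would need a DER parser for the peer certificate, which the standard library does not provide, so that step is left to a dedicated TLS tool.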
Do you know how they are addressing the targets (Synology DDNS domain name, QC direct domain name, WAN IP, another name)? It could be a bulk DNS 'brute-force' guess on possible domain names, or someone has left DNS zone transfer / slave zones permitted with no controls. They wouldn't have to scan the destination devices to get this.
But the Syno NAS relation is the interesting thing in the entire case (sources and destination).
That's what I was thinking... attack/extract centralised data (e.g. DNS or an exposed/hacked repository), then target the NASes. If many are using a dynamic WAN IP then it will more likely change, but if you know the DDNS name or QC ID then those will be static for much longer. A case of knowing the names and IDs, then targeting the NASes using their current IP.
Based on the knowledge that almost half of the running Syno NASes are insecurely exposed on the web,
based on the consideration that many of them use the default settings of the NAS security setup,
based on the consideration that many of them use basic routers from their ISP, and even some of "the better" routers without knowledge of what to do,
based on the consideration that people are crazy in their usage of the first docker container they find,
it is really the perfect foundation for the dark web creatures to spread their botnets.

This is an unofficial Synology forum for NAS owners and enthusiasts.
