Cybersecurity and IoT company Claroty discovered a vulnerability in WD (Western Digital) and Synology network-attached storage (NAS) devices. The vulnerability was demonstrated at Zero Day Initiative's Pwn2Own Toronto 2022 event.
If it had fallen into the hands of malicious individuals, the vulnerability could have exposed the files of millions of users. Sounds terrible, doesn’t it?
Luckily, it didn't get into the hands of malicious persons, and both WD and Synology promptly released patches for the discovered vulnerabilities.
This article discusses the discovered vulnerabilities, offers a brief overview of preventive measures that users can take, and briefly explains how BDRSuite can help you back up data to both onsite and offsite locations.
A Few Words About Vulnerability
WD and Synology NAS devices can be registered with the WD and Synology cloud services and then accessed over the Internet. The data remains on-site while being made available and accessed via the Internet.
WD uses a cloud service known as MyCloud OS5, and Synology uses a cloud service called QuickConnect.
According to Claroty, their initial approach involved trying to understand WD and Synology devices by seeking answers to the following questions:
- What features does the device have?
- How do users interact with the device?
- What open services does the device expose?
- What internet services does the device connect to?
- What is the trust model in place on the system?
They identified a weakness: by targeting the cloud-based communication channels, they could impersonate devices and redirect users to devices they controlled instead of the genuine ones. This approach allowed them to gain access to devices via MyCloud OS5 and QuickConnect.
From there, an attacker could exploit additional vulnerabilities, access data, remotely execute code on the devices, and even attain full control of the NAS, including the ability to change credentials, create new users, and more.
In their lab, Claroty used the WD PR4100 and the Synology DS920+. They published a detailed overview of the attack in August 2023. If you want to read the details, see A Pain in the NAS: Exploiting Cloud Connectivity to PWN your NAS: WD PR4100 Edition and A Pain in the NAS: Exploiting Cloud Connectivity to PWN your NAS: Synology DS920+ Edition.
According to Claroty, millions of WD and Synology devices were vulnerable to this attack.
Whose fault is this, the vendor’s or the end user’s?
This is clearly a vulnerability that falls under the vendor's responsibility, not the end user's. Thanks to Claroty and the quick response from both WD and Synology, patches were released and, starting from March 2023, affected devices that are not patched are banned from connecting to the cloud.
Once a patch is released, it is the end user's responsibility to update and patch the storage devices. Keeping devices updated and fully patched is one of the most important preventive measures. You can read more about this in the section What actions can an IT Admin take?
Potential Consequences
Imagine if data fell into the hands of malicious individuals or groups. What could happen?
If that had happened, attackers could read, sell, or expose the data publicly. Such exposure could jeopardize organizations’ projects and plans, potentially leading them to consider switching to another storage vendor. Consequently, WD and Synology could lose customers.
Additionally, since this vulnerability gave the attacker the ability to run code, they could encrypt your data with ransomware, putting you in a very precarious position. In general, when you are infected by ransomware, you'll find a ransom note from the attacker with instructions on how to pay in Bitcoin to decrypt your data. If you don't pay, your data could be exposed or destroyed.
A preventive measure to secure your data is to create and store copies in different locations, with at least one of them offsite, for example in the cloud. This is where BDRSuite, a powerful backup solution, comes into play. You can read more about it in the next sections.
What actions can an IT Admin take?
In this case, the vulnerability was found in the device itself, not in the user's configuration. If you didn't have storage devices registered with MyCloud OS5 or Synology QuickConnect, you weren't affected by this vulnerability. So, before registering your NAS devices with a cloud service, ask yourself if you really need to do so.
If you had been aware of this vulnerability, the only action you could have taken would have been to deregister your devices from MyCloud OS5 and QuickConnect. However, that requires knowing about the vulnerability, and since it was a zero-day, you couldn't have known.
To share some of the practices that can, in general, help you strengthen the security of your devices, here are five of them.
Firstly, ensure that your storage devices, regardless of vendor, are always updated and fully patched with the latest security fixes. Keeping them updated reduces the risk of a successful attack.
Secondly, many storage devices have been compromised because weak credentials were used. To enhance security, enforce password complexity and implement multi-factor authentication.
Thirdly, disable any unused services and ports. For instance, if you don't use FTP, consider removing it. Any open port or service that you don't use is a potential attack point.
Fourthly, stay informed about security news by subscribing to vendor newsletters and reading blog posts. Additionally, check various security portals. We also recommend subscribing to our blog, where we address cybersecurity topics related to backup.
And finally, don't forget to encrypt and back up your data.
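The "disable unused services and ports" practice is easiest to keep up when the check is scripted and run after every firmware update. The following Python script is an added example written for this article; it is not code from the original post, from BDRSuite, or from WD or Synology. It parses the listening-socket listing in the layout of `ss -tlnp` (most NAS firmware is Linux-based and ships `ss` or `netstat`), skips loopback-only sockets, flags legacy cleartext services such as FTP and Telnet, and flags any other exposed port that is not on an allow-list you maintain. The sample listing, the allow-list, and the file name `audit_ports.py` are all constructed assumptions for the example.

```python
"""Audit a NAS-style Linux host's listening TCP sockets against an allow-list.

Added example for this article (not from the original post, BDRSuite, WD or
Synology). The sample `ss -tlnp` output below is constructed. On a real host:
    ss -tlnp | python3 audit_ports.py      # assumed file name
"""
import re
import sys

# Ports the administrator has decided this NAS must expose (constructed
# allow-list for the example; adjust to your own environment).
ALLOWED_PORTS = {22: "ssh", 443: "https", 445: "smb", 5001: "dsm-https"}

# Legacy or cleartext services that should normally be disabled on a NAS.
LEGACY_CLEARTEXT = {21: "ftp", 23: "telnet", 69: "tftp", 80: "http", 139: "netbios-ssn"}

# Constructed sample in `ss -tlnp` layout.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=612,fd=3))
LISTEN  0       50      0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=701,fd=4))
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=812,fd=10))
LISTEN  0       128     *:445                *:*                users:(("smbd",pid=905,fd=30))
LISTEN  0       128     0.0.0.0:5001         0.0.0.0:*          users:(("nginx",pid=950,fd=8))
LISTEN  0       64      0.0.0.0:8080         0.0.0.0:*          users:(("python3",pid=1203,fd=5))
"""

SOCKET_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s*(.*)$")
PROC_RE = re.compile(r'\(\("([^"]+)"')


def parse_listeners(ss_output):
    """Return a list of (bind_address, port, process_name) for each LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        m = SOCKET_RE.match(line)
        if not m:
            continue  # header line or a non-LISTEN socket
        addr, port, rest = m.group(1), int(m.group(2)), m.group(3)
        proc = PROC_RE.search(rest)
        listeners.append((addr, port, proc.group(1) if proc else "?"))
    return listeners


def is_exposed(addr):
    """True when the socket is reachable from other hosts (not loopback-only)."""
    return not (addr.startswith("127.") or addr in ("::1", "[::1]"))


def audit(ss_output, allowed=ALLOWED_PORTS):
    """Return findings as (severity, port, process, reason) tuples."""
    findings = []
    for addr, port, proc in parse_listeners(ss_output):
        if not is_exposed(addr):
            continue  # loopback-only sockets are not remotely reachable
        if port in LEGACY_CLEARTEXT:
            findings.append(("high", port, proc,
                             f"{LEGACY_CLEARTEXT[port]} is a legacy/cleartext service; disable it"))
        elif port not in allowed:
            findings.append(("medium", port, proc,
                             "exposed port is not on the allow-list; disable or document it"))
    return findings


if __name__ == "__main__":
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    for sev, port, proc, reason in audit(raw or SAMPLE_SS_OUTPUT):
        print(f"[{sev}] port {port} ({proc}): {reason}")
```

On the constructed sample the script reports the FTP daemon on port 21 as high severity and the unknown listener on 8080 as medium, while SSH, SMB and the DSM-style HTTPS port pass because they are on the allow-list and the MySQL socket is ignored because it is bound to loopback. Keeping the allow-list in version control turns "disable unused services" from a one-time cleanup into a repeatable check.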
How BDRSuite Can Help You
While BDRSuite can't patch your WD or Synology device for you, smart usage of BDRSuite can keep you out of a situation where the only copy of your data sits on vulnerable devices.
BDRSuite is a backup solution developed by Vembu Technologies. It includes all the powerful backup features you can imagine, and it helps you back up your data to onsite locations, such as WD, Synology, or other vendors' storage devices, as well as to offsite locations such as the cloud.
Creating an offsite copy is the process of establishing disaster recovery at a remote location. You can store your data on a local machine at a remote site, or you can store it in the cloud, including private, public, hybrid, or the BDRSuite cloud. Yes, you heard it right – if you don’t have your own cloud, we provide you with ours.
Several key features are included in the offsite copy:
- Instant VM Boot: This feature allows you to recover your virtual machine instantly without any downtime
- Where It Left Off: This smart feature can resume offsite backups from where they left off during the last schedule. In the next run, BDRSuite doesn’t upload the entire file but continues from where it left off
- Secure Data Transfer and Storage: BDRSuite uses AES-256 encryption to transfer and secure your data
- WAN Acceleration: This feature helps optimize data transfer over your Wide Area Network (WAN)
- Bandwidth Throttling: It allows you to control bandwidth consumption and set bandwidth limits
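To make the "Where It Left Off" idea concrete, here is an added illustration written for this article. It is not BDRSuite's own code or algorithm, and it makes no claim about how BDRSuite implements the feature; it just shows the general mechanism a resumable offsite copy relies on. The file is transferred in fixed-size chunks; after each chunk is safely written, a small JSON checkpoint records how many chunks are complete and a per-chunk SHA-256 manifest. A later run reads the checkpoint and continues from the next chunk instead of resending the whole file, and a final whole-file hash comparison confirms the offsite copy is intact. The chunk size, file names and the `max_chunks` parameter (used only to simulate an interrupted schedule) are constructed for the example; encryption is deliberately left out because the Python standard library has no AES, and a real tool would encrypt each chunk before it leaves the site.

```python
"""Resumable, verified chunked copy: an added example for this article,
not BDRSuite's code. Demonstrates the "resume where it left off" mechanism
with a checkpoint file and a per-chunk hash manifest (stdlib only, no AES).
"""
import hashlib
import json
import os
import tempfile

CHUNK_SIZE = 64 * 1024  # constructed value; real tools use larger chunks


def sha256_file(path):
    """SHA-256 of a whole file, streamed so large files don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def load_checkpoint(path):
    """Read the progress record, or start fresh if there is none."""
    if os.path.exists(path):
        with open(path) as f:
            return json.load(f)
    return {"done_chunks": 0, "chunk_hashes": []}


def save_checkpoint(path, state):
    """Write-then-rename so a crash mid-write never leaves a truncated checkpoint."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        json.dump(state, f)
    os.replace(tmp, path)


def resumable_copy(src, dst, checkpoint, chunk_size=CHUNK_SIZE, max_chunks=None):
    """Copy src to dst chunk by chunk, resuming from the checkpoint.

    max_chunks caps how many chunks this run transfers; it exists only to
    simulate an interrupted schedule. Returns the chunks transferred this run.
    """
    state = load_checkpoint(checkpoint)
    start = state["done_chunks"]
    transferred = 0
    mode = "r+b" if os.path.exists(dst) else "wb"  # never truncate a partial copy
    with open(src, "rb") as fin, open(dst, mode) as fout:
        fin.seek(start * chunk_size)
        fout.seek(start * chunk_size)
        while max_chunks is None or transferred < max_chunks:
            chunk = fin.read(chunk_size)
            if not chunk:
                break  # end of source file
            fout.write(chunk)
            fout.flush()
            os.fsync(fout.fileno())  # data is on disk before we claim it done
            state["done_chunks"] += 1
            state["chunk_hashes"].append(hashlib.sha256(chunk).hexdigest())
            save_checkpoint(checkpoint, state)
            transferred += 1
    return transferred


def verify_copy(src, dst):
    """True when the offsite copy is byte-identical to the source."""
    return sha256_file(src) == sha256_file(dst)


def demo():
    """Simulate a schedule cut off after 3 chunks, then a run that resumes it.

    Returns (chunks in first run, chunks in second run, copy verified?).
    """
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "vm.vmdk")        # constructed sample data
        dst = os.path.join(d, "offsite.vmdk")
        ckpt = os.path.join(d, "offsite.ckpt")
        with open(src, "wb") as f:
            f.write(os.urandom(CHUNK_SIZE * 10 + 123))  # 11 chunks, last partial
        first = resumable_copy(src, dst, ckpt, max_chunks=3)
        second = resumable_copy(src, dst, ckpt)
        return first, second, verify_copy(src, dst)


if __name__ == "__main__":
    print(demo())
```

Two details carry the security value here: the checkpoint is only advanced after the chunk has been fsynced, so a resumed run can never skip data that was never written, and the final hash comparison catches a copy that was silently corrupted in transit or at rest. The same manifest of chunk hashes is what lets a backup tool detect tampering with an offsite copy before you rely on it for recovery.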
Cloud backup
Cloud backup with BDRSuite ensures that your data is safe from on-premises storage issues, such as hardware failures, theft, natural disasters, and more. Cloud backup is also more scalable than on-premises solutions and can easily expand as your data increases.
All you need is an internet connection and integration of BDRSuite with your chosen public cloud provider. BDRSuite supports Amazon S3, Microsoft Azure Blob Storage, Google Cloud, and S3-compatible object storage such as Wasabi and MinIO.
S3-compatible storage implements the Amazon S3 API, so any application that understands the S3 API can plug into it.
In practice, this means that if you are backing up a virtual Windows machine, you would back it up on-premises and create an additional copy in the cloud. If you'd like to learn more about the other supported cloud options, see the Cloud Backup Software page.
You can also read more on our blog.
Conclusion
Claroty discovered vulnerabilities in WD and Synology storage devices by emulating and impersonating them to gain full remote access. This issue was on the vendor's side, and fortunately the vulnerability didn't fall into the hands of malicious individuals. Both WD and Synology have released patches for their devices.
Now, from the perspective of users like us, there are several actions we can take. First and foremost, we should stay informed about any discovered exploits. Additionally, we must ensure that our devices are fully patched, use strong credentials, encrypt our data, disable all unused services and ports, and keep ourselves informed about security news related to our storage devices.
Remember, your data requires proper backup. We strongly recommend BDRSuite for this purpose, as it can help you perform backups not only to on-premises devices like WD, but also to the cloud. This way, even if an attacker encrypts the data on your WD or Synology NAS, you still have a copy in the cloud.
BDRSuite supports different cloud object storage repositories, including Amazon S3, Microsoft Azure Blob Storage, Google Cloud, and other S3-compatible storage such as Wasabi and MinIO.
Give it a chance. Try BDRSuite.