A widely used storage device and its bundled application, which serve millions of individuals and businesses globally for document storage, have been found to contain a zero-click vulnerability, as disclosed by a team of researchers from the Netherlands.
The flaw is termed zero-click because it requires no action from the user to trigger the compromise. It affects a photo application that comes preinstalled on certain network-attached storage (NAS) devices from the Taiwanese company Synology. The vulnerability could allow attackers to break into these devices and steal personal and corporate documents, install a backdoor, or deploy ransomware that locks users out of their data.
The Synology Photos application package is installed and enabled automatically on Synology’s BeeStation storage devices, and it is also commonly used by owners of its DiskStation systems, which offer expandable storage. In recent years, several ransomware groups have specifically targeted NAS devices from Synology and other manufacturers, with attacks dating back to at least 2019. Earlier this year, users of Synology’s DiskStation systems reported ransomware attacks.
Rick de Jager, a security expert from Midnight Blue in the Netherlands, uncovered this vulnerability in just two hours during the Pwn2Own hacking contest in Ireland. Along with his colleagues Carlo Meijer, Wouter Bokslag, and Jos Wetzels, he scanned internet-connected devices and found that hundreds of thousands of Synology NAS devices are online and susceptible to this vulnerability. They warn that millions more devices may also be at risk and exposed to the attack.
Last week, the Pwn2Own organizers, together with the researchers, informed Synology of the vulnerability.
Network-attached storage systems are prime targets for ransomware operators because they hold large amounts of data. Many users connect these systems directly to the internet or use Synology’s cloud service for online backups. The researchers told WIRED that while these systems can be placed behind a gateway that requires sign-in credentials, the part of the photo application that contains the zero-click vulnerability does not require authentication. An attacker can therefore exploit the flaw over the internet without bypassing any gateway, gaining root access to deploy and run malicious code on the device.
The researchers noted that the photo application, which helps users organize their photos, is just as reachable whether users connect their NAS device to the internet directly or through Synology’s QuickConnect service, which lets users reach their NAS remotely from anywhere. Once attackers find one cloud-connected Synology NAS, they can readily find others, because the systems are registered and assigned IDs in a specific manner.
“There are many of these devices linked to a private cloud via the QuickConnect service, making them vulnerable as well. So even if you don’t expose it directly to the internet, you can exploit these devices through this service, affecting millions of devices,” explains Wetzels.
The researchers managed to pinpoint cloud-connected Synology NAS devices operated by police departments in the United States and France. They also identified numerous law firms based in the US, Canada, and France, as well as freight and oil transportation companies in Australia and South Korea. Surprisingly, they discovered devices owned by maintenance contractors in South Korea, Italy, and Canada, who are involved in managing power grids along with the pharmaceutical and chemical sectors.
“These are organizations that store corporate data… management documents, engineering files, and in the case of law firms, potentially case files,” Wetzels highlights.
The researchers warn that ransomware and data theft are not the only risks posed by these devices. Attackers could convert compromised systems into a botnet, which could facilitate and hide other hacking activities, similar to a large botnet that Volt Typhoon hackers from China developed using infected home and office routers to obscure their espionage actions.
Synology did not respond to a media inquiry, but the company’s website published two security advisories about the issue on October 25, rating the vulnerability “critical.” The advisories acknowledged that the vulnerability was found during the Pwn2Own contest and stated that patches had been released to fix it. However, Synology’s NAS devices lack an automatic update feature, so it is unclear how many users know about the patch and have applied it. Now that the patch is public, it also gives attackers an easier path to understanding the vulnerability and building an exploit against unpatched devices.
“It’s not trivial to discover [the vulnerability] independently,” Meijer explains to WIRED, “but once the patch is released, it becomes relatively straightforward to analyze and piece together the information by reverse-engineering the patch.”