Synology NAS access attempts using Admin from the internet

Since 8/1/2021 I have seen a number of access attempts to user Admin on my Synology NAS all coming from IP addresses in Virginia using the same Microsoft ISP network…
Googling the IP addresses you find a number of others reporting it also.
Reason I’m adding this here is that NAS is only used for Plex. The NAS has blocked those IP addresses because of failed attempts.

Just wondering if other Plex users are seeing the same thing?

I’m still trying to figure out how they managed to get to the NAS login prompt since it’s not directly exposed to the internet, any insight into this would be useful.


Not possible…

Not possible, they are used only for Plex and only make connections through Plex services. I run both antivirus and malware checks on the servers, PCs and network 24/7… The NASes are locked from the internet on their own subnet. I also have a tap that traps all unrecognized IP addresses and does an automatic route trace and other cybersecurity scans.

The purpose of the post was to see how many others have seen this hacking attempt.

Thanks @trumpy81 for your thoughts…

@nydave69

If I may augment here by sharing how I secure my end?

  1. From my Plex logs, I can see the IP addresses of Plex’s servers which service my account.

  2. I know the DDNS name, FQDN name, or discrete IP address/subnet for those I share with.

  3. I have created a “Pass” rule in my router firewall (the pfSense) which allows only those entries to reach my server at the specified remote access port which I’ve manually set.

  4. Now, only those addresses can access that port which is then port forwarded through the NAT to the server.

It’s a very strict / tight implementation.

You can verify it’s working because,

  1. You set the manual port
  2. Enable Remote access – turns green momentarily (initial test)
  3. Watch it turn red because not all the Plex servers have been updated with the specific port.
  4. Come back in a few minutes and look at (don’t touch) the “Remote Access” page.
  5. If you’ve done it right, it will be green (working) and remain that way.
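
An added example, not part of the original post and not pfSense's own code: a small Python model of the pass rule described in steps 1 to 4 of the post above (listed sources may reach the one forwarded port, everything else is blocked). The port number and all addresses are constructed placeholders taken from documentation ranges.

```python
import ipaddress
from collections import Counter

# Constructed values (documentation address ranges), not taken from the thread.
REMOTE_ACCESS_PORT = 23400  # hypothetical manually chosen Plex remote-access port
ALLOWED_SOURCES = [
    "192.0.2.0/28",      # stands in for Plex server addresses seen in the Plex logs
    "198.51.100.25/32",  # stands in for a shared user's address (e.g. resolved from DDNS)
]
ALLOWED_NETS = [ipaddress.ip_network(s) for s in ALLOWED_SOURCES]


def decide(src_ip: str, dst_port: int) -> str:
    """Return 'pass' only for an allowed source on the forwarded port, else 'block'."""
    if dst_port != REMOTE_ACCESS_PORT:
        return "block"  # no other port is forwarded through the NAT
    addr = ipaddress.ip_address(src_ip)
    if any(addr in net for net in ALLOWED_NETS):
        return "pass"
    return "block"  # default deny for every source not on the list


def blocked_summary(attempts):
    """Count blocked attempts per source so repeated probing stands out."""
    return Counter(src for src, port in attempts if decide(src, port) == "block")


# Constructed inbound connection attempts: (source IP, destination port)
SAMPLE_ATTEMPTS = [
    ("192.0.2.5", 23400),      # allowed Plex server on the forwarded port
    ("198.51.100.25", 23400),  # allowed shared user on the forwarded port
    ("203.0.113.77", 23400),   # unlisted source on the forwarded port
    ("203.0.113.77", 5001),    # unlisted source trying another port
    ("192.0.2.5", 5001),       # listed source, but the port is not forwarded
]

if __name__ == "__main__":
    for src, port in SAMPLE_ATTEMPTS:
        print(f"{src}:{port} -> {decide(src, port)}")
    print(blocked_summary(SAMPLE_ATTEMPTS).most_common())
```
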

I had the same issue a while back. It all went away when I disabled the admin account and set firewall rules on my NAS for only the IP addresses that need access outside my network.

And if you need another reason to tighten access, a botnet is targeting Synology NAS.

Synology® Investigates Ongoing Brute-Force Attacks From Botnet

Taipei, Taiwan—August 4, 2021—Synology PSIRT (Product Security Incident Response Team) has recently seen and received reports on an increase in brute-force attacks against Synology devices. Synology’s security researchers believe the botnet is primarily driven by a malware family called “StealthWorker.” At present, Synology PSIRT has seen no indication of the malware exploiting any software vulnerabilities.

Synology warns of malware infecting NAS devices with ransomware

Taiwan-based NAS maker Synology has warned customers that the StealthWorker botnet is targeting their network-attached storage devices in ongoing brute-force attacks that lead to ransomware infections.

Thanks @FordGuy61 for that information…
Hope all Synology NAS owners are made aware of these issues.

What can I do to enhance the security of my Synology NAS?
