Your NAS is not my BOT
Time: 06:00 ~ 06:45
Site: R2
NAS (Network Attached Storage) devices are widely deployed by enterprises and end customers world-wide, and they are becoming more powerful and convenient than ever. However, their security may not be valued as much as their accessibility and convenience.
Our recent tracking of APT attacks came across C2 (Command & Control) servers that appear to be linked with NAS devices: their passive DNS records show subdomains of synology.me (the DDNS service provided by Synology) or myqnapcloud.com (the DDNS service provided by QNAP). After further investigation, we discovered a variety of abuse methods across different threat actors. They are:
- A NAS device was compromised and leveraged as a traffic relay server (hopping point) to hide threat actors’ real location
- A NAS device was compromised and its DDNS service was hijacked by threat actors in their attacks
In this work, we propose a novel yet simple method. It cross-validates the passive DNS records, digital certificate history and service history of a specific NAS DDNS hostname. This method can effectively identify a compromised NAS device by examining its DDNS profile. We validate our method by examining thousands of real cases and publish our experimental results. We also present case studies showing how APT actors abuse these compromised devices.

Charles Li
