Black Hat USA 2023

A Pain in the NAS: Exploiting Cloud Connectivity to PWN your NAS


This talk demonstrates a chain of vulnerabilities in Western Digital and Synology NAS devices that allows an unauthenticated attacker to achieve remote code execution. The attack leverages insecure cloud-based device authentication and improper input validation in device management services to perform device impersonation and arbitrary file writes. The researchers show how to leak device GUIDs via passive DNS and certificate transparency logs to target specific devices globally. The presentation highlights the critical security risks of cloud-connected IoT devices that prioritize user convenience over robust device-level authentication.

How Cloud-Connected NAS Devices Became a Global Botnet

TLDR: Researchers at Claroty Team82 demonstrated a critical vulnerability chain in Western Digital and Synology NAS devices that allows unauthenticated remote code execution. By exploiting insecure cloud-based device authentication and improper input validation, an attacker can impersonate any device globally and execute arbitrary commands. This research underscores the massive risk of IoT cloud backends that prioritize seamless user experience over rigorous device-level identity verification.

Network-attached storage devices are the ultimate "set it and forget it" hardware. They sit in home offices and small business server rooms, quietly syncing files and hosting media. Because they are designed for non-technical users, vendors have spent the last decade building elaborate cloud-based connectivity platforms to bypass NAT and firewall restrictions. This convenience comes at a steep price. When you prioritize remote access over secure authentication, you turn a private storage device into a globally reachable target.

The Anatomy of the Impersonation Attack

The core of this research centers on how these devices authenticate to their respective cloud backends. In the case of Western Digital, the cloud platform relies on a Globally Unique Identifier (GUID) to associate a user account with a specific physical device. The researchers discovered that this GUID is not a secret. It is embedded directly into the device's TLS certificate, which is publicly accessible via Certificate Transparency logs.

Once an attacker has the GUID, the barrier to entry is remarkably low. By querying the cloud API with a target's GUID, the attacker can effectively impersonate that device. The cloud backend, failing to perform robust mutual authentication, accepts the attacker's connection as legitimate. This is a classic case of Identification and Authentication Failures where the system trusts the identifier provided by the client without verifying the underlying hardware identity.
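The distinction the talk draws, an identifier that anyone can read versus a credential only the device can produce, is easiest to see in code. The following is an added example, not Western Digital's or Synology's API: a toy cloud "attach" endpoint in two forms. The weak form binds a connection to an owner on the strength of the GUID alone, which is the failure described above. The hardened form keeps the GUID as the lookup key but requires an HMAC over a single-use server challenge, computed with a per-device secret that never leaves the device (in production this would be a device certificate or key in a secure element, verified with mutual TLS; the registry contents, the GUID and the key bytes are all constructed for this example).

```python
import hashlib
import hmac
import secrets

# Constructed sample registry (every value made up for this example). The GUID is public, so it
# may appear in a certificate or DNS name; the device key is the secret that makes identity
# provable. A real backend would hold a public key or certificate here rather than a shared secret.
DEVICE_REGISTRY = {
    "3f9c2a1e-example-guid": {
        "owner": "alice@example.com",
        "device_key": bytes.fromhex(
            "5f2d8c1b0a9e7d6c5b4a392817061f2ed3c2b1a09f8e7d6c5b4a392817061f2e"
        ),
    }
}

# Challenges handed out by the server and not yet consumed. A challenge is usable exactly once.
_OUTSTANDING_CHALLENGES = set()


def attach_by_guid_only(guid):
    """Weak design: whoever presents a registered GUID is treated as that device."""
    entry = DEVICE_REGISTRY.get(guid)
    return None if entry is None else entry["owner"]


def issue_challenge():
    """Server side: a fresh random nonce the device must sign."""
    challenge = secrets.token_bytes(32)
    _OUTSTANDING_CHALLENGES.add(challenge)
    return challenge


def device_sign(device_key, guid, challenge):
    """Device side: prove possession of the key without revealing it.
    Binding the GUID into the MAC stops a response for one device being replayed for another."""
    return hmac.new(device_key, guid.encode() + challenge, hashlib.sha256).digest()


def attach_with_proof(guid, challenge, response):
    """Hardened design: the GUID identifies, the HMAC authenticates, the nonce prevents replay."""
    if challenge not in _OUTSTANDING_CHALLENGES:
        return None  # unknown or already-used challenge
    _OUTSTANDING_CHALLENGES.discard(challenge)  # consumed even on failure: no retries on one nonce
    entry = DEVICE_REGISTRY.get(guid)
    if entry is None:
        return None
    expected = device_sign(entry["device_key"], guid, challenge)
    if not hmac.compare_digest(expected, response):  # constant-time comparison
        return None
    return entry["owner"]


def demo():
    """Same public GUID, four outcomes: weak attach, forged proof, genuine proof, replayed proof."""
    guid = "3f9c2a1e-example-guid"  # public: learnable from a certificate or a DNS record
    weak = attach_by_guid_only(guid)

    # An impersonator knows the GUID but not the key, so the best it can do is guess.
    challenge = issue_challenge()
    forged = attach_with_proof(guid, challenge, secrets.token_bytes(32))

    # The real device answers a fresh challenge with its key.
    challenge = issue_challenge()
    real_response = device_sign(DEVICE_REGISTRY[guid]["device_key"], guid, challenge)
    genuine = attach_with_proof(guid, challenge, real_response)

    # Re-sending the same (challenge, response) pair is rejected: the nonce is spent.
    replay = attach_with_proof(guid, challenge, real_response)
    return weak, forged, genuine, replay


if __name__ == "__main__":
    print(demo())
```

The point of the model is that the GUID is still used, just not trusted: moving it into a TLS certificate or a public DNS name costs nothing because nothing secret depends on it. What the cloud must insist on is a proof that only the physical device can generate, and that proof has to be fresh each time.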

From Impersonation to Remote Code Execution

Gaining access to the cloud tunnel is only the first step. To achieve full remote code execution, the researchers chained this authentication bypass with an arbitrary file write vulnerability. They identified an undocumented API endpoint that allowed them to create new mount points. By manipulating the path parameter of this API, they could map a share to any directory on the device, including sensitive system paths.

The final payload involved writing a malicious script to /tmp/upload_fw_success. The device's do_reboot binary, which handles system restarts, reads this file and executes its contents via a system command without sanitizing the input. This is a textbook example of Command Injection.

// The vulnerable code snippet from the do_reboot binary (decompiler output, lightly cleaned up)
FILE *pfVar5;
char fileContent[0x40] = {0};   // 0x3f bytes are read, leaving room for a terminating NUL
char pCommand[0x100];
pfVar5 = popen("cat /tmp/upload_fw_success | awk '{print $3}'", "r");
fread(fileContent, 0x3f, 1, pfVar5);   // third field of an attacker-writable file
sprintf((char *)pCommand, "logwdfw_gza_fw_install -corid '%s' --status rebooting", fileContent);
system((char *)pCommand);   // fileContent is never sanitized: a quote in it escapes the '%s'
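The snippet above shows the pattern; what it does not show is why the single quotes around %s are no protection, and what the corrected construction looks like. The following is an added example, not code from the talk or from the firmware: a Python model of the same flow (third whitespace-separated field, same command template, program name copied verbatim from the decompiled snippet) beside the hardened form, which allowlists the field and hands an argv list to the process without any shell. The helper names and the sample lines are ours.

```python
import re
from typing import List, Optional

# Only characters a status/correlation identifier legitimately needs. Anything else is rejected
# outright rather than escaped, so the quoting rules of /bin/sh never come into play.
STATUS_FIELD_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def third_field(line: str) -> str:
    """Mirror awk '{print $3}': the third whitespace-separated field of the file's line."""
    parts = line.split()
    return parts[2] if len(parts) >= 3 else ""


def vulnerable_command(status: str) -> str:
    """The string the original sprintf builds. Wrapping %s in single quotes is not a defence:
    a single quote inside `status` closes the quoted region and the shell parses the rest."""
    return f"logwdfw_gza_fw_install -corid '{status}' --status rebooting"


def unquoted_metachars(cmd: str) -> int:
    """Count ; | & outside single quotes: each is a point where /bin/sh starts a new command.
    Zero means the status value stayed inside the quotes; anything else is a breakout."""
    in_quote = False
    count = 0
    for ch in cmd:
        if ch == "'":
            in_quote = not in_quote
        elif not in_quote and ch in ";|&":
            count += 1
    return count


def hardened_argv(status: str) -> Optional[List[str]]:
    """Hardened form: validate against the allowlist, then build an argv list for
    subprocess.run(argv, shell=False) (execve in C). With no shell in the path there is nothing
    for a stray quote or semicolon to break out of, and the allowlist rejects them anyway."""
    if not STATUS_FIELD_RE.fullmatch(status):
        return None
    return ["logwdfw_gza_fw_install", "-corid", status, "--status", "rebooting"]


if __name__ == "__main__":
    benign = third_field("firmware install abc123 ok")   # constructed sample line
    crafted = "x'; echo injected; '"                      # harmless marker, breaks the quoting
    print("benign  -> unquoted metachars:", unquoted_metachars(vulnerable_command(benign)))
    print("crafted -> unquoted metachars:", unquoted_metachars(vulnerable_command(crafted)))
    print("hardened argv, benign :", hardened_argv(benign))
    print("hardened argv, crafted:", hardened_argv(crafted))
```

Two design choices matter here. Validation is an allowlist of what the value may contain, not a denylist of shell characters, because the set of characters a shell treats specially is larger than most people remember. And the command is executed as argv rather than as a string, so even a value that slipped past validation is a single argument, never a second command. The deeper fix, outside the scope of this snippet, is not to take the value from a world-writable file under /tmp at all.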

The impact is absolute. An attacker can trigger a reboot, execute their payload as root, and gain persistent control over the NAS. The researchers successfully demonstrated this chain, resulting in CVE-2022-36331 and CVE-2022-36327.

Scaling the Attack via Passive DNS

What makes this research particularly dangerous is the scale. The researchers didn't just target one device; they targeted thousands. By using Passive DNS services, they could scrape historical DNS records to find the specific subdomains associated with these NAS devices.

For a pentester, this changes the threat model entirely. You are no longer limited to attacking a single, known target. You can perform reconnaissance on an entire vendor's user base, identify active devices, and systematically test for these vulnerabilities. The reliance on public-facing cloud infrastructure means that the "perimeter" is effectively non-existent.

Defensive Realities

For blue teams and security engineers, the lesson is clear: cloud connectivity is a massive, often unmanaged attack surface. If your organization uses these devices, the first step is to disable cloud-based remote access features entirely. If remote access is a business requirement, use a standard, hardened VPN solution rather than the vendor's proprietary "quick connect" service.

Furthermore, monitor for unusual outbound traffic patterns from your NAS devices. These devices should not be initiating connections to arbitrary cloud proxies unless explicitly configured to do so. If you see your storage hardware reaching out to unknown endpoints, treat it as a potential compromise.
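A concrete form of that monitoring advice, as an added example that is not part of the talk: a small egress check over NAS flow records. The log format, the device and host names and the allowlist are all constructed for this example; in practice the parser is adapted to the firewall or NetFlow export in use, and the allowlist to the endpoints the vendor documents for the features left enabled (here: the vendor relay on 443 and NTP, with cloud remote access assumed disabled).

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample flow records: timestamp, device, source IP, destination host:port.
SAMPLE_FLOWS = """\
2023-08-09T10:00:01 nas-01 192.0.2.10 -> relay.vendor-cloud.example:443
2023-08-09T10:00:05 nas-01 192.0.2.10 -> time.vendor-cloud.example:123
2023-08-09T10:02:11 nas-01 192.0.2.10 -> relay.vendor-cloud.example:443
2023-08-09T10:03:40 nas-01 192.0.2.10 -> 203.0.113.77:8443
2023-08-09T10:04:02 nas-01 192.0.2.10 -> relay.vendor-cloud.example:8443
2023-08-09T10:05:19 nas-01 192.0.2.10 -> files-lookalike.example:443
"""

# Assumed allowlist of (destination, port) pairs this NAS is expected to reach.
EXPECTED_EGRESS = {
    ("relay.vendor-cloud.example", 443),
    ("time.vendor-cloud.example", 123),
}


def parse_flow(line: str) -> Dict[str, object]:
    """Split one record of the constructed format into its fields."""
    ts, device, src, _arrow, dst = line.split()
    host, port = dst.rsplit(":", 1)
    return {"ts": ts, "device": device, "src": src, "dst": host, "port": int(port)}


def _is_raw_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def flag_unexpected_egress(log_text: str, expected=EXPECTED_EGRESS) -> List[Tuple[str, str, str, int, str]]:
    """Return (timestamp, device, destination, port, reason) for every flow outside the allowlist.
    The reason separates what a responder wants to know first: a raw-IP destination (no DNS name,
    typical of a hard-coded relay or a command channel), a known host on an unexpected port, or a
    destination never seen in the allowlist at all."""
    alerts = []
    known_hosts = {host for host, _ in expected}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if (flow["dst"], flow["port"]) in expected:
            continue
        if _is_raw_ip(flow["dst"]):
            reason = "raw IP destination"
        elif flow["dst"] in known_hosts:
            reason = "known host, unexpected port"
        else:
            reason = "unknown destination"
        alerts.append((flow["ts"], flow["device"], flow["dst"], flow["port"], reason))
    return alerts


if __name__ == "__main__":
    for alert in flag_unexpected_egress(SAMPLE_FLOWS):
        print(*alert)
```

The allowlist approach works for NAS hardware precisely because its legitimate egress is small and stable; a storage box that suddenly reaches a raw IP on a high port, or its own vendor's relay on a port it never used before, is the "reaching out to unknown endpoints" case the paragraph above describes and deserves a ticket rather than a shrug.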

The industry has spent years pushing for "ease of use" in IoT, but we have reached a point where that convenience is actively undermining the security of our data. When a device's entire security model rests on a publicly discoverable GUID, it is not a question of if it will be compromised, but when. As researchers, we need to keep digging into these proprietary cloud protocols. They are the new frontier for high-impact, low-effort exploitation, and they are currently wide open.

Talk Type: research presentation · Difficulty: advanced · Category: IoT security · Tags: Has Demo, Has Code, Tool Released

