QNAP NAS Devices Infected With QSnatch
A joint warning has recently been issued by cybersecurity authorities in the US and the UK regarding a malware threat infecting the network-attached storage (NAS) appliances of the Taiwan-based company QNAP.
First reported last October as a large-scale infection across Western Europe and North America, the so-called QSnatch (or Derek) threat is data-stealing malware confirmed to have infected about 62,000 devices.
The US Cybersecurity and Infrastructure Security Agency (CISA) and the UK's National Cyber Security Centre (NCSC) state in a published advisory that all QNAP NAS devices that have not been updated with the latest security fixes are potentially vulnerable to QSnatch. They also warn that once a device has been compromised with this malware, the attackers can prevent administrators from running firmware updates.
The method by which QSnatch infects devices is still not clear. In their advisory, CISA and NCSC report that the first campaign likely began in 2014 and lasted until mid-2017. In recent months, QSnatch attacks have intensified, targeting about 7,600 devices in the United States and around 3,900 devices in the United Kingdom.
According to the German Computer Emergency Response Team (CERT-Bund), by October 2019 more than 7,000 NAS devices had been targeted with the malware in Germany alone.
The advisory reveals that the second wave of attacks injects the malware during the infection stage and then uses a domain generation algorithm (DGA) to immediately set up a command-and-control (C2) channel, which allows remote communication with the infected hosts and data exfiltration. The good news is that the infrastructure the malicious actors used in both waves of attacks is not currently active.
The agencies explain that the two QSnatch campaigns differ from each other in the initial payload used, as well as in the capabilities of the malware.
The latest QSnatch version has a number of malicious features including a CGI password logger with a fake admin login screen for password capture, a credential scraper, a backdoor with SSH capabilities to execute arbitrary code and a remote Web Shell functionality.
The malware gains persistence by preventing updates on the infected QNAP device: it redirects the core domain names the NAS relies on to local, out-of-date versions, so that updates can never be installed.
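As an added illustration (not code from the advisory or from QNAP), a defender-side check for the persistence trick just described: it parses a hosts file and flags any watched vendor domain that has been pinned to a loopback, private, link-local or unspecified address. The domain names and the sample hosts content are constructed placeholders; substitute the update domains your own NAS resolves.

```python
"""Flag hosts-file entries that redirect vendor update domains to local or
otherwise non-public addresses, the update-blocking persistence trick
described above. Domains and sample content are constructed, not real."""
import ipaddress

# Hypothetical vendor domains to watch (placeholders, not QNAP's real names).
WATCHED_DOMAINS = ("update.example-nas.invalid", "download.example-nas.invalid")


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower()


def is_hijacked(ip, name):
    """True if a watched domain (or a subdomain of one) resolves to a
    loopback, private, link-local or unspecified address, i.e. never to
    the vendor's real servers."""
    if not any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS):
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # a malformed address on a watched name is itself suspicious
    return (addr.is_loopback or addr.is_private
            or addr.is_link_local or addr.is_unspecified)


def find_hijacked_entries(text):
    """Return the (ip, hostname) entries in hosts-file text that look hijacked."""
    return [(ip, name) for ip, name in parse_hosts(text) if is_hijacked(ip, name)]


# Constructed sample: normal localhost lines plus two pinned update domains.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# entries modelling the trick: update servers pinned to the box itself
127.0.0.1   update.example-nas.invalid
0.0.0.0     download.example-nas.invalid
192.0.2.10  files.example-nas.invalid
"""

if __name__ == "__main__":
    for ip, name in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"suspicious: {name} -> {ip}")
```

On a live system the same function can be run over the contents of the device's hosts file; any hit for a vendor update domain warrants the factory reset and firmware upgrade the advisory recommends.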
CISA and NCSC encourage organizations to verify that their devices have not been infected and, if they have, to perform a factory reset before upgrading the firmware. They also recommend closely following the QNAP security advisory, which provides a list of measures that may prevent infection.
As further QSnatch mitigation, CISA and NCSC suggest checking that QNAP devices have been purchased from reputable sources, and blocking external connections if the device is strictly intended for internal storage.