QNAP NAS Devices Targeted by QSnatch Malware for Six Years and Counting
Network Attached Storage (NAS) devices built by QNAP are vulnerable to a malware named QSnatch, according to an advisory issued by United States Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC).
QNAP builds NAS devices that can be used as a local cloud backup for computers and phones, as well as many other applications. It uses a custom-built Linux OS, which makes the infection all the more impressive. It’s still unclear how the malware is spreading, who the operators are, and what their goals are.
QSnatch is a fairly sophisticated malware designed to steal credentials via a CGI password logger, to scrape credentials, to provide attackers with a SSH backdoor, to exfiltrate data, including system configurations and log files, and to offer web shell functionality for remote access.
Once the malware is installed, it gains persistence by changing the host file, redirecting the core domain names used by the NAS to out-of-date local versions so updates can never retrieved.
“The infection vector has not been identified, but QSnatch appears to be injected into the device firmware during the infection stage, with the malicious code subsequently run within the device, compromising it,” states the advisory. “The attacker then uses a domain generation algorithm (DGA)—to establish a command and control (C2) channel that periodically generates multiple domain names for use in C2 communications.”
Because the malware is persistent, administrators can’t install firmware updates. This means that a full factory reset is required before upgrading the firmware. Also, all the latest updates have to be installed.
The company also advises clients to update Malware Remover to the latest version, update the Security Counselor to the latest version, change all the credentials, remove suspicious or unknown accounts, and disable all network functionality’s not used, such SSH or Telnet.
By the middle of last month, a total of 62,000 QNAP devices were infected; approximately 7,600 were in the United States, and 3,900 in the United Kingdom. The first infections started in 2014 and QSnatch is active to this day.
The Holiday Guide to Tech Support: Fixing the Family Computer
November 24, 2021
Bitdefender Celebrates 20 Years of Cybersecurity Leadership
November 04, 2021
Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords
October 26, 2021
What are drive-by download attacks and how do you prevent them?
October 25, 2021
Criminals Can't Wait to Add Your IoT Device to Their DDoS Networks
October 22, 2021
Six in 10 Consumers Faced a Cyber Threat in 2021, New Bitdefender Study Reveals
October 20, 2021