QNAP NAS Devices Targeted by QSnatch Malware for Six Years and Counting
Network Attached Storage (NAS) devices built by QNAP are vulnerable to a malware named QSnatch, according to an advisory issued by United States Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC).
QNAP builds NAS devices that can be used as a local cloud backup for computers and phones, as well as many other applications. It uses a custom-built Linux OS, which makes the infection all the more impressive. It’s still unclear how the malware is spreading, who the operators are, and what their goals are.
QSnatch is a fairly sophisticated malware designed to steal credentials via a CGI password logger, to scrape credentials, to provide attackers with a SSH backdoor, to exfiltrate data, including system configurations and log files, and to offer web shell functionality for remote access.
Once the malware is installed, it gains persistence by changing the host file, redirecting the core domain names used by the NAS to out-of-date local versions so updates can never retrieved.
“The infection vector has not been identified, but QSnatch appears to be injected into the device firmware during the infection stage, with the malicious code subsequently run within the device, compromising it,” states the advisory. “The attacker then uses a domain generation algorithm (DGA)—to establish a command and control (C2) channel that periodically generates multiple domain names for use in C2 communications.”
Because the malware is persistent, administrators can’t install firmware updates. This means that a full factory reset is required before upgrading the firmware. Also, all the latest updates have to be installed.
The company also advises clients to update Malware Remover to the latest version, update the Security Counselor to the latest version, change all the credentials, remove suspicious or unknown accounts, and disable all network functionality’s not used, such SSH or Telnet.
By the middle of last month, a total of 62,000 QNAP devices were infected; approximately 7,600 were in the United States, and 3,900 in the United Kingdom. The first infections started in 2014 and QSnatch is active to this day.
Scam alert: Cybercrooks use shady investment domain to scam keen investors out of money and data
May 24, 2022
John Oliver Shows the Dark Side of Data Brokerage on Last Week Tonight
April 15, 2022
Bitdefender Labs Warns of Phishing Scams Targeting MetaMask Users
April 14, 2022
Why and how to hide your IP address while traveling
April 13, 2022
How Bitdefender Can Help Restore Your Privacy in the Digital Age
April 04, 2022
How Strong is VPN Encryption?
February 28, 2022