Over 62,000 Storage Devices Infected by QSnatch Data-Stealing Malware
Photo: QNAP Systems Inc.
U.S. and U.K. cybersecurity agencies issued a joint warning this week that over 62,000 QNAP network-attached storage devices worldwide have been infected with data-stealing malware.
While the agencies have not determined how the malware initially infected these storage devices, once it was installed, it embedded in the firmware, where it could take over a device and prevent security updates, the alert notes.
Some 7,600 devices in the U.S. and 3,900 in the U.K. have been infected with the QSnatch malware, the agencies note. The rest of the infected devices are scattered throughout Western and Eastern Europe as well as parts of Asia.
CISA and NCSC are urging users to apply security updates and patches provided by QNAP.
“All QNAP NAS devices are potentially vulnerable to QSnatch malware if not updated with the latest security fixes,” the alert states. “The malware, documented in open-source reports, has infected thousands of devices worldwide with a particularly high number of infections in North America and Europe. Further, once a device has been infected, attackers can prevent administrators from successfully running firmware updates.”
Organizations that are still running a vulnerable version of the firmware must run a full factory reset on the device prior to completing the upgrade to ensure the device is not left vulnerable to the malware, the joint alert notes.
The QSnatch malware – also known as Derek – was distributed in two separate waves. The first of these appeared in 2014 and continued through 2017, according to the joint statement. The second campaign, which started in 2018 and continued through at least the end of 2019, is the focus of the joint alert.
Each strain is somewhat distinct and contains separate payloads.
And while the malicious infrastructure of the latest campaign appears dormant, CISA and NCSC warn that infected devices are still subject to attack. That’s because the malware operators use a domain-generation algorithm to help establish a command-and-control server, which can send a request to an infected NAS device and reactivate the malicious code, according to the alert.
“The malware appears to gain persistence by preventing updates from installing on the infected QNAP device,” the alert states. “The attacker modifies the system hosts file, redirecting core domain names used by the NAS to local out-of-date versions so updates can never be installed.”
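The hosts-file trick described in the alert is straightforward for defenders to check for on any Linux-based NAS that exposes a shell. The following is an added example, not code from the alert or from QNAP: it parses hosts-file text and flags any entry that pins a vendor update domain to a static address, since such domains should normally resolve through DNS. The watched domain suffix and the sample hosts content are assumptions constructed for illustration.

```python
import ipaddress
from typing import List, Tuple

# Assumed watchlist: domain suffixes a NAS must reach for firmware updates.
# The alert does not name them; operators should replace this with the exact
# hostnames their firmware contacts.
WATCHED_SUFFIXES = ("qnap.com",)


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from hosts-file text, skipping comments and junk."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)  # reject malformed address fields
        except ValueError:
            continue
        pairs.extend((ip, name.lower()) for name in names)
    return pairs


def is_watched(hostname: str) -> bool:
    """True if hostname is, or is a subdomain of, a watched vendor domain."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def suspicious_update_redirects(text: str) -> List[Tuple[str, str, str]]:
    """Flag watched domains pinned in the hosts file, with a reason for triage."""
    findings = []
    for ip, name in parse_hosts(text):
        if not is_watched(name):
            continue
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_private or addr.is_link_local or addr.is_unspecified:
            reason = "pinned to non-routable address (updates can never reach the vendor)"
        else:
            reason = "pinned to static address (bypasses DNS; verify against vendor records)"
        findings.append((name, ip, reason))
    return findings


# Constructed sample hosts file, not taken from a real device.
SAMPLE_HOSTS = """\
127.0.0.1     localhost
::1           localhost
192.168.1.50  nas-internal
127.0.0.1     update.qnap.com   # constructed: vendor domain pinned to loopback
"""

if __name__ == "__main__":
    for name, ip, reason in suspicious_update_redirects(SAMPLE_HOSTS):
        print(f"SUSPICIOUS {name} -> {ip}: {reason}")
```

Run it against the output of `cat /etc/hosts` on a device under investigation; a clean device should produce no findings for vendor domains.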
Once installed, QSnatch has the ability to exfiltrate data, scrape users’ credentials, install a CGI password logger that installs a fake login page to steal administrative passwords, use a web shell for remote access and create an SSH backdoor that enables the operators to run arbitrary code, according to the joint alert.
Because QNAP’s NAS devices are used in many enterprises, contain sensitive data and can give attackers a foothold for reaching deeper into the network, they are tempting targets.
In July 2019, a new ransomware strain called eCh0raix targeted certain QNAP devices by exploiting vulnerabilities in the gear and bypassing weak credentials using brute-force techniques, according to the security firm Anomali (see: Report: Ransomware Targets QNAP Storage Devices).
In February 2019, QNAP issued a security alert noting an unknown strain of malware was disabling software updates within its devices, leaving them vulnerable to further attacks. The alert did not specify if this was a reference to QSnatch or another malware strain.