QSnatch Data-Stealing Malware has grown up the number of infected QNAP NAS to more than 62,000 devices
A malware threat dubbed QSnatch is known to target NAS (Network-Attached Storage) devices manufactured by the Taiwan-based QNAP Systems, Inc. Malware researchers at Finland’s National Cyber Security Center (NCSC-FI) were the first to spot the activity of this new threat in the middle of October 2019.
But now the US Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) issued a joint advisory about a massive ongoing campaign spreading the QSnatch data-stealing malware. QSnatch malware, first spotted in late 2019, has grown from 7,000 bots to more than 62,000, according to a joint US CISA and UK NCSC security alert.
“All QNAP NAS devices are potentially vulnerable to QSnatch malware if not updated with the latest security fixes. Further, once a device has been infected, attackers can prevent administrators from successfully running firmware updates.” the two agencies said
The QSnatch malware implements multiple functionalities, such as:
- CGI password logger
This installs a fake version of the device admin login page, logging successful authentications and passing them to the legitimate login page.
- Credential scraper
- SSH backdoor
This allows the cyber actor to execute arbitrary code on a device.
When run, QSnatch steals a predetermined list of files, which includes system configurations and log files. These are encrypted with the actor’s public key and sent to their infrastructure over HTTPS.
Webshell functionality for remote access
- QSnatch QNAP
In November 2019, security experts first spotted the QSnatch malware that at the time infected thousands of QNAP NAS devices worldwide. At the time, the German Computer Emergency Response Team (CERT-Bund) reported that over 7,000 devices have been infected in Germany alone.
However, the two agencies experts managed to analyze the current version of the QSnatch malware. Experts pointed out that any QNAP NAS device that was not updated is potentially vulnerable to QSnatch malware. The experts observed that once a device has been infected, the malicious code can prevent the installation of firmware updates.
It was also found that once the attackers gain a complete hold on the target source, CISA and the NCSC say the QSnatch malware is injected into the firmware, from where it takes full control of the device and then blocks future updates to the firmware to survive on the victim NAS.
The two agencies have urged organizations to ensure their devices have not been previously compromised, and if so, run a full factory reset on the device before performing the firmware upgrade. It’s also recommended to follow QNAP’s security advisory to prevent the infection by following the steps listed here.
For more news on tech and cybersecurity stay tuned on Android Rookies by subscribing to our newsletter from here.