Thousands of QNAP NAS devices infected with legacy malware

Infection rates are high, with roughly 4,000 devices in the UK infected with QSnatch as of June 2020

Tens of thousands of network attached storage (NAS) devices manufactured by QNAP are potentially vulnerable to malware that prevents administrators from applying essential security patches.

While the QSnatch malware, also known as ‘Derek’, is no longer active, up to 62,000 QNAP devices are exposed to potential infection from two campaigns that hackers ran from 2014 onwards, the most recent of which ended in 2019.


Administrators are therefore being urged to patch their NAS devices immediately to avoid falling foul of legacy infections, according to an advisory by the National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA).

Prevalence is particularly high in the US and in Europe, with approximately 62,000 infected worldwide as of mid-June 2020. Approximately 7,600 were located in the US and approximately 3,900 in the UK alone.

“Once a device has been infected, attackers have been known to make it impossible for administrators to successfully run the needed firmware updates,” the joint advisory said. “This makes it extremely important for organisations to ensure their devices have not been previously compromised.

“Organisations that are still running a vulnerable version must run a full factory reset on the device prior to completing the firmware upgrade to ensure the device is not left vulnerable. The usual checks to ensure that the latest updates are installed still apply. To prevent reinfection, this recommendation also applies to devices previously infected with QSnatch but from which the malware has been removed.”


Hackers behind the QSnatch malware ran an initial campaign in early 2014, which continued until mid-2017. The second started in late 2018 and was active until late 2019. The two campaigns were differentiated by their initial payload as well as by differences in capabilities. The majority of current infections, and the subject of the advisory, are a result of the second wave.

QSnatch contains multiple functions, including a password logger that records successful authentications through a fake login page, a credential scraper, and a secure shell (SSH) backdoor that allows arbitrary code execution. This is in addition to webshell functionality for remote access.


QSnatch also runs an exfiltration process that steals a predetermined list of files, including system configuration and log files. These are then encrypted with the cyber criminals’ public key and sent to their infrastructure by HTTPS.

All QNAP NAS devices are potentially vulnerable if they haven’t yet been updated with the latest security fixes. To prevent further infections, the NCSC and CISA advise that organisations take recommended measures in QNAP’s November 2019 advisory.


Administrators can also verify they have purchased QNAP devices from reputable sources, as well as block external connections when the device is intended to be used strictly for internal storage.

Since the QSnatch outbreak, QNAP has rolled out operating system patches, released a security advisory, published a press release, and contacted potentially affected users to urge an immediate update to their devices, a spokesperson told IT Pro.

“Currently from our observations, the situation has been gradually settling down with no obvious sign of new malware variation/another outbreak,” they added. “We will continue to advocate the importance of keeping OS and apps updated in order to mitigate from known vulnerabilities.”
