
Thousands of QNAP NAS devices infected with legacy malware

Infection rates are high with roughly 4,000 devices in the UK infected with QSnatch as of June 2020

Tens of thousands of network attached storage (NAS) devices manufactured by QNAP are potentially vulnerable to malware that prevents administrators from applying essential security patches.

While the QSnatch malware, also known as ‘Derek’, is no longer being actively spread, approximately 62,000 QNAP devices were still infected as of mid-June 2020, the legacy of two campaigns hackers ran from 2014 onwards, the most recent ending in 2019.

Administrators are therefore being urged to patch their NAS devices immediately to avoid falling foul of legacy infections, according to a joint advisory by the National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA).

Prevalence is particularly high in the US and in Europe: of the approximately 62,000 devices infected worldwide as of mid-June 2020, around 7,600 were located in the US and around 3,900 in the UK alone.

“Once a device has been infected, attackers have been known to make it impossible for administrators to successfully run the needed firmware updates,” the joint advisory said. “This makes it extremely important for organisations to ensure their devices have not been previously compromised.

“Organisations that are still running a vulnerable version must run a full factory reset on the device prior to completing the firmware upgrade to ensure the device is not left vulnerable. The usual checks to ensure that the latest updates are installed still apply. To prevent reinfection, this recommendation also applies to devices previously infected with QSnatch but from which the malware has been removed.”

Hackers behind the QSnatch malware ran an initial campaign in early 2014, which continued until mid-2017. The second started in late 2018 and was active until late 2019. The two campaigns differed in their initial payload as well as in the malware's capabilities. The majority of current infections, and the subject of the advisory, result from the second wave.

QSnatch contains multiple components: a password logger that serves a fake version of the device login page and records successful authentications, a credential scraper, and a secure shell (SSH) backdoor that allows arbitrary code execution. This is in addition to webshell functionality for remote access.


QSnatch also runs an exfiltration process that steals a predetermined list of files, including system configuration and log files. These are then encrypted with the cyber criminals’ public key and sent to their infrastructure by HTTPS.

All QNAP NAS devices are potentially vulnerable if they haven’t yet been updated with the latest security fixes. To prevent further infections, the NCSC and CISA advise that organisations take recommended measures in QNAP’s November 2019 advisory.

Administrators can also verify that they have purchased QNAP devices from reputable sources, and should block external connections when the device is intended to be used strictly for internal storage.
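One way to enforce that last recommendation at the network edge, as an added example that is not part of the NCSC/CISA advisory or QNAP's own guidance: an nftables ruleset for a Linux gateway that sits between the internet and the LAN. The addresses and interface names are assumptions (LAN 192.168.1.0/24, NAS at 192.168.1.20, WAN interface eth0, LAN interface eth1); substitute your own.

```nftables
#!/usr/sbin/nft -f
# Added example, not QNAP or advisory code. Assumed topology:
#   eth0 = WAN-facing interface, eth1 = LAN interface,
#   NAS  = 192.168.1.20 on LAN 192.168.1.0/24.
# Load with:  nft -f nas_guard.nft

define WAN_IF = "eth0"
define LAN_IF = "eth1"
define NAS    = 192.168.1.20

# Declare, then flush, so the file can be reloaded without duplicating rules.
table inet nas_guard
flush table inet nas_guard

table inet nas_guard {
    chain forward {
        # Forward hook: every packet routed between WAN and LAN passes here.
        type filter hook forward priority 0; policy accept;

        # Replies to connections that LAN hosts (or the NAS) initiated are fine.
        ct state established,related accept

        # LAN clients may reach the NAS on any port (SMB/NFS, admin UI, SSH).
        iifname $LAN_IF ip daddr $NAS accept

        # New connections to the NAS arriving from the WAN are logged and
        # dropped on every port, so an exposed admin UI or SSH backdoor is
        # unreachable from the internet even if a port forward exists: DNAT
        # happens before this hook, so the translated address still matches.
        iifname $WAN_IF ip daddr $NAS ct state new log prefix "nas-guard drop: " drop
    }
}
```

Because the drop is applied in the forward chain after address translation, it also neutralises port forwards that the NAS or a UPnP client may have created on the router; check `nft list ruleset` after loading to confirm the rule is present, and review the kernel log for the `nas-guard drop:` prefix to see whether anything outside the LAN is still trying to reach the device.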

Since the QSnatch outbreak, QNAP has rolled out operating system patches, released a security advisory, published a press release, and contacted potentially affected users to urge an immediate update to their devices, a spokesperson told IT Pro.

“Currently from our observations, the situation has been gradually settling down with no obvious sign of new malware variation/another outbreak,” they added. “We will continue to advocate the importance of keeping OS and apps updated in order to mitigate from known vulnerabilities.”
