Thousands of QNAP NAS devices infected with legacy malware

Infection rates are high with roughly 4,000 devices in the UK infected with QSnatch as of June 2020

Tens of thousands of network attached storage (NAS) devices manufactured by QNAP are potentially vulnerable to malware that prevents administrators from applying essential security patches.

While the QSnatch malware, also known as ‘Derek’, is no longer active, up to 62,000 QNAP devices are exposed to potential infection from two campaigns that hackers ran from 2014, the most recent of which ended in 2019.

Administrators are therefore being urged to patch their NAS devices immediately to avoid falling foul of legacy infections, according to an advisory by the National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA).

Prevalence is particularly high in the US and in Europe, with approximately 62,000 infected worldwide as of mid-June 2020. Approximately 7,600 were located in the US and approximately 3,900 in the UK alone.

“Once a device has been infected, attackers have been known to make it impossible for administrators to successfully run the needed firmware updates,” the joint advisory said. “This makes it extremely important for organisations to ensure their devices have not been previously compromised.

“Organisations that are still running a vulnerable version must run a full factory reset on the device prior to completing the firmware upgrade to ensure the device is not left vulnerable. The usual checks to ensure that the latest updates are installed still apply. To prevent reinfection, this recommendation also applies to devices previously infected with QSnatch but from which the malware has been removed.”

Hackers behind the QSnatch malware ran an initial campaign in early 2014, which continued until mid-2017. The second started in late 2018 and was active until late 2019. The two campaigns differed in their initial payload as well as in their capabilities. The majority of current infections, and the subject of the advisory, are the result of the second wave.

QSnatch contains multiple functionalities, including a password logger that logs successful authentications through a fake login page, as well as a credential scraper and a secure shell (SSH) backdoor that allows arbitrary code execution. This is in addition to webshell functionality for remote access.


QSnatch also runs an exfiltration process that steals a predetermined list of files, including system configuration and log files. These are then encrypted with the cyber criminals’ public key and sent to their infrastructure over HTTPS.

All QNAP NAS devices are potentially vulnerable if they haven’t yet been updated with the latest security fixes. To prevent further infections, the NCSC and CISA advise that organisations take recommended measures in QNAP’s November 2019 advisory.

Administrators can also verify they have purchased QNAP devices from reputable sources, as well as block external connections when the device is intended to be used strictly for internal storage.

Since the QSnatch outbreak, QNAP has rolled out operating system patches, released a security advisory, published a press release, and contacted potentially affected users to urge an immediate update to their devices, a spokesperson told IT Pro.

“Currently from our observations, the situation has been gradually settling down with no obvious sign of new malware variation/another outbreak,” they added. “We will continue to advocate the importance of keeping OS and apps updated in order to mitigate from known vulnerabilities.”
