62,000 QNAP NAS devices infected with persistent QSnatch malware
There are approximately 62,000 malware-infested QNAP NAS (Network Attached Storage) devices located across the globe spilling all the secrets they contain to unknown cyber actors, the US CISA and the UK NCSC have warned.
Dubbed QSnatch, the sophisticated malware targets QTS, the Linux-based OS powering QNAP’s NAS devices, and is able to log passwords, scrape credentials, set up an SSH backdoor and a webshell, exfiltrate files and, most importantly, ensure its persistence by preventing users from installing updates that might remove it and by preventing the QNAP Malware Remover app from running.
QSnatch and its reach
Various versions of the malware have been around for many years now. The two agencies have identified two campaigns aimed at spreading it, the more recent of which was still active in late 2019.
Interestingly enough, they still don’t know how the malware is delivered, but it “appears to be injected into the device firmware during the infection stage, with the malicious code subsequently run within the device, compromising it.” The likeliest explanation is that the attackers exploited a remotely exploitable vulnerability in the firmware, one that has since been patched.
“QSnatch collects confidential information from infected devices, such as login credentials and system configuration. Due to these data breach concerns, QNAP devices that had been infected may still be vulnerable to reinfection after removing the malware,” QNAP explained after delivering security updates in November 2019.
In mid-June, the number of infected devices worldwide was 62,000, with approximately 7,600 in the US and 3,900 in the UK.
What to do if your QNAP NAS has been infected?
The agencies say that the infrastructure used by the malicious cyber actors in both campaigns is not currently active, but unpatched devices remain at risk of compromise.
“The malware appears to gain persistence by preventing updates from installing on the infected QNAP device. The attacker modifies the system hosts file, redirecting core domain names used by the NAS to local out-of-date versions so updates can never be installed,” they noted.
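The hosts-file trick described above is easy to check for. The script below is an added example, not code from the CISA/NCSC advisory or from QNAP: it parses a hosts file, flags any static entry for a domain the NAS would use to reach QNAP, and notes when the target address is loopback, private or otherwise non-routable (the signature of "redirecting core domain names to local versions"). The domain suffixes it watches and the sample hosts content are constructed assumptions for illustration; extend the suffix list with whatever your own device actually resolves during an update check.

```python
"""Detect hosts-file redirects of QNAP update domains.

Added example, not from the advisory or from QNAP. It assumes the technique
is exactly what the agencies describe: hosts entries pinning the NAS's update
domains to a local address. Suffixes and sample data are constructed.
"""
import ipaddress
import sys

# Assumption: domains the NAS contacts for firmware/app updates sit under
# these suffixes. Extend with what your own NAS resolves.
WATCHED_SUFFIXES = ("qnap.com", "qnap.com.tw")

# Constructed sample hosts file: two benign lines, two malicious-looking ones.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# pinned by malware (constructed example)
127.0.0.1   update.qnap.com
192.168.1.50 www.qnap.com download.qnap.com.tw
"""


def is_watched(hostname: str) -> bool:
    """True if hostname is (or is under) a domain the NAS relies on for updates."""
    host = hostname.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def is_local(addr: str) -> bool:
    """True for addresses that cannot be QNAP's public update servers."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # an unparseable address is itself suspicious
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_reserved)


def find_redirects(hosts_text: str):
    """Return (line_no, address, hostname, target_is_local) for every watched
    domain that has a static hosts entry. A NAS should not need any."""
    findings = []
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        for name in names:
            if is_watched(name):
                findings.append((lineno, addr, name.lower(), is_local(addr)))
    return findings


def main(path=None) -> int:
    """Scan the given hosts file (or the constructed sample); exit 1 on findings."""
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_HOSTS
    findings = find_redirects(text)
    for lineno, addr, name, local in findings:
        kind = "non-routable target" if local else "static override"
        print(f"line {lineno}: {name} -> {addr} ({kind})")
    if not findings:
        print("no QNAP domains pinned in hosts file")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it as `python3 check_hosts.py /etc/hosts` against a copy of the device's hosts file (QTS does not ship Python by default, so pull the file off over SSH or from a backup and inspect it elsewhere). With no argument it scans the built-in sample, which should report three pinned entries. A clean result here does not prove the device is uninfected, since QSnatch also blocks the Malware Remover and installs other persistence; it only rules out this one mechanism.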
Since it hasn’t been confirmed that a successful update removes the malware, the general advice is to run a full factory reset on the device before completing the firmware upgrade, then verify that the update has actually been applied. This will “destroy” the malware, but also all the data stored on the device, so back up anything you need to keep before resetting.
QNAP has provided additional security recommendations and detailed instructions for preventing QSnatch infections.
The agencies additionally advise organizations to block external connections when the device is intended to be used strictly for internal storage.