A joint security alert has been published by the cyber-security agencies from the UK and the US about a strain of malware called QSnatch which has been infecting network-attached storage (NAS) devices from Taiwanese device maker QNAP.
The two agencies, the United States Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC), state in the alert that attacks with the QSnatch malware were traced back to 2014. Attacks increased sharply over the last year, however, with the number of reported infections growing from 7,000 devices in October 2019 to over 62,000 in mid-June 2020.
Of these, around 7,600 of the infected devices are located in the US, and around 3,900 in the UK.
The first campaign began in early 2014 and continued until mid-2017; the second campaign started in late 2018 and remained active until late 2019.
According to CISA and the NCSC, the two campaigns used different versions of the QSnatch malware. As per the latest alert, the new QSnatch version has an enhanced and broader set of features, with modules providing the following functions:
- CGI password logger – This installs a fake version of the device admin login page, logging successful authentications and passing them to the legitimate login page.
- Credential scraper
- SSH backdoor – It lets the attacker execute arbitrary code on a device.
- Exfiltration – When run, QSnatch steals a predetermined list of files, which includes system configurations and log files. These are encrypted with the attacker’s public key and sent to their infrastructure over HTTPS.
- Webshell functionality for remote access
However, the security experts do not know how the malware initially infects devices. They believe that the attackers might be exploiting vulnerabilities in the QNAP firmware, or that they might be using default passwords for the admin account, but this could not be verified.
Once the attackers gain entry, the QSnatch malware is injected into the firmware, from where it takes full control of the device and then blocks future firmware updates in order to persist on the victim NAS.
CISA and the NCSC state that the QSnatch group’s server infrastructure used in the second series of attacks is now down. But the QSnatch infections themselves remain active on infected devices around the internet.
If the malware is not removed, it gives the attackers a backdoor into company networks and direct access to the NAS devices.
All companies and home users who use QNAP devices are therefore advised to follow the remediation and mitigation steps listed on the Taiwanese vendor’s support page to remove QSnatch and prevent future infections.