SecurityWeek

US, UK Warn of Malware Targeting QNAP NAS Devices

In a joint alert this week, the United States and the United Kingdom warned that a piece of malware has infected over 62,000 QNAP network-attached storage (NAS) devices.

Dubbed QSnatch, the malware was first observed last year, and QNAP in November issued a security advisory to alert users of the risks associated with it and to provide recommendations on how they can remain protected.

At the time, the company revealed that QSnatch was designed to harvest confidential information from the compromised devices, including login credentials and system configuration.

“Due to these data breach concerns, QNAP devices that had been infected may still be vulnerable to reinfection after removing the malware,” the company said.

In their joint alert, the United States Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) warn that all NAS devices from QNAP might be vulnerable to QSnatch.

“The malware, documented in open-source reports, has infected thousands of devices worldwide with a particularly high number of infections in North America and Europe. Further, once a device has been infected, attackers can prevent administrators from successfully running firmware updates,” the alert reads.

The two agencies said they identified two QSnatch campaigns, one likely running between 2014 and 2017, and another that started in late 2018 and remained active until at least late 2019, and also revealed that there were approximately 62,000 infected devices around the world as of June 2020.

Although the infrastructure used in these campaigns is no longer active, “the threat remains to unpatched devices,” CISA and NCSC say.

The malware, they note, installs a fake device admin page to steal credentials, contains an SSH backdoor to enable code execution, features a credential scraper and webshell functionality to enable remote access, and can exfiltrate data to the attackers’ server over HTTPS.

“The malware appears to gain persistence by preventing updates from installing on the infected QNAP device. The attacker modifies the system host’s file, redirecting core domain names used by the NAS to local out-of-date versions so updates can never be installed,” the alert reads.

To stay protected from this threat, users are advised to install the latest available security patches. Those who run vulnerable versions of the firmware are advised to perform a full factory reset before updating the firmware, to ensure that the threat is removed, the alert reads.

CISA and NCSC recommend that organizations take all the necessary measures described by QNAP in its November 2019 advisory.

Related: Vulnerabilities Exposed Hundreds of Thousands of QNAP NAS Devices to Attacks

Related: Storage Maker QNAP Warns of Malware Targeting Its NAS Devices

Related: Ransomware Targets QNAP Linux Systems

Written By

Ionut Arghire is an international correspondent for SecurityWeek.