UK/US Governments Warn of QNAP NAS Malware

The UK and US governments have issued another joint cybersecurity alert, this time warning organizations about a strain of malware targeting network attached storage (NAS) devices from QNAP.

As of mid-June, the QSnatch malware (aka “Derek”) had infected 62,000 devices worldwide, including 3900 in the UK and 7600 in the US, according to the notice from GCHQ’s National Cyber Security Center (NCSC) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).

This is the result of two campaigns, one running from 2014 to mid-2017 and the other starting in late 2018.

“Although the identities and objectives of the malicious cyber-actors using QSnatch are currently unknown, the malware is relatively sophisticated, and the cyber-actors demonstrate an awareness of operational security,” the alert said of the current campaign.

“The infection vector has not been identified, but QSnatch appears to be injected into the device firmware during the infection stage, with the malicious code subsequently run within the device, compromising it. The attacker then uses a domain generation algorithm (DGA) to establish a command and control (C2) channel that periodically generates multiple domain names for use in C2 communications.”

QSnatch apparently features a credential scraper, SSH backdoor, CGI password logger, webshell functionality and the ability to exfiltrate a predetermined list of files, including system configs and log files.

It is said to achieve persistence by modifying the system host’s file to redirect domain names to out-of-date versions in order to prevent updates from installing on the NAS device itself.

The NCSC/CISA urged administrators to follow the guidance issued by QNAP last November.

“Once a device has been infected, attackers have been known to make it impossible for administrators to successfully run the needed firmware updates. This makes it extremely important for organizations to ensure their devices have not been previously compromised,” the notice added.

“Organizations that are still running a vulnerable version must run a full factory reset on the device prior to completing the firmware upgrade to ensure the device is not left vulnerable.”

Of current infections, 46% of devices are located in Western Europe, while 15% are North American.

What’s Hot on Infosecurity Magazine?