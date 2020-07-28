

UK/US Governments Warn of QNAP NAS Malware

The UK and US governments have issued another joint cybersecurity alert, this time warning organizations about a strain of malware targeting network attached storage (NAS) devices from QNAP.

As of mid-June, the QSnatch malware (aka “Derek”) had infected 62,000 devices worldwide, including 3900 in the UK and 7600 in the US, according to the notice from GCHQ’s National Cyber Security Centre (NCSC) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).

This is the result of two campaigns, one running from 2014 to mid-2017 and the other starting in late 2018.

“Although the identities and objectives of the malicious cyber-actors using QSnatch are currently unknown, the malware is relatively sophisticated, and the cyber-actors demonstrate an awareness of operational security,” the alert said of the current campaign.

“The infection vector has not been identified, but QSnatch appears to be injected into the device firmware during the infection stage, with the malicious code subsequently run within the device, compromising it. The attacker then uses a domain generation algorithm (DGA) to establish a command and control (C2) channel that periodically generates multiple domain names for use in C2 communications.”

QSnatch apparently features a credential scraper, SSH backdoor, CGI password logger, webshell functionality and the ability to exfiltrate a predetermined list of files, including system configs and log files.

It is said to achieve persistence by modifying the system hosts file to redirect domain names to out-of-date versions, preventing updates from installing on the NAS device itself.
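Because that persistence trick lives in the hosts file, one cheap integrity check a defender can run is to flag any hosts-file entry that pins a non-loopback hostname to a loopback, link-local or unspecified address. The script below is an added example, not code from the advisory or from QNAP; the vendor hostnames in the sample are constructed placeholders.

```python
"""Flag hosts-file entries that redirect public hostnames to local addresses.

Added example (not from the advisory or QNAP). It parses hosts-file text and
reports every hostname, other than the standard loopback names, that is mapped
to a loopback, link-local or unspecified address: the kind of entry the
advisory describes QSnatch using to keep a NAS from reaching update servers.
"""
import ipaddress
import re

# Names that legitimately map to loopback addresses and should not be flagged.
EXPECTED_LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
                        "ip6-loopback", "broadcasthost"}


def _is_local_sink(addr: str) -> bool:
    """True for 127.0.0.0/8, ::1, 0.0.0.0, :: and link-local addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # malformed address field: not our concern here
        return False
    return ip.is_loopback or ip.is_link_local or ip.is_unspecified


def suspicious_hosts_entries(hosts_text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, address, hostname) for each mapping that ties a
    non-loopback hostname to a local sink address. Comments and blanks skip."""
    findings = []
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()     # drop trailing comments
        if not line:
            continue
        fields = re.split(r"\s+", line)
        addr, names = fields[0], fields[1:]
        if not _is_local_sink(addr):
            continue
        for name in names:
            if name.lower() not in EXPECTED_LOCAL_NAMES:
                findings.append((lineno, addr, name))
    return findings


# Constructed sample: a normal hosts file plus two injected redirections.
# The ".invalid" hostnames are placeholders, not real vendor domains.
SAMPLE_HOSTS = """\
127.0.0.1   localhost localhost.localdomain
::1         ip6-localhost ip6-loopback
# update hosts pinned to a local web root (constructed example)
127.0.0.1   update.example-vendor.invalid
0.0.0.0     download.example-vendor.invalid  # constructed
"""

if __name__ == "__main__":
    for lineno, addr, name in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr}")
```

Run it against `/etc/hosts` on the device (or a copy pulled off it) by passing the file contents to `suspicious_hosts_entries`; any hit naming an update or vendor domain deserves a closer look before attempting the firmware upgrade.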

The NCSC/CISA urged administrators to follow the guidance issued by QNAP last November.

“Once a device has been infected, attackers have been known to make it impossible for administrators to successfully run the needed firmware updates. This makes it extremely important for organizations to ensure their devices have not been previously compromised,” the notice added.

“Organizations that are still running a vulnerable version must run a full factory reset on the device prior to completing the firmware upgrade to ensure the device is not left vulnerable.”

Of current infections, 46% of devices are located in Western Europe, while 15% are North American.
