QSnatch Data-Stealing Malware Compromised More Than 62,000 QNAP NAS Devices

Cybersecurity Agencies Warn of QSnatch Malware Threat Targeting QNAP Devices

In a joint advisory, cybersecurity agencies in the United States and the United Kingdom have warned of an ongoing malware threat known as QSnatch, which targets network-attached storage (NAS) devices made by the Taiwanese company QNAP. The malware, also referred to as Derek, has reportedly compromised around 62,000 devices worldwide, with infections concentrated in Western Europe and North America.

According to the alert from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC), every QNAP NAS device may be susceptible to the QSnatch malware unless equipped with the latest security updates. Furthermore, it has been noted that once a device is infected, attackers can hinder the efforts of administrators attempting to execute firmware updates, thereby maintaining their foothold on the compromised systems.

While the precise infection vector responsible for the compromises remains unclear, it is believed that the initial attack campaign commenced in 2014 and continued until mid-2017. Recently, there has been a resurgence of activity, resulting in the infection of approximately 7,600 devices in the U.S. and about 3,900 in the U.K. Reports indicate that over 7,000 NAS devices were targeted in Germany alone by October 2019.

The malicious actors behind the QSnatch campaigns have leveraged sophisticated techniques such as injecting malware during the initial compromise and using a domain generation algorithm (DGA) to facilitate command-and-control (C2) communication with the infected devices. This approach aids in the exfiltration of sensitive data.

The advisory notes that the two identified attack campaigns differ in their initial payloads and their capabilities. The latest iteration of QSnatch includes a CGI password logger that mimics the administrator login screen, a credential scraper, and an SSH backdoor capable of executing arbitrary code on infected machines. Such features underscore the sophistication and intent behind the malware.

In addition, the malware maintains persistence by preventing updates from being installed on affected QNAP devices. It does this by redirecting crucial domain names to outdated local versions, so that update attempts cannot complete successfully.
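One defender-side check that follows from this persistence technique is to audit a device's static host mappings for vendor update domains that have been pinned to a local or private address. The script below is an added example, not part of the advisory or of QNAP's tooling; the domain names and the sample hosts content are constructed placeholders, since this article does not name the real domains. It flags any static override of a watched domain and reports whether the target address is local.

```python
import ipaddress
import re

# Hypothetical vendor update/service hostnames to audit. These are assumed
# placeholders; substitute the real domains from the vendor advisory.
WATCHED_DOMAINS = (
    "update.example-vendor.invalid",
    "download.example-vendor.invalid",
    "license.example-vendor.invalid",
)

# Constructed sample /etc/hosts content: two legitimate lines followed by two
# entries of the kind described above (an update domain pinned to a local host).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# constructed suspicious entries below
127.0.0.1   update.example-vendor.invalid
192.168.1.5 download.example-vendor.invalid  # pinned to a LAN host
"""


def is_local_address(addr: str) -> bool:
    """True for loopback, link-local, or private (RFC 1918 / ULA) addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_link_local or ip.is_private


def find_pinned_domains(hosts_text: str, watched=WATCHED_DOMAINS) -> list:
    """Return (line_no, hostname, ip, is_local) for every watched domain that
    has a static mapping. A vendor's public update hostname should never be
    overridden in the hosts file, so any hit is worth investigating."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        fields = re.split(r"\s+", line)
        ip, names = fields[0], fields[1:]
        for name in names:
            if name.lower() in watched:
                findings.append((line_no, name.lower(), ip, is_local_address(ip)))
    return findings


if __name__ == "__main__":
    for line_no, name, ip, local in find_pinned_domains(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip} ({'local' if local else 'remote'} address)")
```

On a real device, read /etc/hosts (and any other resolver overrides the firmware uses) into `find_pinned_domains` instead of the constructed sample.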

CISA and NCSC have strongly urged organizations to verify that their devices are not already compromised. They recommend performing a full factory reset on any infected device before installing firmware upgrades, and following QNAP's security advisory closely to mitigate future risks. QNAP's recommendations include confirming the legitimacy of purchased QNAP products and blocking external connections on devices intended solely for internal storage.

The QSnatch malware incident serves as a critical reminder of the ongoing dangers posed by cyber threats to organizations worldwide. As businesses increasingly rely on digital storage solutions, it remains vital to adopt comprehensive security measures. Awareness of tactics outlined in the MITRE ATT&CK framework, including initial access, persistence, and privilege escalation, should guide organizations in fortifying their defenses against evolving cyber threats.
