Threat Alert

by IthacaLabs™

THREAT LEVEL/High 29/07/2020

New Massive Ongoing Campaign Spreading The QSnatch Data-Stealing Malware To QNAP Devices

Threat Level Description

Threat Level: High - An attack is highly likely. Additional and sustainable protective security measures are warranted, reflecting the broad nature of the threat combined with specific business and geographical vulnerabilities and judgments on acceptable risk.

Description

A new, massive and ongoing campaign spreading the “QSnatch” data-stealing malware to network-attached storage (NAS) appliances made by the Taiwanese vendor QNAP has been identified.

The data-stealing malware, named “QSnatch”, targets QNAP NAS devices and has already compromised more than 62,000 devices.

QNAP Systems, Inc. is a Taiwanese corporation that specializes in network-attached storage appliances used for file sharing, virtualization, storage management and surveillance applications.

The latest version of “QSnatch” comes with a broad range of capabilities, including a CGI password logger that presents a fake admin login page to capture passwords, a credential scraper, an SSH backdoor and web shell functionality for remote access to the device.

Once a device has been infected, the attackers can also prevent administrators from successfully running firmware updates, so the malware cannot simply be patched out.

Note that the original infection vector remains unknown. During the infection phase, malicious code is injected into the firmware of the target system; that code then runs as part of the device's normal operation, so the device must be considered fully compromised.

Furthermore, “QSnatch” uses a domain generation algorithm (DGA) to locate its command-and-control (C2) servers and retrieve further malicious code. The retrieval method is “HTTP GET https://<generated domain>/qnap_firmware.xml?=t”, where the host is a DGA-generated domain.
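As an added example (not part of the original alert, and not QNAP's or IthacaLabs' code), the following Python script shows how the retrieval pattern above can be turned into a detection over web-proxy or egress-firewall logs. The log line format, the sample lines, the host names and the allow-list of QNAP-owned domains are all constructed assumptions for this example; the only indicator taken from the alert is the request path and query “/qnap_firmware.xml?=t”. Requests that fail (e.g. a DGA domain that is not yet registered) are still reported, since a NAS that asks for this resource at all is the signal.

```python
"""Flag proxy/firewall log lines matching the QSnatch payload-retrieval request
described in the alert: HTTP GET for /qnap_firmware.xml?=t on a DGA host.

The log format and all sample lines below are constructed for this example;
they are not real log data and not taken from the alert or from QNAP."""
import re
from urllib.parse import urlsplit

# Constructed sample log: "timestamp client method url status" per line.
SAMPLE_LOG = """\
2020-07-29T10:01:12Z 10.0.5.21 GET https://update.qnap.com/qnap_firmware.xml 200
2020-07-29T10:02:44Z 10.0.5.21 GET https://k3bq7x2p9ajmfd.com/qnap_firmware.xml?=t 200
2020-07-29T10:03:01Z 10.0.5.40 GET https://www.example.org/index.html 200
2020-07-29T10:05:17Z 10.0.5.21 GET https://zq8yw1nhk5rt.net/qnap_firmware.xml?=t 404
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Indicator quoted in the alert: the exact path and query of the C2 request.
PAYLOAD_PATH = "/qnap_firmware.xml"
PAYLOAD_QUERY = "=t"

# Assumption (not from the alert): requests for this path to QNAP-owned domains
# are treated as legitimate firmware checks. Adjust to your own allow-list.
KNOWN_GOOD_HOST_SUFFIXES = (".qnap.com", ".qnap.com.tw")


def parse_line(line):
    """Parse one constructed-format log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["host"] = (parts.hostname or "").lower()
    rec["path"] = parts.path
    rec["query"] = parts.query
    return rec


def is_qsnatch_retrieval(rec):
    """True if the record is a GET for /qnap_firmware.xml?=t to a non-QNAP host.

    The HTTP status is deliberately ignored: a 404 from an unregistered DGA
    domain is still evidence that the client is running the malware."""
    if rec["method"] != "GET":
        return False
    if rec["path"] != PAYLOAD_PATH or rec["query"] != PAYLOAD_QUERY:
        return False
    return not rec["host"].endswith(KNOWN_GOOD_HOST_SUFFIXES)


def scan(log_text):
    """Return (source, host, status) for every matching line, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and is_qsnatch_retrieval(rec):
            hits.append((rec["src"], rec["host"], rec["status"]))
    return hits


def infected_sources(log_text):
    """Sorted list of client addresses that issued at least one matching request."""
    return sorted({src for src, _host, _status in scan(log_text)})


if __name__ == "__main__":
    for src, host, status in scan(SAMPLE_LOG):
        print(f"QSnatch retrieval indicator: {src} -> {host} (HTTP {status})")
    print("Likely infected NAS devices:", infected_sources(SAMPLE_LOG))
```

Run against a real proxy or firewall export, the list produced by `infected_sources` is the set of NAS devices to isolate and rebuild; the hosts in the hits are candidate C2 domains for DNS sinkholing, but should be confirmed before blocking since the allow-list above is an assumption of this example.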

CVE(s)

N/A

Affected Systems

  • Possibly all QNAP NAS devices.

Recommendation(s)

The malware can be removed from an infected device by performing a full factory reset. Note that a factory reset destroys all data stored on the device, so back up any data you need beforehand; since that backup is taken from a compromised device, treat it as untrusted and do not restore application packages or executables from it.

After cleansing the device, further steps are required:

  • Change the passwords of all accounts on the device
  • Remove unknown user accounts from the device
  • Make sure the device firmware is up to date and that all installed applications are also updated
  • Remove unknown or unused applications from the device
  • Install the QNAP MalwareRemover application via the App Center
  • Set an access control list for the device (Control Panel -> Security -> Security level)

Because an infected device may silently block firmware updates, a device on which the firmware update or the MalwareRemover installation fails should be treated as compromised and reset as described above.

Furthermore, it is recommended to follow QNAP's security advisory to prevent the infection (“https://www.qnap.com/en/security-advisory/nas-201911-01”).

You should understand the importance of security updates and the urgency with which they should be applied, no matter how large or small your organization is. It is very important to have an efficient patch management solution in place, to keep security event logging enabled, and to practice event monitoring. Protecting the valuable assets of your business and complying with the relevant industry regulations requires a comprehensive approach to the management of risk, including Penetration Testing at least annually and upon significant changes.
