QNAP NAS Infected with Malware

QNAP NAS Devices infected with Malware that steals data

QNAP NAS devices are in big trouble as the devices gets infected with a malware that steals the data. Cyber security agencies of US and UK issued a joint advisory about massive threat of a malware infecting the Taiwanese QNAP Network Attached Storage (NAS) devices.

This new malware is called QSnatch and is said to have infected over 62,000 QNAP NAS devices. However the first reports emerged last year in October 2019 and the infection of the malware has spread since then especially North America and Western Europe.

The statement regarding QNAP NAS devices

The US’s Cyber security and infrastructure security agency also known as CISA and UK’s National cyber security center also known as NCSC, has issued a statement on 27th July 2020 that all QNAP NAS appliances are potentially vulnerable to the new QSnatch malware if they’re not updated with all the latest security patches and fixes that are available. Also once the device is successfully infected with the malware it can stop or possibly block the administrator from running the updates of firmware.

The mode of compromise is still not clear however both CISA and NCSC have claimed that the first transmission of the QSnatch malware likely begin the year 2014 and then it continued till the mid of 2017. It only intensified in the last few months and have infected approximately 7,600 devices alone in US and 3,900 devices in the UK alone.

Previously, last year in the month of October i.e in October 2019, Over 7,000 QNAP NAS devices were targeted in the Germany alone, as it was revealed in the statement made by German computer emergency response team also known as CERT-Bund.

According to both the agencies the infrastructure that was used previously to infect the devices is not currently active, however, this new second wave involve an injection of Malware during the infection phase and then it uses a DGA also known as domain generation algorithm to setup a command and control for communicating remotely with the devices that are infected so the attacker on the other side can extract the sensitive data easily.

The Qsnatch Malware analysis

The following analysis if the new Qsnatch malware is done by the agencies from US and UK which shows what kind of capabilities this malware has

  • The CGI Password Logger

This kind of has a similar functionality when compared with the “Overlays feature” from the BlackRock Malware, the only difference is that CGI password logger is made for stealing passwords, it displays fake login screen and authenticates and sends the data to attacker and redirects the user to the original login page.

  • Credentials scrapper 
  • SSH Backdoor

This SSH backdoor allows the malware to run or execute the “Arbitrary code” on the infected QNAP NAS device.

  • Exfiltration

This is the feature/tool when executed, it allows the QSnatch malware to steal the system configuration files as well as the log files these are encrypted with the public key and is sent to attacker’s side over HTTPS connection.

  • Web Shell for Remote access/Remote communication

Along with all these features the Malware gains persistence or permanent access by blocking the administrator to the firmware updates i.e in other words it doesn’t let you install updates on the infected QNAP NAS devices, which can fix the vulnerability. This is done by redirecting the “Core domain names” which are used by the NAS device to install the updates to local and out-of-date domains so the updates can never be installed.

The Preventive Measure for infected ONAP NAS devices

The CISA and NCSC agencies have urged all the organizations using the NAS devices from QNAP to make sure that if the devices that owned is infected or not. if they’re infected then they are asked to run complete “Factory reset” on the device and run updates as soon as possible to fix the vulnerability.

The official website of QNAP has released all the preventive measures and counter measures that we urge fellow organizations to follow – Security Advisory for Malware QSnatch.