Last week, Finland's National Cybersecurity Center (NCSC-FI) warned of a new malware attack on QNAP NAS devices. Now it has become known that the QSnatch malware has infected thousands of QNAP NAS devices. The warning about the new threat had already been published by German CERT experts, who added that QSnatch had infected more than 7000 devices in Germany alone.
How exactly QSnatch is distributed is still unclear; however, researchers have already figured out how it works.
“The original infection method remains unknown, but during that phase malicious code is injected into the firmware of the target system, and the code is then run as part of normal operations within the device,” NCSC-FI specialists reported.
Having gained access to the device, the malware modifies the firmware to guarantee itself a persistent presence on the device. QSnatch is also capable of:
- making changes to scheduled tasks and scripts (cronjob, init);
- preventing firmware updates by rewriting the URLs of the update source;
- prohibiting the launch of the QNAP MalwareRemover security application;
- retrieving and stealing usernames and passwords of all NAS users.
Unfortunately, none of this allows us to determine what the ultimate goal of QSnatch is. It is still unclear whether the malware was developed for DDoS attacks or hidden cryptocurrency mining, or whether it is just a backdoor into QNAP devices designed to steal confidential files or to host other malware in the future.
So far, QSnatch's operators are only building their botnet and could deploy additional modules in the future. Experts confirm that QSnatch is able to connect to a remote management server and download and run additional components from it.
Currently, the only known method to remove QSnatch is to completely reset the device to factory settings.
Some users also report that updating the firmware to the version released in February 2019 fixes the problem, but neither NCSC-FI nor QNAP engineers confirm that it removes QSnatch or prevents re-infection.
After cleaning the device, further steps are required (recommendations from NCSC-FI):
- Change all passwords for all accounts on the device
- Remove unknown user accounts from the device
- Make sure the device firmware is up-to-date and all of the applications are also updated
- Remove unknown or unused applications from the device
- Install QNAP MalwareRemover application via the App Center functionality
- Set an access control list for the device (Control panel -> Security -> Security level)
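The capabilities listed earlier (tampered scheduled tasks, a rewritten update source) and the post-cleanup checks above (unknown accounts) can be triaged by comparing a device's current state against baselines recorded from a known-clean unit. This is an added example, not NCSC-FI's or QNAP's tooling: the `update_url` key, the file layouts, the baseline sets and every sample file are constructed assumptions an administrator would replace with real values.

```python
"""Triage checks for the QSnatch behaviours described above (added example).
File formats, key names and sample contents are constructed; baselines are
assumptions to be replaced with values recorded from a known-clean device."""
import re
from urllib.parse import urlparse

# Assumed baseline: cron lines recorded from a clean device.
CRON_BASELINE = {"0 3 * * * /bin/backup.sh"}
# Assumed: hostnames the firmware update source may legitimately point at
# (placeholder, not QNAP's real update host).
ALLOWED_UPDATE_HOSTS = {"update.vendor.invalid"}
# Assumed: accounts the administrator knows should exist on the device.
KNOWN_ACCOUNTS = {"admin", "backupuser"}


def unexpected_cron_entries(crontab_text, baseline=CRON_BASELINE):
    """Cron lines not present in the baseline (scheduled-task tampering)."""
    lines = (l.strip() for l in crontab_text.splitlines())
    return [l for l in lines if l and not l.startswith("#") and l not in baseline]


def rewritten_update_urls(config_text, allowed=ALLOWED_UPDATE_HOSTS):
    """update_url values whose host is outside the allowed set (update blocking)."""
    urls = re.findall(r"^\s*update_url\s*=\s*(\S+)", config_text, re.M)
    return [u for u in urls if urlparse(u).hostname not in allowed]


def unknown_accounts(passwd_text, known=KNOWN_ACCOUNTS):
    """Names in a passwd-style listing that the administrator did not create."""
    names = [line.split(":", 1)[0] for line in passwd_text.splitlines() if ":" in line]
    return [n for n in names if n not in known]


# Constructed samples: a crontab with an added job, a config whose update
# source was redirected, and a passwd listing with an account nobody created.
SAMPLE_CRONTAB = "# m h dom mon dow command\n0 3 * * * /bin/backup.sh\n*/15 * * * * /tmp/.hidden/run.sh\n"
SAMPLE_CONFIG = "[updates]\nupdate_url = http://attacker-controlled.invalid/firmware\n"
SAMPLE_PASSWD = "admin:x:0:0::/root:/bin/sh\nbackupuser:x:1001:1001::/home/backupuser:/bin/sh\nsvcmon:x:1002:1002::/tmp:/bin/sh\n"


def triage(crontab=SAMPLE_CRONTAB, config=SAMPLE_CONFIG, passwd=SAMPLE_PASSWD):
    """Run all three checks and return findings keyed by check name."""
    return {
        "cron": unexpected_cron_entries(crontab),
        "update_url": rewritten_update_urls(config),
        "accounts": unknown_accounts(passwd),
    }


if __name__ == "__main__":
    for check, hits in triage().items():
        print(f"{check}: {hits or 'clean'}")
```

Any non-empty finding means the device should be treated as still compromised and reset to factory settings rather than trusted.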
NCSC-FI recommends that NAS devices categorically not be exposed to the internet without a firewall, to prevent external attacks. Additionally, keeping the firmware constantly updated provides protection against vulnerabilities found within the systems.