Security News > 2020 > July > Data-stealing, password-harvesting, backdoor-opening QNAP NAS malware cruises along at 62,000 infections

Data-stealing, password-harvesting, backdoor-opening QNAP NAS malware cruises along at 62,000 infections
2020-07-27 21:07

QNAP network-attached storage boxes are right now infected with the data-stealing QSnatch malware, the US and UK governments warned today.

A joint statement from America's Cybersecurity and Infrastructure Security Agency and Britain's National Cyber Security Centre said the software nasty, first spotted in October, has hijacked tens of thousands as of mid-June, 2020, with "a particularly high number of infections in North America and Europe." It is estimated 7,600 hijacked QNAP boxes were in America, and 3,900 in the UK. The situation is particularly messy because Taiwan-based QNAP has not, to the best of our knowledge, disclosed exactly how the malware breaks into vulnerable boxes, advising simply that owners should ensure the latest firmware is installed to prevent future infection.

"The usual checks to ensure that the latest updates are installed still apply. To prevent reinfection, this recommendation also applies to devices previously infected with QSnatch but from which the malware has been removed. To prevent QSnatch malware infections, CISA and NCSC strongly recommend that organizations take the recommended measures in QNAP's November 2019 advisory."

What makes QSnatch particularly nasty said CISA AND NCSC, is its ability to persist on all unpatched QNAP NAS models by knackering the firmware update mechanism by altering DNS settings: "The malware appears to gain persistence by preventing updates from installing on the infected QNAP device. The attacker modifies the system host's file, redirecting core domain names used by the NAS to local out-of-date versions so updates can never be installed."

A spokesperson for QNAP told The Register: "From our observations, the situation has been gradually settling down with no obvious sign of new malware variation or another outbreak." .


News URL

https://go.theregister.com/feed/www.theregister.com/2020/07/27/qnap_qsnatch_advisory/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Qnap 80 4 97 122 76 299