Thousands of QNAP NAS devices infected with legacy malware

Close-up image of network-attached storage (NAS) device
(Image credit: Shutterstock)

Tens of thousands of network attached storage (NAS) devices manufactured by QNAP are potentially vulnerable to malware that prevents administrators from applying essential security patches.

While the QSnatch malware, also known as ‘Derek’, is no longer active, up to 62,000 QNAP devices are exposed to potential infection from two campaigns hackers ran since 2014, with the most recent ending in 2019.

Administrators are therefore being urged to patch their NAS devices immediately to avoid falling foul to legacy infections, according to an advisory by the National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA).

Prevalence is particularly high in the US and in Europe, with approximately 62,000 infected worldwide as of mid-June 2020. Approximately 7,600 were located in the US and approximately 3,900 in the UK alone.

“Once a device has been infected, attackers have been known to make it impossible for administrators to successfully run the needed firmware updates,” the joint advisory said. “This makes it extremely important for organisations to ensure their devices have not been previously compromised.

“Organisations that are still running a vulnerable version must run a full factory reset on the device prior to completing the firmware upgrade to ensure the device is not left vulnerable. The usual checks to ensure that the latest updates are installed still apply. To prevent reinfection, this recommendation also applies to devices previously infected with QSnatch but from which the malware has been removed.”

Hackers behind the QSnatch malware ran an initial campaign in early 2014, which continued until mid-2017. The second started in late 2018 and was active until late 2019. The two campaigns were differentiated by the initial payload as well as the differences in capabilities. The majority of current infections, and the subject of the advisory, are as a result of the second wave of infections.

QSnatch contains multiple functionalities, including a password logger that logs successful authentications through a fake login page, as well as a credential scraper and secure shell (SSH) backdoor that allows for arbitrary code execution. This is in addition to webshell functionality for remote access.


How malware and bots steal your data

Protect your organisation with a layered defence


QSnatch also runs an exfiltration process that steals a predetermined list of files, including system configuration and log files. These are then encrypted with the cyber criminals’ public key and sent to their infrastructure by HTTPS.

All QNAP NAS devices are potentially vulnerable if they haven’t yet been updated with the latest security fixes. To prevent further infections, the NCSC and CISA advise that organisations take recommended measures in QNAP’s November 2019 advisory.

Administrators can also verify they have purchased QNAP devices from reputable sources, as well as block external connections when the device is intended to be used strictly for internal storage.

Since the QSnatch outbreak, QNAP has rolled out operating system patches, released a security advisory, published a press release, and contacted potentially affected users to urge an immediate update to their devices, a spokesperson told IT Pro.

“Currently from our observations, the situation has been gradually settling down with no obvious sign of new malware variation/another outbreak,” they added. “We will continue to advocate the importance of keeping OS and apps updated in order to mitigate from known vulnerabilities.”

Keumars Afifi-Sabet
Features Editor

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.