
Thousands of QNAP NAS devices infected with legacy malware

Infection rates are high, with roughly 4,000 devices in the UK infected with QSnatch as of June 2020

Tens of thousands of network attached storage (NAS) devices manufactured by QNAP are potentially vulnerable to malware that prevents administrators from applying essential security patches.

While the QSnatch malware, also known as ‘Derek’, is no longer active, up to 62,000 QNAP devices are exposed to potential infection from two campaigns that hackers ran from 2014 onwards, the most recent of which ended in 2019.

Administrators are therefore being urged to patch their NAS devices immediately to avoid falling foul of legacy infections, according to a joint advisory from the National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA).

Prevalence is particularly high in the US and in Europe, with approximately 62,000 infected devices worldwide as of mid-June 2020. Of these, approximately 7,600 were located in the US and approximately 3,900 in the UK alone.

“Once a device has been infected, attackers have been known to make it impossible for administrators to successfully run the needed firmware updates,” the joint advisory said. “This makes it extremely important for organisations to ensure their devices have not been previously compromised.

“Organisations that are still running a vulnerable version must run a full factory reset on the device prior to completing the firmware upgrade to ensure the device is not left vulnerable. The usual checks to ensure that the latest updates are installed still apply. To prevent reinfection, this recommendation also applies to devices previously infected with QSnatch but from which the malware has been removed.”

The hackers behind the QSnatch malware ran an initial campaign from early 2014 until mid-2017. The second campaign started in late 2018 and was active until late 2019. The two campaigns differed in their initial payload as well as in their capabilities. The majority of current infections, and the subject of the advisory, are the result of the second wave.

QSnatch has multiple capabilities, including a password logger that captures successful authentications through a fake login page, a credential scraper, and a secure shell (SSH) backdoor that allows arbitrary code execution. This is in addition to webshell functionality for remote access.


QSnatch also runs an exfiltration process that steals a predetermined list of files, including system configuration and log files. These are encrypted with the cyber criminals’ public key and sent to their infrastructure over HTTPS.

All QNAP NAS devices are potentially vulnerable if they have not yet been updated with the latest security fixes. To prevent further infections, the NCSC and CISA advise organisations to follow the measures recommended in QNAP’s November 2019 advisory.

Administrators are also advised to verify that their QNAP devices were purchased from reputable sources, and to block external connections when a device is intended to be used strictly for internal storage.

Since the QSnatch outbreak, QNAP has rolled out operating system patches, released a security advisory, published a press release, and contacted potentially affected users to urge an immediate update to their devices, a spokesperson told IT Pro.

“Currently from our observations, the situation has been gradually settling down with no obvious sign of new malware variation/another outbreak,” they added. “We will continue to advocate the importance of keeping OS and apps updated in order to mitigate from known vulnerabilities.”
