A massive malware campaign dubbed QSnatch is targeting network-attached storage (NAS) appliances from the Taiwanese vendor QNAP and is stealing data from over 62,000 compromised devices, most of them in Western Europe and North America.
According to the US Cybersecurity & Infrastructure Security Agency (CISA) and the UK's National Cyber Security Centre (NCSC), all QNAP NAS appliances are potentially vulnerable to the QSnatch malware if they have not been updated with the latest security fixes.
The malware hit over 7,000 NAS devices in Germany alone, as reported by the German Computer Emergency Response Team (CERT-Bund).
What is the QSnatch malware's mode of operation?
A QSnatch attack involves injecting the malware onto the device and then using a domain generation algorithm (DGA) to establish a command-and-control (C&C) channel, through which the attackers communicate remotely with infected devices and exfiltrate sensitive data.
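Because the C&C channel is reached through DGA-generated names, the defender-side signal is a device resolving many long, random-looking hostnames. The following Python script is an added example, not code from the article or from any vendor advisory: it scores the registrable label of each queried name by length, Shannon entropy and vowel ratio, then groups hits per client so that a burst from one NAS stands out. The log format, the thresholds and every domain in the sample are constructed for illustration; none of them is a QSnatch indicator.

```python
import math
from collections import Counter

# Constructed sample DNS query log, one "<timestamp> <client-ip> <queried-name>" per line.
# The names are made up for this illustration; none are real QSnatch indicators.
SAMPLE_DNS_LOG = """\
2020-07-28T10:00:01Z 192.0.2.10 update.vendor.example
2020-07-28T10:00:02Z 192.0.2.10 www.vendor.example
2020-07-28T10:00:03Z 192.0.2.10 xk7qpz3wvbn2t.example
2020-07-28T10:00:04Z 192.0.2.11 mail.example.org
2020-07-28T10:00:05Z 192.0.2.10 q9r3tz8hvwqpxlm.example
"""

VOWELS = set("aeiou")


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score higher than words."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def vowel_ratio(s):
    """Fraction of alphabetic characters that are vowels; English words sit around 0.3-0.5."""
    letters = [ch for ch in s if ch.isalpha()]
    if not letters:
        return 0.0
    return sum(ch in VOWELS for ch in letters) / len(letters)


def registrable_label(qname):
    """The label left of the top-level domain, where a DGA usually puts its random output."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def looks_generated(qname, min_len=10, min_entropy=3.3, max_vowel_ratio=0.25):
    """Heuristic: a long, high-entropy, vowel-poor label. The thresholds are illustrative
    assumptions and should be tuned against the organisation's own baseline of benign names."""
    label = registrable_label(qname)
    return (len(label) >= min_len
            and shannon_entropy(label) >= min_entropy
            and vowel_ratio(label) <= max_vowel_ratio)


def flag_suspicious_queries(log_text):
    """Return (client, qname) pairs from the log whose queried name looks machine-generated."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        _timestamp, client, qname = parts
        if looks_generated(qname):
            hits.append((client, qname))
    return hits


def clients_with_bursts(hits, threshold=2):
    """Group hits per client. One odd name may be a CDN or tracking host; a client that
    resolves several generated-looking names in a short window is the signal to escalate."""
    counts = Counter(client for client, _ in hits)
    return {client: n for client, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = flag_suspicious_queries(SAMPLE_DNS_LOG)
    for client, qname in hits:
        print(f"suspicious: {client} -> {qname}")
    print("clients to escalate:", clients_with_bursts(hits))
```

The per-client grouping matters more than any single score: legitimate infrastructure also uses opaque hostnames, so the useful alert is one NAS resolving a cluster of them, which is then a candidate for the compromise checks and factory reset described below.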
CISA and the NCSC say the campaign likely started in 2014 and peaked in mid-2017, and it has intensified over the last few months, with approximately 3,900 devices in the UK and 7,600 devices in the US already compromised. However, the infrastructure used by the attackers in both campaigns is no longer active.
The malware gains persistence by preventing updates from reaching the infected QNAP device, which it accomplishes by "redirecting core domains used by the NAS to local out-of-date versions, and thus prevent[ing] updates from getting installed."
How to mitigate against QSnatch malware
QSnatch comes with a broad range of capabilities, including a CGI password logger, a credential scraper, an SSH backdoor capable of executing arbitrary code, and web shell functionality that gives the attackers remote access to the device.
Therefore, organizations are advised to ensure that the devices they use have not been previously compromised and, if they detect any sign of compromise, to run a factory reset on the device before performing the firmware upgrade.
Additionally, organizations should verify that QNAP devices are purchased from reputable vendors and that external connections are blocked when the device is intended for internal storage. They should also follow QNAP's security advisory to prevent further infection.