Sunday, September 8, 2024
HomeComputer SecurityCISA Warns that More than 62,000 QNAP NAS Devices Affected with QSnatch...

CISA Warns that More than 62,000 QNAP NAS Devices Affected with QSnatch Malware

Published on

CISA and NCSC warn that more than 62,000 QNAP NAS devices infected with a malware strain known as QSnatch. All QNAP NAS devices are affected if the latest security fixes are not applied.

The campaign found to be active since late 2019, and they primarily target Network Attached Storage (NAS) devices manufactured by the firm QNAP.

QSnatch Malware Campaign

CISA and NCSC discovered that two campaigns of QSnatch malware activity;

  1. The first campaign began in early 2014 and continued until mid-2017
  2. The second campaign starts in late 2018 and was still active in late 2019.
- Advertisement - EHA

“This alert focuses on the second campaign as it is the most recent threat. It is important to note that infrastructure used by the malicious cyber actors in both campaigns is not currently active, but the threat remains to unpatched devices.,” CISA said.

The malware is highly sophisticated, and its infection vector has not been identified. It appears the malware directly gets inject to the device firmware during the infection stage and the malicious code runs within the device compromising it.

Following are the malware functionalities

  • CGI password logger
  • Credential scraper
  • SSH backdoor
  • Exfiltration
  • Webshell functionality for remote access

C2 communication established using a domain generation algorithm (DGA) that generates multiple domain names for use in C2 communications.

For maintaining persistence the malware prevents installing updates with the infected QNAP device by modifying the host’s file.

According to CISA analysis, “in mid-June 2020, there were approximately 62,000 infected devices worldwide; of these, approximately 7,600 were in the United States and 3,900 were in the United Kingdom.”

CISA and NCSC recommend organizations running a vulnerable version must run a full factory reset on the device before completing the firmware upgrade to ensure the device is not left vulnerable. Also, CISA provides mitigations for organizations.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Also Read

Hackers Infect More than 500,000 Routers Worldwide with a Potentially Destructive VPNFilter Malware

New eCh0raix Ransomware Attacking Linux File Storage Servers

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...

NoiseAttack is a Novel Backdoor That Uses Power Spectral Density For Evasion

NoiseAttack is a new method of secretly attacking deep learning models. It uses triggers...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Researchers Unpacked AvNeutralizer EDR Killer Used By FIN7 Group

FIN7 (aka Carbon Spider, ELBRUS, Sangria Tempest) is a Russian APT group that is...

Lazarus Hackers Attacking Job-Seekers to Deliver Javascript Malware

The Lazarus Group is one of the most notorious hacker groups linked to the...