Sunday, June 1, 2025
Follow us On Linkedin
HomeComputer SecurityCISA Warns that More than 62,000 QNAP NAS Devices Affected with QSnatch...

CISA Warns that More than 62,000 QNAP NAS Devices Affected with QSnatch Malware

Computer SecurityMalware

Published on

By Gurubaran
QSnatch Malware

Supply Chain Attack Prevention

SIEM as a Service

Follow Us on Google News

CISA and NCSC warn that more than 62,000 QNAP NAS devices infected with a malware strain known as QSnatch. All QNAP NAS devices are affected if the latest security fixes are not applied.

The campaign found to be active since late 2019, and they primarily target Network Attached Storage (NAS) devices manufactured by the firm QNAP.

QSnatch Malware Campaign

CISA and NCSC discovered that two campaigns of QSnatch malware activity;

  1. The first campaign began in early 2014 and continued until mid-2017
  2. The second campaign starts in late 2018 and was still active in late 2019.
- Advertisement - Google News

“This alert focuses on the second campaign as it is the most recent threat. It is important to note that infrastructure used by the malicious cyber actors in both campaigns is not currently active, but the threat remains to unpatched devices.,” CISA said.

The malware is highly sophisticated, and its infection vector has not been identified. It appears the malware directly gets inject to the device firmware during the infection stage and the malicious code runs within the device compromising it.

Following are the malware functionalities

  • CGI password logger
  • Credential scraper
  • SSH backdoor
  • Exfiltration
  • Webshell functionality for remote access

C2 communication established using a domain generation algorithm (DGA) that generates multiple domain names for use in C2 communications.

For maintaining persistence the malware prevents installing updates with the infected QNAP device by modifying the host’s file.

According to CISA analysis, “in mid-June 2020, there were approximately 62,000 infected devices worldwide; of these, approximately 7,600 were in the United States and 3,900 were in the United Kingdom.”

CISA and NCSC recommend organizations running a vulnerable version must run a full factory reset on the device before completing the firmware upgrade to ensure the device is not left vulnerable. Also, CISA provides mitigations for organizations.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Also Read

Hackers Infect More than 500,000 Routers Worldwide with a Potentially Destructive VPNFilter Malware

New eCh0raix Ransomware Attacking Linux File Storage Servers

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Azure

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges in Organizational Environments

A startling discovery by BeyondTrust researchers has unveiled a critical vulnerability in Microsoft Entra...
cyber security

Threat Actors Exploit Google Apps Script to Host Phishing Sites

The Cofense Phishing Defense Center has uncovered a highly strategic phishing campaign that leverages...
cyber security

Dadsec Hacker Group Uses Tycoon2FA Infrastructure to Steal Office365 Credentials

Cybersecurity researchers from Trustwave’s Threat Intelligence Team have uncovered a large-scale phishing campaign orchestrated...
AI

Beware: Weaponized AI Tool Installers Infect Devices with Ransomware

Cisco Talos has uncovered a series of malicious threats masquerading as legitimate AI tool...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

Register Now

More like this

AI

Hackers Use AI-Generated Videos on TikTok to Spread Info-Stealing Malware

TrendMicro has uncovered a sophisticated campaign where threat actors are exploiting TikTok to distribute...
cyber security

Novel Malware Evades Detection by Skipping PE Header in Windows

Researchers have identified a sophisticated new strain of malware that bypasses traditional detection mechanisms...
cyber security

New Rust-Based InfoStealer Uses Fake CAPTCHA to Deliver EDDIESTEALER

A newly discovered Rust-based infostealer, dubbed EDDIESTEALER, has been uncovered by Elastic Security Labs,...

GBHackers on Security is a top cybersecurity news platform, delivering up-to-date coverage on breaches, emerging threats, malware, vulnerabilities, and global cyber incidents.

Company

Trending

Categories

Copyright @ 2016 - 2025 GBHackers On Security - All Rights Reserved