
posted by Fnord666 on Monday November 11 2019, @09:16AM
from the closing-the-barn-door dept.

Submitted via IRC for soylent_aqua

QNAP Warns Users to Secure Devices Against QSnatch Malware

Network-attached storage (NAS) maker QNAP urges customers to secure their NAS devices against an ongoing malicious campaign that infects them with QSnatch malware capable of stealing user credentials.

QNAP advises users to install the latest version of the Malware Remover app for the QTS operating system running on the company's NAS devices as soon as possible.

Malware Remover versions 3.5.4.0 and 4.5.4.0 are now capable of removing QSnatch after the company added new rules in an update on November 1.

"Users are urged to install the latest version of the Malware Remover app from QTS App Center or by manual downloading from the QNAP website," says QNAP.

"Users are advised to take actions listed in the security advisory or, alternatively, contact QNAP for technical assistance. Instructions for creating a support request can be found here."

Researchers at the National Cyber Security Centre of Finland (NCSC-FI) found in late October that thousands of QNAP NAS devices infected with QSnatch had their firmware injected with malicious code.

The malware harvests and exfiltrates user credentials found on compromised NAS devices, and it is also capable of loading malicious code retrieved from its command and control (C2) servers.

Germany's Computer Emergency Response Team (CERT-Bund) said at the time that, based on sinkhole data, around 7,000 NAS devices in Germany were impacted by QSnatch infections.

NCSC-FI found that QSnatch gets injected into the firmware of QNAP NAS devices during the infection stage, with the malicious code being "run as part of normal operations within the device."

After infecting the firmware, the device is compromised and the malware uses "domain generation algorithms to retrieve more malicious code from C2 servers."

The payloads it downloads from the C2 server are launched on infected QNAP NAS devices with system rights and perform the following actions:

• Operating system timed jobs and scripts are modified (cronjob, init scripts)
• Firmware updates are prevented via overwriting update sources completely
• QNAP MalwareRemover App is prevented from being run
• All usernames and passwords related to the device are retrieved and sent to the C2 server
• The malware has modular capacity to load new features from the C2 servers for further activities
• Call-home activity to the C2 servers is set to run with set intervals
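Two of the behaviours in the list above, C2 domains produced by a domain generation algorithm and call-home traffic at fixed intervals, leave a visible trace in the DNS resolver logs of the network segment the NAS sits on. The following Python script is an added example of hunting for that trace; it is not QNAP's, NCSC-FI's or the article's code. The log format, the entropy/vowel heuristic for generated-looking labels, the jitter and lookup thresholds are all assumptions, and the log lines are constructed.

```python
"""Added example (not QNAP's or NCSC-FI's code): flag clients whose DNS
lookups look like DGA output *and* recur at a fixed interval, the two
traits the advisory summary attributes to QSnatch's C2 call-home.
Log format, heuristics and thresholds are assumptions; log is constructed."""
import math
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample resolver log: "<ISO timestamp> <client> <queried name>".
# 192.0.2.10 plays the infected host: random-looking labels every 300 s.
SAMPLE_DNS_LOG = """\
2019-11-01T00:00:00 192.0.2.10 update.example.net
2019-11-01T00:00:02 192.0.2.10 xk3q9zt7bpv2.example
2019-11-01T00:05:02 192.0.2.10 q8wz1kfm4yxj.example
2019-11-01T00:10:02 192.0.2.10 m2v7xqp9kzw4.example
2019-11-01T00:15:02 192.0.2.10 t6bnx3wq8zyk.example
2019-11-01T00:03:11 192.0.2.20 www.example.org
2019-11-01T00:40:45 192.0.2.20 mail.example.org
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of the string."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(name: str) -> bool:
    """Heuristic (assumption, not a published DGA signature): a long,
    high-entropy, vowel-poor registrable label suggests machine generation."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]  # label left of the TLD; no public-suffix list handling
    if len(label) < 10:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return shannon_entropy(label) >= 3.0 and vowels / len(label) < 0.3


def parse_log(text: str):
    """Yield (timestamp, client, name) tuples; skips lines that do not match."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, name = m.groups()
        records.append((datetime.fromisoformat(ts), client, name))
    return records


def periodic_interval(times, jitter=5):
    """Return the repeating gap in seconds when the timestamps recur at a
    fixed cadence (all gaps within `jitter` seconds of each other), else None."""
    if len(times) < 3:
        return None
    ts = sorted(times)
    deltas = [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
    if max(deltas) - min(deltas) > jitter:
        return None
    return round(sum(deltas) / len(deltas))


def find_suspects(log_text: str, min_lookups=3):
    """Map client -> {interval_seconds, domains} for clients that resolve
    generated-looking names on a regular beat; one odd name alone is ignored."""
    by_client = defaultdict(list)
    for ts, client, name in parse_log(log_text):
        if looks_generated(name):
            by_client[client].append((ts, name))
    suspects = {}
    for client, hits in by_client.items():
        if len(hits) < min_lookups:
            continue
        interval = periodic_interval([ts for ts, _ in hits])
        if interval is not None:
            suspects[client] = {
                "interval_seconds": interval,
                "domains": sorted({n for _, n in hits}),
            }
    return suspects


if __name__ == "__main__":
    for client, info in find_suspects(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(info['domains'])} DGA-like lookups every ~{info['interval_seconds']}s")
```

Run as-is to see the constructed infected host flagged; in practice feed `find_suspects` the resolver's query log for the NAS segment and tune `jitter` and `min_lookups`. A single high-entropy label is routine for CDN hostnames, which is why the script only reports clients that combine generated-looking names with a regular cadence.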

  • (Score: 4, Informative) by bradley13 on Monday November 11 2019, @10:36AM (4 children)

    by bradley13 (3053) on Monday November 11 2019, @10:36AM (#918887)

    I only skimmed the security advisory, but I gather that this malware is usually installed via a brute-force attack on the admin account. Which means that the admin account is exposed to the Internet.

    Um... I know there are all sorts of use-cases out there, but, really? Why would you expose the web interface of your NAS to the internet? Seems like a NAS ought to be behind a firewall, and only visible to authorized users. Even if some of the plug-ins you can install on a QNAP are providing Internet-visible services, the admin interface has no business being visible.

    Are there Darwin Awards for sys-admins?

    --
    Everyone is somebody else's weirdo.
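The brute-force entry point the comment above describes is easy to spot when the NAS's login log is actually watched. The following Python script is an added example of that check, not QNAP's code: the log line format, the window and threshold are assumptions, and the log lines are constructed.

```python
"""Added example (not QNAP's code): count failed logins per source address
inside a sliding window, flag sources that exceed a threshold, and mark the
ones where a successful login follows the burst. Format/thresholds assumed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login log: "<ISO timestamp> login <failed|ok> user=<u> src=<ip>".
# 198.51.100.7 fails twelve times in twelve seconds and then gets in.
_burst = "\n".join(
    f"2019-11-11T10:00:{s:02d} login failed user=admin src=198.51.100.7"
    for s in range(1, 13)
)
SAMPLE_AUTH_LOG = _burst + """
2019-11-11T10:00:20 login ok user=admin src=198.51.100.7
2019-11-11T09:58:30 login ok user=admin src=192.0.2.5
2019-11-11T10:30:00 login failed user=admin src=192.0.2.5
"""

LINE_RE = re.compile(r"^(\S+) login (failed|ok) user=(\S+) src=(\S+)$")


def parse_auth_log(text: str):
    """Return (timestamp, result, user, src) tuples; unmatched lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, result, user, src = m.groups()
            out.append((datetime.fromisoformat(ts), result, user, src))
    return out


def brute_force_sources(log_text: str, threshold=10, window=timedelta(minutes=5)):
    """Map src -> {failures, users, compromised} for sources with at least
    `threshold` failures inside any `window`. `failures` is the peak number of
    failures seen in one window; `compromised` is set when a successful login
    from that source arrives after it was flagged."""
    recent = defaultdict(deque)  # per-source timestamps of failures still in window
    flagged = {}
    for ts, result, user, src in sorted(parse_auth_log(log_text)):
        if result == "failed":
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                entry = flagged.setdefault(
                    src, {"failures": 0, "users": set(), "compromised": False}
                )
                entry["failures"] = max(entry["failures"], len(q))
                entry["users"].add(user)
        elif src in flagged:
            flagged[src]["compromised"] = True
    return flagged


if __name__ == "__main__":
    for src, info in brute_force_sources(SAMPLE_AUTH_LOG).items():
        state = "SUCCESS AFTER BURST" if info["compromised"] else "still failing"
        print(f"{src}: {info['failures']} failures against {sorted(info['users'])} ({state})")
```

The sliding window keeps the check cheap on long logs, and the "success after burst" flag separates a noisy scanner from a source that actually got in; the latter is the one to treat as an incident rather than a firewall rule.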
  • (Score: 5, Interesting) by bradley13 on Monday November 11 2019, @10:43AM

    by bradley13 (3053) on Monday November 11 2019, @10:43AM (#918889)

    Oh, I meant to add a rant: The "malware remover" doesn't tell you what its findings are. I went through a phase where it claimed to have found something, but it provides zero information on what it has actually found. Zip, nada, nothing. It just tells you that it found something and removed it. In my case, I am 99.99999% sure this was a false positive. But since I have no information on what it found, there's no way to be sure. If it wasn't a false positive, that same missing information would be the clue to figure out what the malware was, as well as when and how it made its way onto the NAS.

    Providing absolutely no information is just unbelievably dumb.

    --
    Everyone is somebody else's weirdo.
  • (Score: 4, Interesting) by PartTimeZombie on Monday November 11 2019, @07:19PM (2 children)

    by PartTimeZombie (4827) on Monday November 11 2019, @07:19PM (#919027)

    The Qnap device I own has two NICs and can be used as the firewall, router, IPS/IDS, DNS, etc. for the LAN.

    I choose to not use mine in that fashion however, as I don't really trust it. Mine is used as network disc space to back up to and it does that job fine, but it is not exposed to the Internet.

    To be fair, Qnap still offer updates for it, even though it must be 10 years old now.

    • (Score: 4, Interesting) by bradley13 on Monday November 11 2019, @08:27PM (1 child)

      by bradley13 (3053) on Monday November 11 2019, @08:27PM (#919059)

      Our Qnap is also quite old, and I am pleasantly surprised that regular updates are available, sometimes including significant new features.

      They do deserve a lot of credit for not abandoning older equipment, as so many other manufacturers seem to do. A company with a long-term perspective? Works for me: my next NAS will also be a Qnap.

      --
      Everyone is somebody else's weirdo.
      • (Score: 3, Interesting) by PartTimeZombie on Monday November 11 2019, @09:02PM

        by PartTimeZombie (4827) on Monday November 11 2019, @09:02PM (#919075)

        I agree. It is a pleasant surprise.

        Considering how old my device is, and how much it cost (free!) it has been pretty good value for money.

        When one of the junior Zombies moves out of home with his girlfriend I might give it to him so that we can do offsite backups to each other's storage over a VPN.