
posted by Fnord666 on Monday November 11 2019, @09:16AM
from the closing-the-barn-door dept.

Submitted via IRC for soylent_aqua

QNAP Warns Users to Secure Devices Against QSnatch Malware

Network-attached storage (NAS) maker QNAP urges customers to secure their NAS devices against an ongoing malicious campaign that infects them with QSnatch malware capable of stealing user credentials.

QNAP advises users to install the latest version of the Malware Remover app for the QTS operating system running on the company's NAS devices as soon as possible.

Malware Remover versions 3.5.4.0 and 4.5.4.0 are now capable of removing QSnatch, after the company updated the app with new detection rules on November 1.

"Users are urged to install the latest version of the Malware Remover app from QTS App Center or by manual downloading from the QNAP website," says QNAP.

"Users are advised to take actions listed in the security advisory or, alternatively, contact QNAP for technical assistance. Instructions for creating a support request can be found here."

Researchers at the National Cyber Security Centre of Finland (NCSC-FI) found in late October that thousands of QNAP NAS devices infected with QSnatch had their firmware injected with malicious code.

The malware harvests and exfiltrates user credentials found on compromised NAS devices, and it is also capable of loading malicious code retrieved from its command and control (C2) servers.

Germany's Computer Emergency Response Team (CERT-Bund) said at the time that, based on sinkhole data, around 7,000 NAS devices in Germany were impacted by QSnatch infections.

NCSC-FI found that QSnatch gets injected into the firmware of QNAP NAS devices during the infection stage, with the malicious code being "run as part of normal operations within the device."

After infecting the firmware, the device is compromised and the malware uses "domain generation algorithms to retrieve more malicious code from C2 servers."

The payloads it downloads from the C2 server are launched on infected QNAP NAS devices with system rights, and they perform the following actions:

• Operating system timed jobs and scripts are modified (cronjob, init scripts)
• Firmware updates are prevented via overwriting update sources completely
• QNAP MalwareRemover App is prevented from being run
• All usernames and passwords related to the device are retrieved and sent to the C2 server
• The malware has modular capacity to load new features from the C2 servers for further activities
• Call-home activity to the C2 servers is set to run with set intervals
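The last two behaviours in that list, DGA-generated C2 domains and call-home at fixed intervals, are visible from the network side even when the NAS itself can no longer be trusted to run Malware Remover. The following detector is an added example written for this article, not code from QNAP, NCSC-FI or the original report; it assumes a simple constructed resolver log format of `timestamp source_ip domain`, and its entropy and interval thresholds are heuristics to tune against your own baseline traffic.

```python
import math
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample resolver log lines (not taken from the article): the NAS at
# 192.0.2.10 resolves a new random-looking domain every 10 minutes, while
# 192.0.2.20 shows ordinary, irregular lookups of readable names.
SAMPLE_DNS_LOG = """\
2019-11-01T10:00:00 192.0.2.10 kq3xv8tz2r.com
2019-11-01T10:02:13 192.0.2.20 www.example.org
2019-11-01T10:10:00 192.0.2.10 p7mwd4hn9a.net
2019-11-01T10:20:00 192.0.2.10 z2bq9rk1vx.org
2019-11-01T10:30:00 192.0.2.10 w8nt3jc6fy.com
2019-11-01T10:45:51 192.0.2.20 mail.example.org
2019-11-01T11:12:07 192.0.2.20 files.example.net
"""

def shannon_entropy(s):
    """Bits of entropy per character of s."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def looks_generated(domain):
    """Heuristic DGA check on the registrable label: high character entropy
    combined with digits or very few vowels. Thresholds are assumptions."""
    parts = domain.rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    vowels = sum(ch in "aeiou" for ch in label)
    digits = sum(ch.isdigit() for ch in label)
    return shannon_entropy(label) >= 3.0 and (digits > 0 or vowels / len(label) < 0.25)

def find_beaconing_hosts(log_text, min_queries=4, max_cv=0.1):
    """Return {source_ip: {"interval": seconds, "domains": [...]}} for hosts whose
    DGA-looking lookups recur at a near-constant interval (low coefficient of variation)."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, domain = line.split()
        if looks_generated(domain):
            per_host[src].append((datetime.fromisoformat(ts), domain))
    hits = {}
    for src, events in per_host.items():
        if len(events) < min_queries:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            hits[src] = {"interval": mean, "domains": [d for _, d in events]}
    return hits

if __name__ == "__main__":
    for src, info in find_beaconing_hosts(SAMPLE_DNS_LOG).items():
        print(f"{src}: every {info['interval']:.0f}s -> {info['domains']}")
```

On the sample data only 192.0.2.10 is reported, with a 600-second interval; a hit like this is a reason to pull the device off the network and follow QNAP's advisory, not proof of infection on its own.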


  • (Score: 4, Interesting) by bradley13 on Monday November 11 2019, @08:27PM (1 child)

    by bradley13 (3053) on Monday November 11 2019, @08:27PM (#919059)

    Our Qnap is also quite old, and I am pleasantly surprised that regular updates are available, sometimes including significant new features.

    They do deserve a lot of credit for not abandoning older equipment, as so many other manufacturers seem to do. A company with a long-term perspective? Works for me: my next NAS will also be a Qnap.

    --
    Everyone is somebody else's weirdo.
  • (Score: 3, Interesting) by PartTimeZombie on Monday November 11 2019, @09:02PM

    by PartTimeZombie (4827) on Monday November 11 2019, @09:02PM (#919075)

    I agree. It is a pleasant surprise.

    Considering how old my device is, and how much it cost (free!), it has been pretty good value for money.

    When one of the junior Zombies moves out of home with his girlfriend I might give it to him so that we can do offsite backups to each other's storage over a VPN.