Stories
Slash Boxes
Comments

SoylentNews is people

UK/US Governments Warn of QNAP NAS Malware

posted by Fnord666 on Wednesday July 29 2020, @12:22PM   Printer-friendly
from the snatching-your-data dept.

upstart writes in with an IRC submission for RandomFactor:

UK/US Governments Warn of QNAP NAS Malware:

The UK and US governments have issued another joint cybersecurity alert, this time warning organizations about a strain of malware targeting network attached storage (NAS) devices from QNAP.

As of mid-June, the QSnatch malware (aka "Derek") had infected 62,000 devices worldwide, including 3900 in the UK and 7600 in the US, according to the notice from GCHQ's National Cyber Security Center (NCSC) and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA).

This is the result of two campaigns, one running from 2014 to mid-2017 and the other starting in late 2018.

[...] QSnatch apparently features a credential scraper, SSH backdoor, CGI password logger, webshell functionality and the ability to exfiltrate a predetermined list of files, including system configs and log files.

It is said to achieve persistence by modifying the system host's file to redirect domain names to out-of-date versions in order to prevent updates from installing on the NAS device itself.

The NCSC/CISA urged administrators to follow the guidance issued by QNAP last November.

[...] "Organizations that are still running a vulnerable version must run a full factory reset on the device prior to completing the firmware upgrade to ensure the device is not left vulnerable."

Original Submission

 
This discussion has been archived. No new comments can be posted.
UK/US Governments Warn of QNAP NAS Malware | Log In/Create an Account | Top | 32 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by PartTimeZombie on Wednesday July 29 2020, @11:09PM (2 children)

    by PartTimeZombie (4827) on Wednesday July 29 2020, @11:09PM (#1028349)

    Windows has always turned file extensions off by default, so scammers know that if their worm is named nudevolleyball.exe.jpg every man and his dog will try to open it because everyone knows .jpgs are pictures.

    That is how the Anna Kournikova virus was spread so widely.

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2  

  • (Score: 2) by RS3 on Thursday July 30 2020, @04:09AM

    by RS3 (6367) on Thursday July 30 2020, @04:09AM (#1028468)

    Nyet comrade. In Soviet Russia, Anna Kournikova virus spreads YOU!

  • (Score: 2) by Booga1 on Thursday July 30 2020, @06:03AM

    by Booga1 (6333) on Thursday July 30 2020, @06:03AM (#1028505)

    I remember a virus that tried to dodge that even for people that had file extensions set to visible. It was brilliantly long enough to make it truncated even when viewing it in File Explorer.
    It had the program icon of a Realplayer media file and a name like: HotTeens3sum.rm__________________________________________.exe

    P.S. Your example is slightly backwards. I should be "nudevolleyball.jpg.exe"