
posted by Fnord666 on Wednesday July 29 2020, @12:22PM
from the snatching-your-data dept.

UK/US Governments Warn of QNAP NAS Malware:

The UK and US governments have issued another joint cybersecurity alert, this time warning organizations about a strain of malware targeting network attached storage (NAS) devices from QNAP.

As of mid-June, the QSnatch malware (aka "Derek") had infected 62,000 devices worldwide, including 3900 in the UK and 7600 in the US, according to the notice from GCHQ's National Cyber Security Centre (NCSC) and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA).

This is the result of two campaigns, one running from 2014 to mid-2017 and the other starting in late 2018.

[...] QSnatch apparently features a credential scraper, SSH backdoor, CGI password logger, webshell functionality and the ability to exfiltrate a predetermined list of files, including system configs and log files.

It is said to achieve persistence by modifying the system hosts file to redirect domain names to out-of-date versions in order to prevent updates from installing on the NAS device itself.

The NCSC/CISA urged administrators to follow the guidance issued by QNAP last November.

[...] "Organizations that are still running a vulnerable version must run a full factory reset on the device prior to completing the firmware upgrade to ensure the device is not left vulnerable."


  • (Score: 2) by JoeMerchant (3937) on Thursday July 30 2020, @01:25PM (#1028585) (2 children)

    I found the UPnP hole because of a couple of outside connections to the camera I found while reviewing the logs, I think they originated in eastern Europe. There are bots that scan for those things all over... they got a good look at my yard outside - maybe saw the UPS man drive up, that's what we use it for.

  • (Score: 2) by ledow (5567) on Thursday July 30 2020, @02:55PM (#1028659) (1 child)

    UPnP is a stupid idea. Turn it off on your router.

    On your local network, UPnP can be used for clients to discover each other on the local subnet. No problem. Your Chromecast will find your NAS, or your XBOX will find your router.

    What's STUPID is the part of UPnP that sits on the router and - and this is not an exaggeration -:

    - Accepts any packet from the local network with a UPnP request.
    - Opens the port on the router from the outside world as specified in that packet.
    - Redirects all traffic to/from that port to the device that asked for it, on the port that it asks for.
    - Never, at any point, asks for authorisation for this.
    - Often, with most routers, silently, without warning, and without record, log or page where you can check what it's forwarding and for whom.

    So literally one packet on your local network, and I expose your Samba port to the Internet, or poke myself a direct hole to your Samba port on your machine, or the admin port on the local router, or anything I like. Literally any outside IP, any incoming port, to any internal IP, on any internal port.

    Without you knowing.

    It's ridiculous, stupid, dangerous and unnecessary. Turn it off on all your routers. No, not the *client* part on your laptop. On the router. Everything else can have UPnP stay on, that's an entirely different part of the protocol.

    And watch as all your torrents, XBoxes, online gaming, matchmaking, Skype, whatever.... don't care a jot and work perfectly well without it.
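Added example, not ledow's or anyone else's code from this thread: the complaint above is that most routers give you no page or log of what the IGD service has forwarded, but the same service can be asked for its mapping table, which is the audit a defender wants before deciding to switch it off. It assumes the router's WANIPConnection control URL is already known from its device description (CONTROL_URL is a placeholder) and uses the standard GetGenericPortMappingEntry action, walked by index until the router reports the end of the table.

```python
"""Audit the port forwards a UPnP IGD router currently holds (GetGenericPortMappingEntry).
Added example, not from the thread. Assumes the WANIPConnection control URL is already
known from the router's device description; CONTROL_URL below is a placeholder."""
from typing import Optional
import urllib.error, urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
CONTROL_URL = "http://192.168.1.1:49152/upnp/control/WANIPConn1"  # placeholder, not a real path
FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription", "NewLeaseDuration")

def build_request(index: int) -> bytes:
    """SOAP body asking for the mapping at position `index` of the router's table."""
    return (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{SERVICE}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>').encode()

def parse_entry(xml_bytes: bytes) -> Optional[dict]:
    """Fields of one mapping, or None for a SOAP Fault (UPnP error 713
    SpecifiedArrayIndexInvalid is what the router returns past the last entry)."""
    body = ET.fromstring(xml_bytes).find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) == 0 or body.find(f"{{{SOAP_NS}}}Fault") is not None:
        return None
    resp = body[0]  # u:GetGenericPortMappingEntryResponse; its children carry no namespace
    return {f: (resp.findtext(f) or "") for f in FIELDS}

def list_mappings(control_url: str = CONTROL_URL, limit: int = 256) -> list:
    """Walk the table from index 0 until the router answers with a fault."""
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{SERVICE}#GetGenericPortMappingEntry"'}
    mappings = []
    for index in range(limit):
        req = urllib.request.Request(control_url, data=build_request(index), headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=5) as r:
                entry = parse_entry(r.read())
        except urllib.error.HTTPError as e:  # faults arrive as HTTP 500 with a SOAP body
            entry = parse_entry(e.read())
        if entry is None:
            break
        mappings.append(entry)
    return mappings

if __name__ == "__main__":
    for m in list_mappings():  # each line is a hole some LAN device asked the router to open
        print(f"{m['NewProtocol']} {m['NewExternalPort']} -> {m['NewInternalClient']}:"
              f"{m['NewInternalPort']}  {m['NewPortMappingDescription']}")
```

Any entry you do not recognise (a file-sharing or admin port pointing at a NAS, for instance) is exactly the silent forward the comment describes; deleting it does nothing to stop a client re-adding it, which is why the fix is disabling the IGD service on the router.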

    • (Score: 2) by JoeMerchant (3937) on Thursday July 30 2020, @03:44PM (#1028710)

      Yeah, I was pretty shocked that such a "feature" existed on a box that amounts to 99% of my home cybersecurity plan.

      It's the sort of thing that should come with a BLACKBOX warning on page 1 of the manual, repeating at the start of the chapter it's in, again on the page, along with a flashing red message on the PDF versions, and with all that, it should still be off by default.

      I'm sure it was created for the "plug and play, just works" crowd, and 90% of the world will write great reviews for products that all they have to do is plug it into the wall and their widgets are doing whatever it is they expected them to do when they bought them, without having to read (or know) anything about how it works.
