
posted by Fnord666 on Monday November 11 2019, @09:16AM
from the closing-the-barn-door dept.

Submitted via IRC for soylent_aqua

QNAP Warns Users to Secure Devices Against QSnatch Malware

Network-attached storage (NAS) maker QNAP urges customers to secure their NAS devices against an ongoing malicious campaign that infects them with QSnatch malware capable of stealing user credentials.

QNAP advises users to install the latest version of the Malware Remover app for the QTS operating system running on the company's NAS devices as soon as possible.

Malware Remover versions 3.5.4.0 and 4.5.4.0 are now capable of removing QSnatch after the company added new rules in an update on November 1.

"Users are urged to install the latest version of the Malware Remover app from QTS App Center or by manual downloading from the QNAP website," says QNAP.

"Users are advised to take actions listed in the security advisory or, alternatively, contact QNAP for technical assistance. Instructions for creating a support request can be found here."

Researchers at the National Cyber Security Centre of Finland (NCSC-FI) found in late October that thousands of QNAP NAS devices infected with QSnatch had their firmware injected with malicious code.

The malware harvests and exfiltrates user credentials found on compromised NAS devices, and it is also capable of loading malicious code retrieved from its command and control (C2) servers.

Germany's Computer Emergency Response Team (CERT-Bund) said at the time that, based on sinkhole data, around 7,000 NAS devices in Germany were impacted by QSnatch infections.

NCSC-FI found that QSnatch gets injected into the firmware of QNAP NAS devices during the infection stage, with the malicious code being "run as part of normal operations within the device."

After infecting the firmware, the device is compromised and the malware uses "domain generation algorithms to retrieve more malicious code from C2 servers."

The payloads it downloads from the C2 server are launched on infected QNAP NAS devices with system rights and perform the following actions:

• Operating system timed jobs and scripts are modified (cronjob, init scripts)
• Firmware updates are prevented via overwriting update sources completely
• QNAP MalwareRemover App is prevented from being run
• All usernames and passwords related to the device are retrieved and sent to the C2 server
• The malware has modular capacity to load new features from the C2 servers for further activities
• Call-home activity to the C2 servers is set to run with set intervals
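The first two items in that list (tampered timed jobs and overwritten update sources) are the ones an administrator can check for directly from a shell on the device. The script below is an added example, not QNAP's, NCSC-FI's or the article's code: it diffs the live crontab against a known-good copy and flags hosts entries that pin a vendor hostname to loopback or the null address. It assumes the device has a hosts-style file and a crontab file, that a baseline crontab was saved earlier, and uses "vendor.example" as a stand-in for the vendor's real update hostnames, which the example does not know. The sample files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not QNAP's, NCSC-FI's or the article's code): two defender-side
# checks for the first two persistence tricks in the list above. Assumptions: the
# device has a hosts-style file and a crontab file, a known-good copy of the
# crontab was saved earlier, and "vendor.example" stands in for the vendor's real
# update hostnames, which this example does not know.

# Report hosts entries that pin a vendor hostname to loopback or the null address,
# one way of "overwriting update sources" so the device can no longer fetch fixes.
audit_hosts() {  # $1 = hosts file, $2 = vendor domain suffix to watch for
    awk -v dom="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        $1 == "127.0.0.1" || $1 == "0.0.0.0" || $1 == "::1" {
            for (i = 2; i <= NF; i++)
                if (index($i, dom) > 0) print "UPDATE_BLOCKED " $1 " " $i
        }' "$1"
}

# Report cron lines present in the live crontab but absent from the saved
# baseline: a newly added timed job is exactly what the malware leaves behind.
# The baseline must contain no blank lines (an empty -F pattern matches everything).
audit_cron() {  # $1 = baseline crontab, $2 = live crontab
    grep -vxF -f "$1" "$2" | sed 's/^/ADDED_CRON /'
}

# Constructed sample files standing in for a compromised device's state.
write_samples() {  # $1 = directory to write into
    cat > "$1/hosts" <<'EOF'
127.0.0.1 localhost
0.0.0.0 update.vendor.example
EOF
    cat > "$1/cron.baseline" <<'EOF'
0 3 * * * /sbin/daily_maint.sh
EOF
    cat > "$1/cron.live" <<'EOF'
0 3 * * * /sbin/daily_maint.sh
*/15 * * * * /tmp/unknown_job.sh
EOF
}

d=$(mktemp -d)
write_samples "$d"
audit_hosts "$d/hosts" vendor.example        # UPDATE_BLOCKED 0.0.0.0 update.vendor.example
audit_cron "$d/cron.baseline" "$d/cron.live" # ADDED_CRON */15 * * * * /tmp/unknown_job.sh
rm -rf "$d"
```

On a real device, point audit_hosts at /etc/hosts with the vendor's actual update domain and audit_cron at the running crontab against the copy you saved when the NAS was known-good; the baseline approach catches any added job regardless of what the malware names it, which a path-pattern heuristic would not.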


Related Stories

New QNAPCrypt Ransomware Campaign Targets QNAP NAS Devices

Beginning around June 1, a wave of eCh0raix/QNAPCrypt ransomware attacks has been observed targeting QNAP NAS devices. The vectors used to compromise the devices are exploitation of known vulnerabilities and brute-force attacks on weak passwords.

QNAP has already addressed the vulnerabilities in the following QTS versions:

  • QTS 4.4.2.1270 build 20200410 and later
  • QTS 4.4.1.1261 build 20200330 and later
  • QTS 4.3.6.1263 build 20200330 and later
  • QTS 4.3.4.1282 build 20200408 and later
  • QTS 4.3.3.1252 build 20200409 and later
  • QTS 4.2.6 build 20200421 and later

--- QNAP Advisory: Multiple Vulnerabilities in File Station. (June 5, 2020)

As would be expected, "QNAP strongly recommends updating your QTS to the latest available version for your NAS model."

The ransomware is attributed to the financially motivated Russian cybercrime group 'FullofDeep'; the attackers demand $500 in bitcoin to decrypt files, which are encrypted with AES-CFB.

  • (Score: 4, Informative) by bradley13 on Monday November 11 2019, @10:36AM (4 children)

    by bradley13 (3053) on Monday November 11 2019, @10:36AM (#918887) Homepage Journal

    I only skimmed the security advisory, but I gather that this malware is usually installed via a brute-force attack on the admin account. Which means that the admin account is exposed to the Internet.

    Um... I know there are all sorts of use-cases out there, but, really? Why would you expose the web interface of your NAS to the internet? Seems like a NAS ought to be behind a firewall, and only visible to authorized users. Even if some of the plug-ins you can install on a QNAP are providing Internet-visible services, the admin interface has no business being visible.

    Are there Darwin Awards for sys-admins?

    --
    Everyone is somebody else's weirdo.
    • (Score: 5, Interesting) by bradley13 on Monday November 11 2019, @10:43AM

      by bradley13 (3053) on Monday November 11 2019, @10:43AM (#918889) Homepage Journal

      Oh, I meant to add a rant: The "malware remover" doesn't tell you what its findings are. I went through a phase where it claimed to have found something, but it provides zero information on what it has actually found. Zip, nada, nothing. It just tells you that it found something and removed it. In my case, I am 99.99999% sure this was a false positive. But since I have no information on what it found, there's no way to be sure. If it wasn't a false positive, that same missing information would be the clue to figure out what the malware was, as well as when and how it made its way onto the NAS.

      Providing absolutely no information is just unbelievably dumb.

      --
      Everyone is somebody else's weirdo.
    • (Score: 4, Interesting) by PartTimeZombie on Monday November 11 2019, @07:19PM (2 children)

      by PartTimeZombie (4827) on Monday November 11 2019, @07:19PM (#919027)

      The Qnap device I own has two NICs and can be used as the firewall, router, IPS/IDS, DNS, etc. for the LAN.

      I choose to not use mine in that fashion however, as I don't really trust it. Mine is used as network disc space to back up to and it does that job fine, but not exposed to the Internet.

      To be fair, Qnap still offer updates for it, even though it must be 10 years old now.

      • (Score: 4, Interesting) by bradley13 on Monday November 11 2019, @08:27PM (1 child)

        by bradley13 (3053) on Monday November 11 2019, @08:27PM (#919059) Homepage Journal

        Our Qnap is also quite old, and I am pleasantly surprised that regular updates are available, sometimes including significant new features.

        They do deserve a lot of credit for not abandoning older equipment, as so many other manufacturers seem to do. A company with a long-term perspective? Works for me: my next NAS will also be a Qnap.

        --
        Everyone is somebody else's weirdo.
        • (Score: 3, Interesting) by PartTimeZombie on Monday November 11 2019, @09:02PM

          by PartTimeZombie (4827) on Monday November 11 2019, @09:02PM (#919075)

          I agree. It is a pleasant surprise.

          Considering how old my device is, and how much it cost (free!) it has been pretty good value for money.

          When one of the junior Zombies moves out of home with his girlfriend I might give it to him so that we can do offsite backups to each other's storage over a VPN.
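The thread above turns on two questions an administrator can answer from the device's own logs: is the admin account being brute-forced, and is the admin interface reachable from the Internet at all? The script below is an added example, not code from any commenter or from QNAP. It scans a syslog-style auth log for sources with repeated failed logins and for any admin-login attempt from a non-private (non-RFC 1918, non-loopback) address, which is direct evidence of exposure. The log format and all log lines are constructed for the demonstration and are not QNAP's real format.

```shell
#!/bin/sh
# Added example (not the commenters' or QNAP's code): two log checks for the
# exposure problem discussed above. Assumptions: a syslog-like auth log with
# lines of the form "... Failed login from <ip> user <name>" or
# "... Accepted login from <ip> user <name>"; the format is constructed here.

# Print "BRUTE_FORCE <ip> <count>" for each source with at least $2 failures.
brute_force_sources() {  # $1 = log file, $2 = failure threshold
    awk -v thr="$2" '
        /Failed login/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fail[$(i+1)]++; break }
        }
        END { for (ip in fail) if (fail[ip] >= thr) print "BRUTE_FORCE", ip, fail[ip] }
    ' "$1" | sort
}

# Print "EXPOSED_ADMIN <ip>" once per non-private source that attempted an
# admin login, successful or not: a NAS behind a firewall should never see one.
exposed_admin_sources() {  # $1 = log file
    awk '
        function is_private(ip,   o) {
            split(ip, o, ".")
            if (o[1]+0 == 10 || o[1]+0 == 127) return 1
            if (o[1]+0 == 172 && o[2]+0 >= 16 && o[2]+0 <= 31) return 1
            if (o[1]+0 == 192 && o[2]+0 == 168) return 1
            return 0
        }
        /login/ && / user admin/ {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i+1); break }
            if (ip != "" && !is_private(ip) && !(ip in seen)) {
                seen[ip] = 1; print "EXPOSED_ADMIN", ip
            }
        }
    ' "$1" | sort
}

# Constructed sample log: one public source hammering admin, one LAN user
# mistyping a password, one LAN admin login, one admin login from a public address.
write_sample_log() {  # $1 = path to write
    cat > "$1" <<'EOF'
Nov 11 09:00:01 nas sshd: Failed login from 203.0.113.5 user admin
Nov 11 09:00:02 nas sshd: Failed login from 203.0.113.5 user admin
Nov 11 09:00:03 nas sshd: Failed login from 203.0.113.5 user admin
Nov 11 09:00:04 nas sshd: Failed login from 203.0.113.5 user admin
Nov 11 09:05:00 nas sshd: Failed login from 192.168.1.20 user alice
Nov 11 09:06:00 nas sshd: Accepted login from 192.168.1.10 user admin
Nov 11 09:07:00 nas sshd: Accepted login from 198.51.100.7 user admin
EOF
}

f=$(mktemp)
write_sample_log "$f"
brute_force_sources "$f" 3   # BRUTE_FORCE 203.0.113.5 4
exposed_admin_sources "$f"   # EXPOSED_ADMIN 198.51.100.7 / EXPOSED_ADMIN 203.0.113.5
rm -f "$f"
```

The second check is the more telling one: a single EXPOSED_ADMIN line, even for a successful login, means the management interface is answering to the Internet, which is the configuration the thread argues a NAS should never be in. Adjust the "user admin" match to whatever account names your device treats as administrative.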

  • (Score: 0) by Anonymous Coward on Monday November 11 2019, @12:36PM

    by Anonymous Coward on Monday November 11 2019, @12:36PM (#918905)

    «Update QTS to the latest version.»

    Uh... Last time I did this, the NAS crashed and I had to connect video and keyboard and manually (CLI) correct the mess.
    I'm a "little" reluctant...

    CYA
