from the snatching-your-data dept.
UK/US Governments Warn of QNAP NAS Malware:
The UK and US governments have issued another joint cybersecurity alert, this time warning organizations about a strain of malware targeting network attached storage (NAS) devices from QNAP.
As of mid-June, the QSnatch malware (aka "Derek") had infected 62,000 devices worldwide, including 3900 in the UK and 7600 in the US, according to the notice from GCHQ's National Cyber Security Center (NCSC) and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA).
This is the result of two campaigns, one running from 2014 to mid-2017 and the other starting in late 2018.
[...] QSnatch apparently features a credential scraper, SSH backdoor, CGI password logger, webshell functionality and the ability to exfiltrate a predetermined list of files, including system configs and log files.
It is said to achieve persistence by modifying the system hosts file to redirect domain names to out-of-date versions in order to prevent updates from installing on the NAS device itself.
The NCSC/CISA urged administrators to follow the guidance issued by QNAP last November.
[...] "Organizations that are still running a vulnerable version must run a full factory reset on the device prior to completing the firmware upgrade to ensure the device is not left vulnerable."
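The hosts-file tampering described above is something an administrator can check for directly. The following is an added defender-side example, not code from the advisory or from QNAP: it parses a hosts file and flags static overrides of a watchlist of update domains (the domain names here are placeholders, since the notice does not list them) and queues any other non-loopback entry for review.

```python
import ipaddress

# Placeholder watchlist: domains the NAS contacts for firmware/app updates.
# Replace with the real vendor domains from the vendor's documentation.
UPDATE_DOMAINS = {"update.example-nas-vendor.invalid",
                  "download.example-nas-vendor.invalid"}

# Names that belong in any stock hosts file and should not raise alerts.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain",
                  "ip6-localhost", "ip6-loopback"}

def parse_hosts(text):
    """Yield (ip, [hostnames], line_no) for each active entry; skip comments."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address, not a resolvable entry
        yield ip, [h.lower() for h in fields[1:]], line_no

def audit_hosts(text, watchlist=UPDATE_DOMAINS):
    """Return (severity, line_no, name, ip) findings. Overriding a watched
    update domain is 'high'; any other non-loopback mapping is 'review'."""
    findings = []
    for ip, names, line_no in parse_hosts(text):
        for name in names:
            if name in watchlist or any(name.endswith("." + d) for d in watchlist):
                findings.append(("high", line_no, name, str(ip)))
            elif not ip.is_loopback and name not in LOOPBACK_NAMES:
                findings.append(("review", line_no, name, str(ip)))
    return findings

# Constructed sample: a stock file plus two injected update-blocking overrides.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         ip6-localhost ip6-loopback
# legitimate admin note
10.0.0.5    fileserver.lan
203.0.113.7 update.example-nas-vendor.invalid   # redirects update checks
0.0.0.0     download.example-nas-vendor.invalid
"""

if __name__ == "__main__":
    for severity, line_no, name, ip in audit_hosts(SAMPLE_HOSTS):
        print(f"{severity:6} line {line_no}: {name} -> {ip}")
```

Run it against `/etc/hosts` pulled from the device; a clean stock file yields no findings, so any "high" hit is worth treating as an indicator that the update path has been redirected.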
(Score: 0) by Anonymous Coward on Wednesday July 29, @01:12PM (1 child)
I've been considering some NAS products over the years, but I keep seeing these malware/ransomware vulnerabilities from time to time. I wonder how much of the problem stems from making the devices available over the internet or if they would be safe if you just firewalled it off. Maybe a VPN connection would be helpful if you connected to that first if you needed access from outside.
(Score: 2) by ledow on Wednesday July 29, @01:32PM
If you get ransomware on your local network, they will trash it. Unless you have proper full snapshotting (which means you need a ton of disk space to hold a pittance of files), and know that the NAS details are not saved anywhere (e.g. they can go through saved credentials on your network computers and access them with read/write access), then they are just as at risk once the thing is inside your network.
There are a ton of ways to securely access them remotely - there's a lot of passthrough services from the NAS manufacturers, etc. that mean that nothing *should* be able to come into your network, but the problem with ransomware is far more once it gets inside, and then it makes it game over.
Have personally witnessed an internal infection (believed to be a USB stick or other unauthorised device on the network) which compromised and gained full administrative access to the entire domain within seconds, and then trashed all of the data on all connected and networked devices within 6 hours. They even work on the basis of "this file is huge, I'll just corrupt key parts of it so people can't recover 99% of the data" rather than go for the full dozens-of-terabytes encryption, etc. Note that said site did not allow anything to have remote access to the network, especially not the NASs.
NAS is fine, but it's just storage. You have to think - if it's convenient enough that you can just type in a password and drag-drop your backups onto it, something else can do that and encrypt over the top of those backups.
One double-click wrong and ransomware could happily spend a week on your system undetected (the one above walked straight past Sophos and Windows Defender), sucking up credentials and scanning network paths, and then at a given trigger point start encryption which - in seconds - can render almost all of your storage useless to the point that you're clean-room restoring from backups that you are sure were offline for the entire duration of any possible infection.
(Score: 2) by JoeMerchant on Wednesday July 29, @01:37PM
Their products seem like a good thing, but they're not.
Fatal flaw for me, discovered the hard way, was that when I installed a hard drive into their (Linux-based) NAS, they needlessly formatted it in some proprietary scheme that meant: when the QNAP power supply died, my hard drive was inaccessible.