Original Post from Security Affairs
Author: Pierluigi Paganini
Security experts warn of a new piece of malware dubbed QSnatch that has already infected thousands of QNAP NAS devices worldwide.
A new piece of malware dubbed QSnatch is infecting thousands of NAS devices manufactured by the Taiwanese vendor QNAP.
The name derives from the targeted vendor and the “snatching” activity the malware performs.
According to the German Computer Emergency Response Team (CERT-Bund), over 7,000 devices have been infected in Germany alone.
A couple of weeks ago, experts at the National Cyber Security Centre of Finland (NCSC-FI) published a report on the QSnatch malware. The experts were alerted about the malware in October and immediately launched an investigation.
“NCSC-FI received reports via the Autoreporter service during mid October of infected devices attempting to communicate
At the time the infection vector
The sample analyzed by the experts was able to perform the following actions:
- Modify operating system timed jobs and scripts (
- Prevent device updates by overwriting update sources completely.
- Prevent the execution of the built-in QNAP
- Gather all usernames and passwords related to the device and send them to the C2 server.
- Load new modules implementing new features from the C2 servers.
- Call-home at specific intervals.
The modular structure of the malware could allow QSnatch operators to perform a broad range of malicious activities by deploying the necessary modules.
Experts at NCSC-FI suggest performing a full factory reset of the NAS device to clean an infected device; another, unconfirmed method is to apply an update provided by the vendor.
Once the device has been cleaned, the experts suggest the following actions:
- Change all passwords for all accounts on the device
- Remove unknown user accounts from the device
- Make sure the device firmware is up-to-date and all of the applications are also updated
- Remove unknown or unused applications
- MalwareRemover application via the App Center functionality
- Set an access control list for the device (Control panel -> Security -> Security level).
In the past months, other malware has targeted NAS devices. In July, researchers at two security firms, Intezer and Anomali, discovered a new piece of ransomware targeting QNAP NAS devices. The ransomware, tracked by Intezer as “QNAPCrypt” and by Anomali as “eCh0raix”, is written in the Go programming language and uses AES encryption to encrypt files.
In February, users of the QNAP NAS devices reported a
One of the first attacks against QNAP dates back to 2014, at the time security experts at