Posted on July 28, 2020 at 4:36 PM
QSnatch malware infects 62,000 QNAP NAS devices, CISA and NCSC reveal
According to a joint security alert from the United Kingdom’s National Cyber Security Centre (NCSC) and the United States Cybersecurity and Infrastructure Security Agency (CISA), about 62,000 QNAP NAS devices were infected with the QSnatch malware. The malware was initially spotted late last year, when the botnet counted about 7,000 bots; it has since grown to more than 62,000.
The two cybersecurity agencies in the US and the UK published the report today, alerting the public about a strain of malware that has infected network-attached storage (NAS) devices made by QNAP, a Taiwanese device maker.
According to the alert posted by both agencies, QSnatch attacks have been traced back to 2014. However, the attacks increased over the last year, with the number of compromised devices rising in mid-June 2020.
Malware still very active
Although the infrastructure used by the actors has since become inactive, the second series of attacks involved inserting the malware during the infection stage and setting up a command-and-control channel using a domain registration algorithm (DRA).
This channel gives the actors a way to communicate with the infected host and steal sensitive data.
“The two campaigns are distinguished by the initial payload used as well as some differences in capabilities,” the agencies said.
The current QSnatch version has a wide range of features, including a CGI password logger that uses a fake admin login screen to capture passwords and steal credentials. It also includes an SSH backdoor and web-shell functionality that give remote access to the targeted devices.
Of the infected systems, NCSC and CISA revealed that about 3,900 of the compromised devices are from the UK while about 7,600 are from the US.
The actors used a CGI password logger, which installs a bogus version of the device’s admin login page, logs successful authentications and then forwards the user to the authentic login page.
The SSH backdoor enables the attacker to execute arbitrary code on the device.
It’s unclear how the malware infected the devices
When QSnatch executes, it steals a predefined list of files, including log files and system configuration. These are encrypted with the attacker’s public key and delivered over HTTPS to the attacker’s infrastructure.
Although NCSC and CISA analysts were able to study the current version of QSnatch, they pointed out that one question still eludes them: the agencies say they do not know how the malware managed to infect the devices.
They noted that the actors could be using default passwords for the admin accounts or exploiting vulnerabilities in the QNAP firmware.
Once the actors have gained control of a device, NCSC and CISA say, they inject the QSnatch malware into the firmware. From there, the malware takes complete control of the device and blocks any further firmware updates, keeping itself operational for a long time.
NCSC and CISA advise firms to patch QNAP NAS devices
Both agencies agree that companies need to patch their QNAP NAS devices to stop the attack and prevent future infiltrations. They said the infrastructure used in the second wave of attacks is now down; however, QSnatch malware will remain active on the internet and try to infect other devices.
The agencies have warned companies and home users of the devices to strengthen their security to ward off future attacks. They should follow the mitigation and remediation steps provided on the Taiwanese vendor’s support page to stop QSnatch and prevent future attacks.
Users should also verify that their devices have not already been compromised. If they have been, they should perform a full factory reset of the device to remove the malware.
According to the agencies, failing to remove the malware leaves the attackers a backdoor into the company’s networks, enabling future attacks. It also gives them direct access to the NAS devices, many of which are used to store sensitive files.