Hackers have infected thousands of network-attached storage (NAS) devices from Taiwanese vendor QNAP with a new strain of malware named QSnatch.
Over 7,000 infections have been reported in Germany alone, the German Computer Emergency Response Team (CERT-Bund) said today. Thousands more are believed to be infected worldwide, in what appears to be an ongoing outbreak.
Information on how QSnatch works is still scant, at the time of writing. The only report comes from the National Cyber Security Centre of Finland (NCSC-FI), the first cybersecurity organization to spot the malware last week.
NCSC-FI members have not yet discovered how this new threat spreads and infects QNAP NAS systems; however, once it gains access to a device, QSnatch burrows into the firmware to gain reboot persistence.
An analysis of the malware’s code revealed the following capabilities:
- Modify OS timed jobs and scripts (cronjob, init scripts)
- Prevent future firmware updates by overwriting update source URLs
- Prevents the native QNAP MalwareRemover App from running
- Extracts and steals usernames and passwords for all NAS users
These features describe the malware’s capabilities but don’t reveal its end-goal. It is unclear if QSnatch was developed to carry out DDoS attacks, to perform hidden cryptocurrency mining, or just as a way to backdoor QNAP devices to sensitive steal files or host malware payloads for future operations.
One theory is that the QSnatch operators are currently in the phase where they’re building their botnet, and will deploy other modules in the future. NCSC-FI analysts confirmed that QSnatch has the ability to connect to a remote command-and-control, download, and then run other modules.
Dealing with an infection
For the time being, the only confirmed method of removing QSnatch has been performing a full factory reset of the NAS device.
Some users reported that installing a February 2019 QNAP NAS firmware update also fixes the issue; however, neither NCSC-FI, nor the vendor, have confirmed that this removes QSnatch or prevents future reinfections.
For the time being, QNAP NAS owners are advised to disconnect their devices from the internet.
Other advice shared by NCSC-FI analysts on dealing with the aftermath of a QSnatch infection include:
- Change all passwords for all accounts on the device
- Remove unknown user accounts from the device
- Make sure the device firmware is up-to-date and all of the applications are also updated
- Remove unknown or unused applications from the device
- Install QNAP MalwareRemover application via the App Center functionality
- Set an access control list for the device (Control panel -> Security -> Security level)
QSnatch is the fourth malware strain spotted this year that has targeted NAS devices, following in the footsteps of a ransomware strain that impacted Synology devices, and the eCh0raix and Muhstik ransomware strains that impacted QNAP devices.