QSnatch is malware that has infected 62,000 QNAP NAS devices. It steals files, compromises credentials, and is difficult to remove. What is QSnatch? It’s a sophisticated and tenacious enemy.
What is the QSnatch QNAP Malware?
Approximately 62,000 QNAP Network Attached Storage (NAS) devices all around the world have been infected by the QSnatch malware. The malware was first detected and characterized by the National Cyber Security Centre of Finland in October 2019.
The malware was dubbed QSnatch because it snatches information from QNAP devices. It was designed specifically to exploit a vulnerability that the threat actors had identified in the QNAP systems. This vulnerability has been rectified and patches are available—but even devices that have been disinfected and patched might still be at risk.
QSnatch attacks QTS, the QNAP operating system, which is based on Linux. The infection method appears to be a vulnerability that allowed malicious code to be remotely injected into the firmware of the device. An unverified source who claims to have spoken face-to-face with QNAP staff suggests that there are two attack vectors.
- A vulnerability in a Media Library component that allowed the threat actors to execute system commands with administrative privileges. It was assigned the Common Vulnerabilities and Exposures identifier CVE-2017-10700.
- A zero-day vulnerability in the Music Station application which allowed the threat actors to inject commands with administrative privileges.
As malware commonly does, QSnatch communicates with command and control servers. QSnatch uses a blockchain algorithm to generate the domain names it expects to find the command and control servers at. Once it has connected it may:
- Receive updates.
- Receive instructions.
- Report its findings.
- Upload stolen credentials and files.
Once a QNAP device is infected, QSnatch runs with administrative privileges. It will:
- Log passwords and exfiltrate credentials by presenting a bogus login page to the user.
- Create an SSH backdoor to allow remote access for the threat actors.
- Create a webshell backdoor.
- Exfiltrate data files.
- Modify timed jobs and system scripts.
- Modify the hosts file to prevent the QNAP from detecting available updates, by redirecting core domain names to out-of-date versions.
- Prevent the QNAP Malware Remover app from launching.
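Two of the traits listed above leave marks a defender can look for without any vendor tooling: a vendor domain pinned in the hosts file, and a scheduled job launched from a data or temp location rather than a system path. The helpers below are an added example (not QNAP's code and not part of the original article); the vendor domain suffixes, the writable-path prefixes and the sample file contents are all constructed assumptions, and real systems should feed the functions their actual /etc/hosts and crontab text.

```python
"""Offline triage helpers for two QSnatch traits described above.

Added example, not QNAP's tooling. The domain suffixes, path prefixes and
sample inputs are assumptions/constructed data, not values from the article.
"""
import ipaddress
import re

# Assumption: a clean hosts file never pins the vendor's domains to any IP.
VENDOR_SUFFIXES = ("qnap.com", "myqnapcloud.com")

# Assumption: writable data/temp locations a legitimate system job should not
# be launched from.
DATA_PATH_PREFIXES = ("/tmp/", "/share/", "/dev/shm/", "/mnt/")
DOWNLOADER = re.compile(r"\b(wget|curl)\b")


def suspicious_hosts_entries(hosts_text, vendor_suffixes=VENDOR_SUFFIXES):
    """Return (ip, hostname) pairs that pin a vendor domain to a fixed address.

    Loopback names such as localhost are normal; a vendor hostname mapped to
    any address, routable or not, means update lookups are being steered.
    """
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line; not what this check is about
        for name in names:
            lname = name.lower()
            if any(lname == s or lname.endswith("." + s) for s in vendor_suffixes):
                findings.append((ip, name))
    return findings


def suspicious_cron_lines(crontab_text):
    """Return crontab lines whose command runs from a data/temp path or
    invokes a downloader. The executable is the first token after the five
    schedule fields, so a legitimate tool that merely *touches* /share is
    not flagged."""
    flagged = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # not a five-field schedule plus command
        command = fields[5]
        exe = command.split()[0]
        if exe.startswith(DATA_PATH_PREFIXES) or DOWNLOADER.search(command):
            flagged.append(line)
    return flagged


# Constructed sample inputs (not captured from a real device).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
203.0.113.10 update.qnap.com   # constructed: vendor name pinned to a fixed IP
"""

SAMPLE_CRONTAB = """\
# constructed sample crontab
0 3 * * * /sbin/hd_standby
30 2 * * * /usr/bin/rsync -a /share/Public /share/Backup
*/5 * * * * /share/.hidden/run.sh
"""

if __name__ == "__main__":
    for ip, name in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts: {name} pinned to {ip}")
    for line in suspicious_cron_lines(SAMPLE_CRONTAB):
        print(f"cron:  {line}")
```

Run against a live system by reading /etc/hosts and the crontab into the two functions; any hit is a reason to treat the device as compromised and follow the reset-and-patch path below rather than to clean the entries by hand.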
The command and control servers appear to be inactive, suggesting this recent campaign may have concluded. However, the malware will have extracted all user names and passwords from any infected devices—and those credentials can be used to access the devices in new attacks.
The situation is so severe the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre have released a joint alert notification.
I’m Infected, What Now?
QNAP has provided security recommendations and detailed instructions for preventing QSnatch infections. If you are infected, the best option is to factory reset the device, patch it up to date, and restore your data. Once you have your QNAP patched and reset, you can follow the steps they provide to keep your QNAP secure.
Passwords
- Change the administrator (root) password.
- Change all other user account passwords.
- Change the QNAP ID password. All passwords and user IDs are in the hands of the threat actors. You must not continue using old passwords.
- Make sure all passwords are unique and strong. If you don’t have one, a password policy should be drafted and enforced which sets compulsory rules for password complexity and robustness.
Accounts
- Remove unknown or suspicious accounts.
- Enable IP and account access protection to prevent brute force attacks.
Control Remote Access
- Disable SSH and Telnet connections if you are not using these services. If you are, make sure passwords are unique and strong.
- Disable the Web Server, SQL server, and phpMyAdmin applications if you are not using them.
- Avoid using default and predictable port numbers, such as 22, 443, 80, 8080, and 8081.
- Disable Auto Router Configuration and Publish Services and restrict Access Control in myQNAPcloud. The less you broadcast to the world, the harder it is for the world to get in.
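The remote-access steps above are easy to verify from the device's own socket listing: anything listening on a default port and bound to a non-loopback address is exactly what the advice says to turn off or move. The function below is an added example (not QNAP's code and not from the original article); it parses the output format of `ss -ltn` and its sample input is constructed. The port list is the article's (22, 80, 443, 8080, 8081) plus 23 for Telnet, which is an assumption.

```python
"""Flag default service ports exposed beyond loopback, from `ss -ltn` text.

Added example, not QNAP's tooling. Port 23 is an assumption (Telnet); the
sample listing is constructed, not captured from a device.
"""
import ipaddress

# Article's default ports plus 23 (Telnet, assumption).
DEFAULT_PORTS = {22, 23, 80, 443, 8080, 8081}


def _split_local(local):
    """Split 'addr:port' or '[v6addr]:port' into (addr, port)."""
    addr, _, port = local.rpartition(":")
    return addr.strip("[]"), int(port)


def exposed_default_ports(ss_output, default_ports=DEFAULT_PORTS):
    """Return sorted (port, bind_address) pairs for LISTEN sockets on a
    default port that are reachable from outside the host (not loopback)."""
    exposed = []
    for raw in ss_output.splitlines():
        cols = raw.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue  # header or non-listening line
        addr, port = _split_local(cols[3])
        if port not in default_ports:
            continue
        if addr == "*":
            exposed.append((port, addr))  # wildcard bind
            continue
        try:
            if ipaddress.ip_address(addr).is_loopback:
                continue  # local-only service is fine
        except ValueError:
            pass  # unusual address text; report it rather than hide it
        exposed.append((port, addr))
    return sorted(exposed)


# Constructed sample `ss -ltn` output (not from a real NAS).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     [::]:8080            [::]:*
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     0.0.0.0:49152        0.0.0.0:*
"""

if __name__ == "__main__":
    for port, addr in exposed_default_ports(SAMPLE_SS):
        print(f"default port {port} listening on {addr}")
```

In the sample, SSH on 22 and the 8080 web port are reported, the database bound to 127.0.0.1 is not, and the non-default port 49152 is ignored; that matches the intent of the list above, which is about what the device advertises to the network, not what it runs internally.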
Other Steps
- Remove malfunctioning, unknown, or suspicious apps.
- Subscribe to the QNAP security newsletters.
If You’re in Europe
If you are based in Europe, or if you store any personal data of European citizens on your QNAP, you need to review the data that was exposed to risk and decide whether you need to inform your local Supervisory Authority. You’ve probably breached the General Data Protection Regulation (GDPR).
Remember, personally identifiable information (PII) is any single item of information that can be used with other information to identify a living person—even if that other information comes from a different source. Any isolated piece of the PII jigsaw counts as personally identifiable information. That includes an email address, a name, or a telephone number.
Is This QNAP’s Fault?
QNAP software engineers developed the devices, wrote the firmware, and modified Linux to create the QTS operating system. QNAP builds and sells the devices so, ultimately, the responsibility must sit with them. But it’s not difficult to sympathize with QNAP.
Testing, product verification, and customer field trials are vital phases on the long haul from development to released product. But you can test for as long as you like. It is tremendously difficult to build test cases for unknown vulnerabilities into a test plan.
And with a multi-million line-of-code assemblage like an operating system, ensuring you get sufficient test-case and unit test coverage for functionality testing is problematic, to say the least. And those kinds of tests are not likely to find attack vectors. They’re designed to make sure the product does what it is meant to, not that it stands up to someone doing something creative—if not ingenious—that they shouldn’t.
All the usual testing should be supplemented by a red team assault on the device. Their findings are passed back to development, which fixes the vulnerabilities and plugs the gaps, then hands the device back to the red team. And repeat. If such a skill set doesn’t exist in-house, outsource it.
Once it passes the red team tests, give it to product verification. But not before.