QSnatch is malware that has infected 62,000 QNAP NAS devices. It steals files, compromises credentials, and is difficult to remove. What is QSnatch? It’s a sophisticated and tenacious enemy.
Approximately 62,000 QNAP Network Attached Storage (NAS) devices around the world have been infected by the QSnatch malware. The malware was first detected and characterized by the National Cyber Security Centre of Finland in October 2019.

The malware was dubbed QSnatch because it snatches information from QNAP devices. It was designed specifically to exploit a vulnerability that the threat actors had identified in QNAP systems. This vulnerability has been rectified and patches are available, but even devices that have been disinfected and patched might still be at risk.

QSnatch attacks QTS, the QNAP operating system, which is based on Linux. The infection method appears to be a vulnerability that allowed malicious code to be remotely injected into the device's firmware. An unverified source who claims to have spoken face-to-face with QNAP staff suggests that there are two attack vectors.

As malware commonly does, QSnatch communicates with command and control servers. QSnatch uses a blockchain algorithm to generate the domain names at which it expects to find the command and control servers. Once it has connected it may:

Once a QNAP device is infected, QSnatch runs with administrative privileges. It will:

The command and control servers appear to be inactive, suggesting this recent campaign may have concluded. However, the malware will have extracted all user names and passwords from any infected devices, and those credentials can be used to access the devices in new attacks.

The situation is so severe that the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre have released a joint alert notification.

QNAP has provided security recommendations and detailed instructions for preventing QSnatch infections. If you are infected, the best option is to factory reset the device, patch it up to date, and restore your data. Once you have your QNAP patched and reset, you can follow the steps they provide to keep your QNAP secure.
I’m Infected, What Now?

Passwords

Accounts

Control Remote Access

Other Steps

If You’re in Europe