Recently, the US and UK cybersecurity agencies have issued a joint security alert about an ongoing malware attack. The QSnatch malware is actively targeting QNAP devices and has infected thousands of them already. Users must ensure updating their devices with security fixes to avoid exploitation.
US UK Cybersec Warn Of QSnatch Malware
In a joint alert from the United States Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) have warned of active QSnatch malware attacks.
Briefly, they presented their findings regarding a new strain of QSnatch malware. While the malware vector remains unknown, the firms believe that it attacks a vulnerable device as the malicious code runs with it.
The malware affects the device firmware whilst allowing the attacker to connect with the C&C by using a domain generation algorithm (DGA). It keeps generating different domain names to communicate with the C&C.
QSnatch exhibits numerous malicious functionalities including a CGI password logger to steal credentials, credential scraper, SSH backdoor to execute codes, and webshell for remote access. Also, it bears data exfiltration capability to steal information about predefined files including system configuration and log files.
Following a successful attack, the malware persists on the device giving permanent access to the attacker. Whereas, this persistence locks out the device admins from performing various activities, including device update. It means that even if the vendors release a fix, an infected device may never receive the patch.
Active QSnatch Campaigns
Reportedly, CISA and NCSC detected two different QSnatch malware campaigns. The first supposedly existed between early 2014 to mid-2017. Whereas, the second one began in late 2018 and remained active even in late 2019.
So, while the attack infrastructure presently appears inactive, the threat still exists. And, during the active attack phase, the malware infected thousands of devices. Specifically, the researchers could detect around 62,000 infected QNAP devices globally. Of these, 7000 exist in the US and 3900 in the UK.
To prevent such attacks on vulnerable and uninfected devices, the advisory urges the organizations to update their devices in the light of QNAP’s November 2019 fix.
Whereas, as other mitigations, the advisory reads,
Organizations that are still running a vulnerable version must run a full factory reset on the device prior to completing the firmware upgrade to ensure the device is not left vulnerable.
The usual checks to ensure that the latest updates are installed still apply. To prevent reinfection, this recommendation also applies to devices previously infected with QSnatch but from which the malware has been removed.
Let us know your thoughts in the comments.