Thousands of QNAP NAS devices infected by QSnatch credential stealing malware

Owners of QNAP NAS devices are being warned to patch systems after around 7,000 of the devices were infected on Thursday. 

The alert came from CERT-Bund, Germany’s computer emergency response team, which believes most of the infections are in Germany based on its sinkhole data. 

Infected devices are running vulnerable outdated firmware, according to CERT-Bund. The attackers are remotely connected to affected QNAP devices using port forwarding. 

CERT-Bund refers to a report from the National Cyber Security Centre of Finland, (NCSC-FI) posted in late October. 

NCSC-FI discovered the QSnatch malware in mid-October after noticing an unusually high number of devices were attempting to communicate with specific command and control servers. The malware was discovered through NCSC-FI’s Autoreporer service, which sends automatic reports to network admins about security incidents detected in their networks. 

NSCS-FI was uncertain how QNAP devices were initially infected, however it found as devices became, malicious code was injected into the device’s firmware, giving the attacker a good foothold to compromise the device. 

The malware then uses domain generation algorithms to retrieve more malware from the attacker’s servers that is executed inside the OS with system rights. The web request it uses to get the additional malicious code is "HTTP GET https://<generated-address>/qnap_firmware.xml?=t<timestamp>”. NSCS-FI says this request is a “strong indicator of compromise”. 

At this point, the device’s security tools are disabled and the machine is ransacked for credentials. For example, the QNAP MalwareRemover App is prevented from running and firmware updates are prevented, while the device’s usernames and passwords are sent to the attacker’s server. 

Additionally, the malware is modular, allowing the attackers to remotely load new features to an infected machine. Finnish researchers called it QSnatch because of the “snatching” activity it performs. 

Fortunately, the malware can be removed, but doing so could be painful, depending on the victim’s backups. There is also a firmware update available to remove the malware, but it’s not been confirmed to work. 

QNAP’s advisory for a security flaw in its Linux-based QTS OS that it disclosed in February. QNAP noted it had received reports of malware that “prevents affected QNAP NAS devices from detecting updates for QTS, installing Malware Remover, and updating other applications.” The patch was designed to allow QTS to remove the malware. 

However, QNAP also warned that if the QNAP NAS device was already infected, “updating QTS and all NAS applications may not completely remove the malware.”

“QNAP is currently working on a removal solution and will update this advisory once it is publicly available,” it said at the time. There’s no indication that capability has been made available. 

The surefire way to get ride of it is by performing a full factory reset, but this will destroy all stored data on the device. NCSC-FI also noted it was unable to confirm whether QNAP’s firmware update actually removes the malware. 

NCSC-FI urges victims to take several steps after completing a factory reset, including changing all passwords for all accounts on the device, removing unknown user accounts, getting the latest firmware updates, removing unknown or unused applications. Users should also install the QNAP MalwareRemover app from the App Center, and then set an access control list for the device.