{"id":11808,"date":"2019-11-07T19:46:02","date_gmt":"2019-11-07T18:46:02","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=11808"},"modified":"2022-06-27T09:18:03","modified_gmt":"2022-06-27T07:18:03","slug":"qsnatch-malware-infects-qnap-nas-drives","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2019\/11\/07\/qsnatch-malware-infects-qnap-nas-drives\/","title":{"rendered":"QSnatch Malware infects QNAP NAS drives"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" align=\"left\" height=\"47\">[<a href=\"https:\/\/www.borncity.com\/blog\/2019\/11\/07\/qsnatch-malware-zielt-auf-qnap-nas-laufwerke\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>]A malware called QSnatch targets network storage from the manufacturer QNAP. The manufacturer offers a firmware update to protect against this malware. <\/p>\n<p>Manufacturer QNAP had already published this <a href=\"https:\/\/www.kyberturvallisuuskeskus.fi\/en\/news\/qsnatch-malware-designed-qnap-nas-devices\" target=\"_blank\" rel=\"noopener noreferrer\">security warning<\/a> about the QSnatch malware on November 1, 2019. The National Cyber Security Center Finland (NCSC-FI) had received reports of infected devices attempting to communicate with certain Command and Control (C2) servers via the Autoreporter service in mid-October 2019. 
<\/p>\n<p>Then last week the Cyber Emergency Response Team (CERT) of the Finnish Transport and Communications Agency (NCSC-FI) issued a <a href=\"https:\/\/www.kyberturvallisuuskeskus.fi\/en\/news\/qsnatch-malware-designed-qnap-nas-devices\" target=\"_blank\" rel=\"noopener noreferrer\">warning about a new malware<\/a>. The malware that infects QNAP's Network Attached Storage (NAS) devices was discovered during an analysis and named QSnatch. An analysis of the malware revealed the following actions:<\/p>\n<ul>\n<li>Operating system timed jobs and scripts are modified (cronjob, init scripts)\n<li>Firmware updates are prevented via overwriting update sources completely\n<li>QNAP MalwareRemover App is prevented from being run\n<li>All usernames and passwords related to the device are retrieved and sent to the C2 server\n<li>The malware has modular capacity to load new features from the C2 servers for further activities\n<li>Call-home activity to the C2 servers is set to run at set intervals<\/li>\n<\/ul>\n<p>The malware modifies the firmware of infected QNAP devices to remain persistent. Firmware updates of the device are deactivated. The infection vector is still unknown. <\/p>\n<h2>Recommendations of the manufacturer<\/h2>\n<p>On the basis of previous findings, the manufacturer QNAP gives its users the following recommendations for action:<\/p>\n<ol>\n<li>Update QTS to the latest version.\n<li>Install and update Security Counselor to the latest version.\n<li>Install and update Malware Remover to the latest version.\n<li>Use a stronger admin password.\n<li>Enable IP and account access protection to prevent brute force attacks.\n<li>Disable SSH and Telnet connections if you are not using these services.\n<li>Avoid using default port numbers 443 and 8080.<\/li>\n<\/ol>\n<p>Currently it is unclear if updating the firmware will really help against the QSnatch malware. 
In July 2019 there was already a warning about ransomware infections (see <a href=\"https:\/\/borncity.com\/win\/2019\/07\/26\/ransomware-addressing-qnap-synology-nas-systems\/\">Ransomware addressing QNAP-\/Synology NAS systems<\/a>). There, recommendations for action similar to those in the above list were given.&nbsp; <\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"de\" dir=\"ltr\">Based on sinkhole data, around 7,000 NAS devices in Germany are already affected at present.<br \/>Further information from our colleagues at <a href=\"https:\/\/twitter.com\/CERTFI?ref_src=twsrc%5Etfw\">@CERTFI<\/a>:<a href=\"https:\/\/t.co\/DgrWKoRHS0\">https:\/\/t.co\/DgrWKoRHS0<\/a><\/p>\n<p>\u2014 CERT-Bund (@certbund) <a href=\"https:\/\/twitter.com\/certbund\/status\/1189890405749460992?ref_src=twsrc%5Etfw\">October 31, 2019<\/a><\/p><\/blockquote>\n<p><span id=\"preserve67eb6b7e34f64571b18ac78c9aa7baf2\" class=\"wlWriterPreserve\"><SCRIPT charset=\"utf-8\" src=\"https:\/\/platform.twitter.com\/widgets.js\" async><\/SCRIPT><\/span> <\/p>\n<p>The German CERT-Bund writes in the above tweet that, on the basis of collected data, approximately 7,000 NAS devices are already affected in Germany.&nbsp; <\/p>\n<h2>System infected? Remedial measures<\/h2>\n<p>If a QNAP system is infected by the malware, a complete reset of the device to the factory settings will help. To check whether the QNAP device is infected, you can run the latest version of the <a href=\"https:\/\/www.qnap.com\/de-de\/app_releasenotes\/list.php?app_choose=MalwareRemover\" target=\"_blank\" rel=\"noopener noreferrer\">Malware Remover<\/a> software. On infected systems, it may not be possible to install the Malware Remover. 
At the German site heise, a user has posted a <a href=\"https:\/\/www.heise.de\/forum\/heise-Security\/News-Kommentare\/Malware-QSnatch-attackiert-QNAP-Netzwerkspeicher-auch-in-Deutschland\/Check-und-Loesungsansatz-Link-inside\/posting-35532526\/show\/\" target=\"_blank\" rel=\"noopener noreferrer\">how-to<\/a> in a comment that explains how to manually check the system for an infection. Further details may be found at <a href=\"https:\/\/www.kyberturvallisuuskeskus.fi\/en\/news\/qsnatch-malware-designed-qnap-nas-devices\" target=\"_blank\" rel=\"noopener noreferrer\">Finnish CERT<\/a>, at the <a href=\"https:\/\/www.qnap.com\/de-de\/security-advisory\/nas-201911-01\" target=\"_blank\" rel=\"noopener noreferrer\">QNAP security advisory<\/a> and at <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/qnap-warns-users-to-secure-devices-against-qsnatch-malware\/\" target=\"_blank\" rel=\"noopener noreferrer\">Bleeping Computer<\/a>.<\/p>\n<p><strong>Similar articles:<\/strong><br \/><a href=\"https:\/\/borncity.com\/win\/2019\/07\/26\/ransomware-addressing-qnap-synology-nas-systems\/\">Ransomware addressing QNAP-\/Synology NAS systems<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2017\/08\/02\/qnap-fixes-critical-nas-bug-that-may-causes-data-loss\/\">QNAP fixes critical NAS bug that may causes data loss<\/a><br \/><a href=\"https:\/\/web.archive.org\/web\/20220428195048\/https:\/\/borncity.com\/win\/2019\/01\/04\/multiple-vulnerabilities-in-synology-nas-systems\/\">Multiple Vulnerabilities in Synology NAS systems<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]A malware called QSnatch targets network storage from the manufacturer QNAP. 
The manufacturer offers a firmware update to protect against this malware.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[448,580,1547],"tags":[701,950,69],"class_list":["post-11808","post","type-post","status-publish","format-standard","hentry","category-devices","category-security","category-software","tag-device","tag-nas","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/11808","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=11808"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/11808\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=11808"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=11808"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=11808"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}