The National Cyber Security Centre (NCSC) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have warned users of QNAP NAS devices to update their devices with the latest security fixes to prevent hackers from using the QSnatch malware to compromise their networks.
The use of Network Attached Storage (NAS) devices is widespread and as such, it is not surprising that cyber criminals have created specialised malware to compromise NAS devices attached to enterprise networks all over the world. According to ResearchAndMarkets.com, the global NAS market was valued at USD 21.1 billion in 2019 and is projected to reach USD 48 billion by 2025; growing at a CAGR of 15.7% from 2020 to 2025.
One such malware is the QSnatch malware which cyber criminals have been using since 2014 to target NAS devices manufactured by QNAP. Headquartered in Taiwan, QNAP is a leading provider of IT infrastructure applications for advanced computing, networking, and data storage. Recently, the company collaborated with Microsoft to integrate Microsoft Office for the web with the QNAP NAS operating system.
According to an advisory issued by the NCSC and the CISA, the QSnatch malware was first used between 2014 and mid-2017 to target QNAP NAS devices and then again between late 2018 and late 2019, with the two campaigns distinguished only by the initial payload used and the malware's capabilities.
QSnatch prevents infected NAS devices from receiving security updates
The second campaign, which the two agencies believe has now ended, infected a large number of QNAP NAS devices in the United States and Europe, so much so that by mid-June there were as many as 62,000 infected devices worldwide, of which 3,900 were in the UK and 7,600 were in the U.S.
As per the advisory, QSnatch is injected into the firmware of a targeted NAS device during the infection stage, and the malicious code is then run on the device, compromising it. The attacker then uses a domain generation algorithm (DGA) to establish a command and control (C2) channel: the DGA periodically generates multiple domain names, which the malware contacts with HTTP GET requests for C2 communications.
QSnatch has a number of capabilities: logging passwords by installing a fake version of the device admin login page, recording successful authentications and passing them on to the legitimate login page; executing arbitrary code on an infected device; scraping credentials; and stealing log files and sending them to the C2 server over HTTPS.
"The malware appears to gain persistence by preventing updates from installing on the infected QNAP NAS device. The attacker modifies the system hosts file, redirecting core domain names used by the NAS to local out-of-date versions so updates can never be installed.
"This makes it extremely important for organisations to ensure their devices have not been previously compromised. Organisations that are still running a vulnerable version must run a full factory reset on the device prior to completing the firmware upgrade to ensure the device is not left vulnerable."
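The hosts-file modification quoted above is something a defender can check for directly. The following is an added example, not code from the advisory or from QNAP: it parses hosts-file text and flags vendor update domains that have been pinned locally, as well as arbitrary names blackholed to loopback. The watched domain list and the sample hosts file are constructed placeholders.

```python
# Hosts-file tamper check for the persistence technique described above:
# vendor update domains pinned locally so firmware updates never install.
# Added example, not from the advisory or QNAP. Domain list is a placeholder.
import ipaddress

# Placeholder list: substitute the update domains your NAS firmware contacts.
WATCHED_DOMAINS = {"update.example-nas-vendor.test", "download.example-nas-vendor.test"}
# Names that legitimately map to loopback in a stock hosts file.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:
            yield parts[0], name.lower()

def find_suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Return (address, hostname, reason) tuples a defender should review."""
    findings = []
    for addr, name in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((addr, name, "unparseable address"))
            continue
        if name in watched or any(name.endswith("." + d) for d in watched):
            # Update domains should resolve via DNS, never be pinned in hosts.
            findings.append((addr, name, "vendor update domain pinned in hosts file"))
        elif ip.is_loopback and name not in LOOPBACK_NAMES:
            # Redirecting an arbitrary name to loopback is the blackholing pattern.
            findings.append((addr, name, "non-localhost name mapped to loopback"))
    return findings

# Constructed sample: a stock hosts file plus three tampered lines.
SAMPLE_HOSTS = """\
127.0.0.1    localhost
::1          localhost ip6-localhost ip6-loopback
127.0.0.1    update.example-nas-vendor.test      # tampered
192.168.1.50 download.example-nas-vendor.test    # tampered
127.0.0.1    cdn.somewhere.test                  # tampered
"""

if __name__ == "__main__":
    for addr, name, reason in find_suspicious_entries(SAMPLE_HOSTS):
        print(f"{addr:<13} {name:<34} {reason}")
```

On a real device the text would come from the file the NAS firmware actually consults, and a clean result does not rule out compromise, which is why the advisory recommends a factory reset before upgrading.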
In response to the second wave of QSnatch malware attacks, QNAP revealed new firmware security updates in November last year that included new features such as Malware Remover and Security Counselor. These two features are supported by QTS 4.2 and later and QTS 4.3.5 and later respectively, indicating that organisations must immediately replace QNAP NAS devices that run OS versions older than QTS 4.2 to continue to enjoy security support.
QNAP NAS devices are also vulnerable to the eCh0raix ransomware family
Despite its advanced capabilities, QSnatch isn't the only malware that is used by cyber criminals to target NAS devices. In July 2019, security firm Trend Micro uncovered a new ransomware family named eCh0raix that specifically targeted QNAP NAS devices.
eCh0raix has been specially designed to terminate itself if it determines that an affected NAS device is located in Belarus, Ukraine, or Russia, indicating that its creators may hail from one of these countries. After infecting NAS devices, the malware is capable of encrypting documents and text files, PDFs, archives and databases, and multimedia files, among others.
After gaining access to enterprise networks via infected NAS devices and encrypting stored files, hackers using the eCh0raix ransomware demand a ransom of 0.05 – 0.06 bitcoin, paid via a site hosted on Tor, in exchange for the decryption key. QNAP NAS devices affected by the eCh0raix ransomware include the QNAP TS-251, QNAP TS-451, QNAP TS-459 Pro II, and QNAP TS-253B.
According to Trend Micro, cyber criminals are using the eCh0raix ransomware to great effect against thousands of QNAP NAS devices that are not usually safeguarded by anti-malware solutions and that have weak credentials or unpatched vulnerabilities. Researchers have observed thousands of publicly accessible, web-facing NAS devices, which further increases their exposure to cyber criminals.