This is a joint alert from the United States Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC).
CISA and NCSC are investigating a strain of malware known as QSnatch, which attackers used in late 2019 to target Network Attached Storage (NAS) devices manufactured by the firm QNAP.
All QNAP NAS devices are potentially vulnerable to QSnatch malware if not updated with the latest security fixes. The malware, documented in open-source reports, has infected thousands of devices worldwide with a particularly high number of infections in North America and Europe. Further, once a device has been infected, attackers can prevent administrators from successfully running firmware updates.
This alert summarizes the findings of CISA and NCSC analysis and provides mitigation advice.
Click here for a PDF version of this report from NCSC.
For a downloadable copy of IOCs, see STIX file.
CISA and NCSC have identified two campaigns of activity for QSnatch malware. The first campaign likely began in early 2014 and continued until mid-2017, while the second started in late 2018 and was still active in late 2019. The two campaigns are distinguished by the initial payload used as well as some differences in capabilities. This alert focuses on the second campaign as it is the most recent threat.
It is important to note that infrastructure used by the malicious cyber actors in both campaigns is not currently active, but the threat remains to unpatched devices.
Although the identities and objectives of the malicious cyber actors using QSnatch are currently unknown, the malware is relatively sophisticated, and the cyber actors demonstrate an awareness of operational security.
Global distribution of infections
Analysis shows a significant number of infected devices. In mid-June 2020, there were approximately 62,000 infected devices worldwide; of these, approximately 7,600 were in the United States and 3,900 were in the United Kingdom. Figure 1 below shows the location of these devices in broad geographic terms.
Figure 1: Locations of QNAP NAS devices infected by QSnatch
Delivery and exploitation
The infection vector has not been identified, but QSnatch appears to be injected into the device firmware during the infection stage, with the malicious code subsequently run within the device, compromising it. The attacker then uses a domain generation algorithm (DGA)—to establish a command and control (C2) channel that periodically generates multiple domain names for use in C2 communications—using the following HTTP GET request:
HTTP GET https://[generated-address]/qnap_firmware.xml?=t[timestamp]
Analysis shows that QSnatch malware contains multiple functionalities, such as:
- CGI password logger
- This installs a fake version of the device admin login page, logging successful authentications and passing them to the legitimate login page.
- Credential scraper
- SSH backdoor
- This allows the cyber actor to execute arbitrary code on a device.
- When run, QSnatch steals a predetermined list of files, which includes system configurations and log files. These are encrypted with the actor’s public key and sent to their infrastructure over HTTPS.
- Webshell functionality for remote access
The malware appears to gain persistence by preventing updates from installing on the infected QNAP device. The attacker modifies the system host’s file, redirecting core domain names used by the NAS to local out-of-date versions so updates can never be installed.
The following tables provide hashes of related QSnatch samples found in open-source malware repositories. File types fall into two buckets: (1) shell scripts (see table 1) and (2) shell script compiler (SHC)-compiled executable and linking format (ELF) shell scripts (see table 2). One notable point is that some samples intentionally patch the infected QNAP for Samba remote code execution vulnerability CVE-2017-7494.
Table 1: QSnatch samples – shell scripts
|SH Samples (SHA256)|
Table 2: QSnatch samples – SHC-compiled ELF shell scripts
|SH Samples (SHA256)|
As stated above, once a device has been infected, attackers have been known to make it impossible for administrators to successfully run the needed firmware updates. This makes it extremely important for organizations to ensure their devices have not been previously compromised. Organizations that are still running a vulnerable version must run a full factory reset on the device prior to completing the firmware upgrade to ensure the device is not left vulnerable.
Before running a full factory reset:
- Scan the device with the latest version of Malware Remover, available in QNAP App Center, to detect and remove QSnatch or other malware. After the removal of malware, update the firmware to the latest version.
The usual checks to ensure that the latest updates are installed still apply. To prevent reinfection, this recommendation also applies to devices previously infected with QSnatch but from which the malware has been removed.
To prevent QSnatch malware infections, CISA and NCSC strongly recommend that organizations take the recommended measures in QNAP’s November 2019 advisory.
CISA and NCSC also recommend organizations consider the following mitigations:
- Verify that you purchased QNAP devices from reputable sources.
- If sources are in question, run a full factory reset on the device prior to completing the firmware upgrade. For additional supply chain recommendations, see CISA’s tip on Securing Network Infrastructure Devices.
- Block external connections when the device is intended to be used strictly for internal storage.