The US Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC) have issued a joint warning about an ongoing malware campaign targeting network-attached storage (NAS) appliances made by the Taiwanese company QNAP.
The QSnatch (or Derek) malware is used to steal data and has so far compromised about 62,000 devices. Most victims of the malware threat are located in Western Europe and North America.
“All QNAP NAS devices are potentially vulnerable to QSnatch malware if not updated with the latest security fixes. Further, once a device has been infected, attackers can prevent administrators from successfully running firmware updates,” the agencies said in the alert.
The first campaign likely began in early 2014 and continued until mid-2017, while the second started in late 2018 and was still active in late 2019. The two campaigns are distinguished by the initial payload used as well as some differences in capabilities.
The latest version of QSnatch has a wide range of features including:
CGI password logger: installs a fake version of the device admin login page, logging successful authentications and passing them to the legitimate login page;
Credential scraper;
SSH backdoor: allows the attacker to execute arbitrary code on the device;
Exfiltration: QSnatch steals a predetermined list of files, which includes system configurations and log files. These are encrypted with the actor’s public key and sent to their infrastructure over HTTPS;
Webshell functionality for remote access.