28 July 2020

QSnatch operators stole data from over 62,000 QNAP network storages

US Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC) issued a joint warning of an ongoing malware campaign targeting Taiwanese company QNAP's network-attached storage (NAS) appliances.

The QSnatch malware (also tracked as Derek) is used to steal data from infected appliances and has so far compromised about 62,000 devices. Most victims are located in Western Europe and North America.

“All QNAP NAS devices are potentially vulnerable to QSnatch malware if not updated with the latest security fixes. Further, once a device has been infected, attackers can prevent administrators from successfully running firmware updates,” the agencies said in the alert.

The first campaign likely began in early 2014 and continued until mid-2017, while the second started in late 2018 and was still active in late 2019. The two campaigns are distinguished by the initial payload used as well as some differences in capabilities.

The latest version of QSnatch has a wide range of features including:

  • CGI password logger: installs a fake version of the device admin login page that logs successful authentications and then passes them on to the legitimate login page;

  • Credential scraper;

  • SSH backdoor: allows the attacker to execute arbitrary code on the device;

  • Exfiltration: QSnatch steals a predetermined list of files, which includes system configurations and log files. These are encrypted with the actor’s public key and sent to the actor’s infrastructure over HTTPS;

  • Webshell functionality for remote access.
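The exfiltration bullet describes the usual hybrid pattern: each stolen file is sealed under a fresh symmetric key, and only that key is encrypted to the actor’s public key. The block below is an added illustration of that pattern in Go, not QSnatch’s code and not taken from the CISA/NCSC alert; the type and function names (Bundle, EncryptForRecipient, Decrypt), the file name and the file contents are constructed for the example. The point for a responder is at the end of main: a bundle recovered from the device or captured off the wire cannot be opened without the actor’s private key, so the investigation has to work from which files were selected and where the HTTPS transfers went, not from the payload contents.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Bundle is the unit a client would hand to its HTTPS transport: one file,
// sealed under a fresh AES-256 key that only the holder of the recipient's
// RSA private key can unwrap. (Example structure, not QSnatch's format.)
type Bundle struct {
	Name       string // file path, bound into both layers (OAEP label / GCM associated data)
	WrappedKey []byte // 32-byte AES key, RSA-OAEP(SHA-256) encrypted to the recipient's public key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM ciphertext followed by the authentication tag
}

// EncryptForRecipient seals one file: random AES-256 key per file, file
// encrypted with AES-GCM, key wrapped with RSA-OAEP under the public key.
func EncryptForRecipient(pub *rsa.PublicKey, name string, plaintext []byte) (*Bundle, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	label := []byte(name)
	ct := gcm.Seal(nil, nonce, plaintext, label)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, label)
	if err != nil {
		return nil, err
	}
	return &Bundle{Name: name, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt is the step only the private-key holder can perform. Unwrapping
// fails closed on a wrong key or a renamed/tampered bundle.
func Decrypt(priv *rsa.PrivateKey, b *Bundle) ([]byte, error) {
	label := []byte(b.Name)
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, b.WrappedKey, label)
	if err != nil {
		return nil, errors.New("key unwrap failed: wrong private key or tampered bundle")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, label)
}

func main() {
	// Constructed sample: a throwaway "actor" key pair and a fake config file.
	actorKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	conf := []byte("[admin]\npassword_hash=constructed-sample-value\n")
	b, err := EncryptForRecipient(&actorKey.PublicKey, "/etc/config/sample.conf", conf)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s: wrapped key %d bytes, ciphertext %d bytes\n", b.Name, len(b.WrappedKey), len(b.Ciphertext))

	// A defender holding the bundle but not the actor's private key gets nothing.
	defenderKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	if _, err := Decrypt(defenderKey, b); err != nil {
		fmt.Println("defender without actor key:", err)
	}
	// The actor, with the matching private key, recovers the file.
	if pt, err := Decrypt(actorKey, b); err == nil {
		fmt.Printf("actor recovers %d bytes\n", len(pt))
	}
}
```

Run it with `go run`; the RSA key generation is the only slow step. Note that binding the file name into the OAEP label and the GCM associated data means a bundle whose Name field was altered in transit or on disk fails to decrypt even for the legitimate recipient, which is the behaviour a careful exfiltration client, or a careful backup tool using the same construction, would want.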
