28 July 2020

QSnatch operators stole data from over 62,000 QNAP network storage devices

US Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC) issued a joint warning of an ongoing malware campaign targeting Taiwanese company QNAP's network-attached storage (NAS) appliances.

The QSnatch (or Derek) malware is used to steal data and has so far compromised about 62,000 devices. Most victims of the malware threat are located in Western Europe and North America.

“All QNAP NAS devices are potentially vulnerable to QSnatch malware if not updated with the latest security fixes. Further, once a device has been infected, attackers can prevent administrators from successfully running firmware updates,” the agencies said in the alert.

The first campaign likely began in early 2014 and continued until mid-2017, while the second started in late 2018 and was still active in late 2019. The two campaigns are distinguished by the initial payload used as well as some differences in capabilities.

The latest version of QSnatch has a wide range of features including:

  • CGI password logger: installs a fake version of the device admin login page, logging successful authentications and passing them to the legitimate login page;

  • Credential scraper;

  • SSH backdoor: allows the attacker to execute arbitrary code on the device;

  • Exfiltration: QSnatch steals a predetermined list of files, which includes system configurations and log files. These are encrypted with the actor’s public key and sent to their infrastructure over HTTPS;

  • Webshell functionality for remote access.
