Mystery attackers have infected 62,000 global network attached storage (NAS) devices from Taiwan’s QNAB with sophisticated malware that prevents administrators from running firmware updates. Bizarrely, years into the campaign, the precise threat vector has still not been publicly disclosed.

The QSnatch malware is capable of a wide range of actions, including stealing login credentials and system configuration data, meaning patched boxes are often rapidly re-compromised, the NCSC warned this week in a joint advisory [pdf] with the US’s CISA, which revealed the scale of the issue.

The cyber actors responsible “demonstrate an awareness of operational security” the NCSC said, adding that their “identities and objectives” are unknown. The agency said over 3,900 QNAP NAS boxes have been compromised in the UK, 7,600 in the US and an alarming 28,000-plus in Western Europe.

QSnatch: What’s Been Targeted?

The QSnatch malware affects NAS devices from QNAP.

Somewhat ironically, the company touts these as a way to help “secure your data from online threats and disk failures”.

The company says it has shipped over three million of the devices. It has declined to reveal the precise threat vector “for security reasons”.

(One user on Reddit says they secured a face-to-face meeting with the company and were told that the vector was two-fold: 1) “A vulnerability in a media library component, CVE-2017-10700. 2) “A 0day vulnerability on Music Station (August 2018) that allowed attacker to also inject commands as root.”)

The NCSC describes the infection vector as still “unidentified”.

(It added that some of the malware samples, curiously, intentionally patch the infected QNAP for Samba remote code execution vulnerability CVE-2017-7494).

Another security professional, Egor Emeliyanov, who was among the first to identify the attack, says he notified 82 organisations around the world of infection, including Carnegie Mellon, Thomson Reuters, Florida Tech, the Government of Iceland [and] “a few German, Czech and Swiss universities I never heard of before.”

QNAP flagged the threat in November 2019 and pushed out guidance at the time, but the NCSC said too many devices remain infected. To prevent reinfection, owners need to conduct a full factory reset, as the malware has some clever ways of ensuring persistence; some owners may think they have wrongly cleaned house.

“The attacker modifies the system host’s file, redirecting core domain names used by the NAS to local out-of-date versions so updates can never be installed,” the NCSC noted, adding that it then uses a domain generation algorithm to establish a command and control (C2) channel that “periodically generates multiple domain names for use in C2 communications”. Current C2 infrastructure being tracked is dormant.

What’s the Plan?

It’s unclear what the attackers have in mind: back-dooring devices to steal files may be one simple answer. It is unclear how much data may have been stolen. It could also be used as a botnet for DDoS attacks or to deliver/host malware payloads.

QNAP urges users to:

  1. Change the admin password.
  2. Change other user passwords.
  3. Change QNAP ID password.
  4. Use a stronger database root password
  5. Remove unknown or suspicious accounts.
  6. Enable IP and account access protection to prevent brute force attacks.
  7. Disable SSH and Telnet connections if you are not using these services.
  8. Disable Web Server, SQL server or phpMyAdmin app if you are not using these applications.
  9. Remove malfunctioning, unknown, or suspicious apps
  10. Avoid using default port numbers, such as 22, 443, 80, 8080 and 8081.
  11. Disable Auto Router Configuration and Publish Services and restrict Access Control in myQNAPcloud.
  12. Subscribe to QNAP security newsletters.

It says that recent firmware updates mean the issue is resolved for those following its guidance. Users say the malware is a royal pain to remove and various Reddit threads suggest that new boxes are still getting compromised. It was not immediately clear if this was due to them inadvertantly exposing them to the internet during set-up.

See also: Microsoft Patches Critical Wormable Windows Server Bug with a CVSS of 10.0