
62,000 Devices Infected by Mystery Attackers: Threat Vector Still Unknown

Hard to remove, threat vector opaque, attackers unknown...

By CBR Staff Writer

Mystery attackers have infected 62,000 network attached storage (NAS) devices worldwide from Taiwan’s QNAP with sophisticated malware that prevents administrators from running firmware updates. Bizarrely, years into the campaign, the precise threat vector has still not been publicly disclosed.

The QSnatch malware is capable of a wide range of actions, including stealing login credentials and system configuration data, meaning patched boxes are often rapidly re-compromised, the NCSC warned this week in a joint advisory [pdf] with the US’s CISA, which revealed the scale of the issue.

The cyber actors responsible “demonstrate an awareness of operational security” the NCSC said, adding that their “identities and objectives” are unknown. The agency said over 3,900 QNAP NAS boxes have been compromised in the UK, 7,600 in the US and an alarming 28,000-plus in Western Europe.

QSnatch: What’s Been Targeted?

The QSnatch malware affects NAS devices from QNAP.

Somewhat ironically, the company touts these as a way to help “secure your data from online threats and disk failures”.

The company says it has shipped over three million of the devices. It has declined to reveal the precise threat vector “for security reasons”.

(One user on Reddit says they secured a face-to-face meeting with the company and were told that the vector was two-fold: 1) “A vulnerability in a media library component, CVE-2017-10700.” 2) “A 0day vulnerability on Music Station (August 2018) that allowed attacker to also inject commands as root.”)


The NCSC describes the infection vector as still “unidentified”.

(It added that some of the malware samples, curiously, intentionally patch the infected QNAP for Samba remote code execution vulnerability CVE-2017-7494).

Another security professional, Egor Emeliyanov, who was among the first to identify the attack, says he notified 82 organisations around the world of infection, including Carnegie Mellon, Thomson Reuters, Florida Tech, the Government of Iceland [and] “a few German, Czech and Swiss universities I never heard of before.”

QNAP flagged the threat in November 2019 and pushed out guidance at the time, but the NCSC said too many devices remain infected. To prevent reinfection, owners need to conduct a full factory reset, as the malware has some clever ways of ensuring persistence; some owners may wrongly think they have cleaned house.

“The attacker modifies the system host’s file, redirecting core domain names used by the NAS to local out-of-date versions so updates can never be installed,” the NCSC noted, adding that it then uses a domain generation algorithm to establish a command and control (C2) channel that “periodically generates multiple domain names for use in C2 communications”. Current C2 infrastructure being tracked is dormant.
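The hosts-file tampering described above can be checked for on a copy of a device's hosts file. The following is an added example, not code from the NCSC advisory or from QNAP; the watched domain is a placeholder, because the article does not name the real update hosts, and the sample file is constructed.

```python
import ipaddress

# Assumption: placeholder for the vendor's update domains (not named in the article).
WATCHED_SUFFIXES = ("update.nas-vendor.example",)
# Names that legitimately map to loopback on most systems.
BENIGN_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

def audit_hosts(text, watched_suffixes=WATCHED_SUFFIXES):
    """Return (line, name, address, severity) for names pinned to local addresses."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()      # drop comments, then tokenise
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                               # not an address line
        sinkhole = addr.is_loopback or addr.is_unspecified
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name in BENIGN_NAMES or "." not in name:
                continue
            watched = any(name == s or name.endswith("." + s)
                          for s in watched_suffixes)
            if watched and not addr.is_global:
                # An update host resolving to a local address blocks firmware updates.
                findings.append((lineno, name, str(addr), "high"))
            elif sinkhole:
                # Other DNS names pinned to loopback deserve a manual look.
                findings.append((lineno, name, str(addr), "review"))
    return findings

# Constructed sample hosts file for illustration only.
SAMPLE_HOSTS = "\n".join([
    "127.0.0.1 localhost localhost.localdomain",
    "::1 localhost",
    "192.168.1.20 nas01.lan   # ordinary LAN entry",
    "0.0.0.0 update.nas-vendor.example",
    "127.0.0.1 download.update.nas-vendor.example cdn.other.example",
])

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

A clean result does not prove a device is clean; the factory reset remains the remediation the article describes.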

What’s the Plan?

It’s unclear what the attackers have in mind: back-dooring devices to steal files may be one simple answer. It is unclear how much data may have been stolen. It could also be used as a botnet for DDoS attacks or to deliver/host malware payloads.

QNAP urges users to:

  1. Change the admin password.
  2. Change other user passwords.
  3. Change QNAP ID password.
  4. Use a stronger database root password.
  5. Remove unknown or suspicious accounts.
  6. Enable IP and account access protection to prevent brute force attacks.
  7. Disable SSH and Telnet connections if you are not using these services.
  8. Disable Web Server, SQL server or phpMyAdmin app if you are not using these applications.
  9. Remove malfunctioning, unknown, or suspicious apps.
  10. Avoid using default port numbers, such as 22, 443, 80, 8080 and 8081.
  11. Disable Auto Router Configuration and Publish Services and restrict Access Control in myQNAPcloud.
  12. Subscribe to QNAP security newsletters.

It says that recent firmware updates mean the issue is resolved for those following its guidance. Users say the malware is a royal pain to remove and various Reddit threads suggest that new boxes are still getting compromised. It was not immediately clear if this was due to owners inadvertently exposing the devices to the internet during set-up.
