Taiwanese storage software and hardware vendor QNAP says there is no sign that infections of its products are growing, after over 60,000 of its network attached storage (NAS) devices were reported to be infected with malware by an unknown attacker.
The sophisticated “Qsnatch” malware affecting QNAP’s NAS devices has the particularly frustrating feature of preventing administrators from running firmware updates.
Over 3,900 QNAP NAS boxes have been compromised in the UK and an alarming 28,000-plus in Western Europe, the NCSC warned July 27 in a joint advisory with the US’s CISA.
QNAP has since suggested the figures have been misrepresented as a steady surge in infections from initial reports in late 2019 and says the issue is contained. (Carnegie Mellon, Thomson Reuters, Florida Tech, the Government of Iceland were among those notified of infection by security researchers early in the campaign).
“Certain media reports claiming that the affected device count has increased from 7,000 to 62,000 since October 2019 are inaccurate due to a misinterpretation of reports from different authorities”, the company said. “At this moment no malware variants are detected… the number of affected devices shows no sign of another incident.”
Qsnatch malware currently infecting at least around 53K QNAP NAS devices. Down from 100K when we originally started reporting to National CSIRTs & network owners in Oct 2019. Europe, US & multiple Asian countries most impacted. Read more on this threat at https://t.co/XQUBVjS3W2 pic.twitter.com/EyaQVhSlhM
— Shadowserver (@Shadowserver) July 30, 2020
The QSnatch malware lets attackers steal login credentials and system configuration data, meaning patched boxes are often rapidly re-compromised.
As Computer Business Review has reported, QNAP initially flagged the threat in November 2019 and pushed out guidance at the time, but the NCSC said too many devices remain infected: the initial infection vector remains deeply opaque, as do the motives of the attackers, whose publicly known C&C infrastructure is dormant.
“The attacker modifies the system host’s file, redirecting core domain names used by the NAS to local out-of-date versions so updates can never be installed,” the NCSC noted, adding that it then uses a domain generation algorithm to establish a command and control (C2) channel that “periodically generates multiple domain names for use in C2 communications”. Current C2 infrastructure being tracked is dormant.
The NCSC is understood to have been in touch with QNAP about the incident.
Non-profit watchdog ShadowServer also reported similar numbers around the same time. QNAP meanwhile said that it has updated its Malware Remover application for the QTS operating system on November 1, 2019 to detect and remove the malware from QNAP NAS and has also released an updated security advisory on November 2, 2019 to address the issue. QNAP said it been emailing “possibly affected users” to recommend an immediate update between February and June this year.