On Monday, the UK’s and the US’s cyber-security agencies published a joint security alert about QSnatch, a malware strain that has infected QNAP network-attached storage (NAS) devices.
The United States’ Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) say that attacks with the QSnatch malware date back to 2014, but that they became far more severe over the past year: the number of reported infections rose from 7,000 devices in October 2019 to over 62,000 by mid-June 2020.
CISA and the NCSC say that roughly 7,600 of the infected devices are located in the US, and about 3,900 in the UK.
“The first campaign likely began in early 2014 and continued until mid-2017, while the second started in late 2018 and was still active in late 2019,” the two agencies say.
The two agencies say that the two campaigns used different versions of the QSnatch malware. According to the joint alert, the newer QSnatch version comes with an improved and more comprehensive set of features, including modules for a CGI password logger, a credential scraper, an SSH backdoor, data exfiltration, and a webshell for remote access.
The attackers could be exploiting flaws in the QNAP firmware, or they could be logging in with the default password for the admin account; however, neither initial access method has been confirmed with certainty.
Once the attackers gain access, the QSnatch malware is injected into the firmware, from where it takes full control of the device and then blocks future firmware updates so that it survives on the victim NAS.
According to the joint alert, the server infrastructure the QSnatch group used in the second run of attacks is now down, but QSnatch infections remain active on compromised devices around the internet.