QSnatch, a strain of malware that is developed to target the Network-Attached Storage (NAS) devices from the Taiwan-based QNAP, has been on a slow and steady growth curve for the past several years. Recently, a new version of this malware has been observed targeting devices in the US and UK.

New Wave of QSnatch

The US Cybersecurity and Infrastructure Security Agency (CISA) and the UK's National Cyber Security Centre (NCSC) recently issued a joint security alert about a new wave of attacks by QSnatch malware.
  • More than 62,000 targeted infections have been observed in mid-June 2020, as compared to mere 7,000 infected devices in October 2019, indicating a fresh wave of attacks.
  • Of all infected devices, 7,600 of the infected devices are located in the US, and around 3,900 in the UK.
  • Attackers are probably exploiting some vulnerabilities in the QNAP firmware or using the default admin credentials to gain access to the devices, and thus take control of the devices.

A brief history of QSnatch

It was recently found that QSnatch had begun its journey of infecting QNAP devices since 2014.
  • CISA and NCSC have identified two campaigns of activity for QSnatch malware in the past several years.
  • The first campaign is suspected to be active from 2014 until mid-2017, while the second campaign lasted from 2018-end until late 2019.
  • Surprisingly, some samples of QSnatch were seen patching the infected QNAP devices for the Samba remote code execution vulnerability CVE-2017-7494.

Safety tips

Besides updating the QNAP device firmware, and QTS (smart NAS OS) to the latest version, users should block the external connections in case devices are for internal company network use only. Always change the default credentials, and use a strong admin password to avoid brute-force attacks.

Cyware Publisher