Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

QNAP urges users to update Malware Remover after QSnatch joint alert

The Taiwanese vendor QNAP urges its users to update the Malware Remover app following the alert on the QSnatch malware. The Taiwanese company QNAP is urging its users to update the Malware Remover app to prevent NAS devices from being infected by the QSnatch malware. This week, the United States Cybersecurity and Infrastructure Security Agency […]

eCh0raix Ransomware

The Taiwanese vendor QNAP urges its users to update the Malware Remover app following the alert on the QSnatch malware.

The Taiwanese company QNAP is urging its users to update the Malware Remover app to prevent NAS devices from being infected by the QSnatch malware.

This week, the United States Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) issued a joint advisory about a massive ongoing campaign spreading the QSnatch data-stealing malware.

“CISA and NCSC have identified two campaigns of activity for QSnatch malware. The first campaign likely began in early 2014 and continued until mid-2017, while the second started in late 2018 and was still active in late 2019. The two campaigns are distinguished by the initial payload used as well as some differences in capabilities. This alert focuses on the second campaign as it is the most recent threat.” reads the alert. “Analysis shows a significant number of infected devices. In mid-June 2020, there were approximately 62,000 infected devices worldwide; of these, approximately 7,600 were in the United States and 3,900 were in the United Kingdom.”

The malicious code specifically targets QNAP NAS devices manufactured by Taiwanese company QNAP, it already infected over 62,000 QNAP NAS devices.

The QSnatch malware implements multiple functionalities, such as:  

  • CGI password logger  
    • This installs a fake version of the device admin login page, logging successful authentications and passing them to the legitimate login page.
  • Credential scraper
  • SSH backdoor  
    • This allows the cyber actor to execute arbitrary code on a device.
  • Exfiltration
    • When run, QSnatch steals a predetermined list of files, which includes system configurations and log files. These are encrypted with the actor’s public key and sent to their infrastructure over HTTPS.
  • Webshell functionality for remote access
QSnatch QNAP

QSnatch (aks Derek) is a data-stealing malware that was first details by the experts at the National Cyber Security Centre of Finland (NCSC-FI) in October 2019. The experts were alerted about the malware in October and immediately launched an investigation.

At the time, the German Computer Emergency Response Team (CERT-Bund) reported that over 7,000 devices have been infected in Germany alone.

QNAP attempted to downplay the effects of the campaign aimed at infecting its NAS devices.

“QNAP reaffirms that at this moment no malware variants are detected, and the number of affected devices shows no sign of another incident.” reads a post published by the company.

“Certain media reports claiming that the affected device count has increased from 7,000 to 62,000 since October 2019 are inaccurate due to a misinterpretation of reports from different authorities,”

The vendor recommends installing the latest version of the Malware Remover app that is available through the QTS App Center or on its website.

“Users are urged to install the latest version of the Malware Remover app from the QTS App Center or by manual downloading from the QNAP website. QNAP also recommends a series of actions for enhancing QNAP NAS security. They’re also detailed in the security advisory.” continues the advisory.

Below some of the actions recommended by the vendor:

  1. Update QTS and Malware Remover.
  2. Install and update Security Counselor.
  3. Change the admin password and use a strong one.
  4. Enable IP and account access protection to prevent brute force attacks.
  5. Disable SSH and Telnet connections if they are not necessary.
  6. Avoid using default ports (i.e. 443 and 8080).

Even though the attach chain is not clear, the joint alert reveals that some QSnatch samples will intentionally patch the infected QNAP for Samba remote code execution vulnerability CVE-2017-7494.

According to the experts, currently, the attack infrastructure behind the previous QSnatch campaign is not more active, but users have to update their NAS devices as soon as possible to prevent future attacks.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, QSnatch)

[adrotate banner=”5″]

[adrotate banner=”13″]