[WARNING] CISA Alert (AA20-209A) Potential Legacy Risk from Malware Targeting QNAP NAS Devices

[gnvdude]

Summary
This is a joint alert from the United States Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC).

CISA and NCSC are investigating a strain of malware known as QSnatch, which attackers used in late 2019 to target Network Attached Storage (NAS) devices manufactured by the firm QNAP.

All QNAP NAS devices are potentially vulnerable to QSnatch malware if not updated with the latest security fixes. The malware, documented in open-source reports, has infected thousands of devices worldwide with a particularly high number of infections in North America and Europe. Further, once a device has been infected, attackers can prevent administrators from successfully running firmware updates.

This alert summarizes the findings of CISA and NCSC analysis and provides mitigation advice.

https://us-cert.cisa.gov/ncas/alerts/aa20-209a

https://www.ncsc.gov.uk/news/legacy-ris ... as-devices

[dolbyman]

another reminder not to expose your NAS .. Qsnatch has been around for a year now

[Toxic17]

Updated Thread Title, added NCSC link, made Sticky, Moved thread to Users Corner

[jaysona]

It appears that a new campaign is getting ready to ramp up.

One of my sacrificial NAS' has been getting some probes and login attempts on various ports. I rotate the https QTS login port from 443, 2443, 6443, 8443, 9090, 9898 & 9999, and over the past four days, the NAS has had failed login attempts. The failed attempts are usually one to three attempts, I presume so as to not trigger any lockouts, and the IP addresses are from well know TOR exit-node providers such as M247 and F3 Netze eV.

I suspect that the bots are scanning IP addresses and ports, looking at the responses, then saving the type of system, then a one or two time check is done, then the system is saved for the wider campaign once it launches.

So, I'd expect a new QTS attack campaign to start-up something within the next few weeks to a couple of months out.

[dolbyman]

fingerprinting devices ...then selling that info out to the folks who want to do the dirty work (infecting and ransom collection)

[jaysona]

Yes, this round of fingerprinting appears to be far more intelligent than previous fingerprinting that went on last year.

I can only wonder what new exploits have been found, what the attack vectors are and how large the attack surface is......

Two days ago, I changed the QTS port forward four times in 10 hours, and during that 10 hour period, QTS what probed and a login attempt was made three times. So the speed at which reconnaissance is being done appears to be pretty quick.

[jaysona]

So, it definitely seems like a new campaign is beginning, I had 14 new access attempts on the sacrificial NAS today, mostly from known TOR exit-node and VPN netblocks, however a few were from China and Russia as well, so it looks like the botnet is starting to come alive.