[WARNING] CISA Alert (AA20-209A) Potential Legacy Risk from Malware Targeting QNAP NAS Devices

gnvdude
New here
Posts: 8
Joined: Sat May 31, 2014 8:01 am

[WARNING] CISA Alert (AA20-209A) Potential Legacy Risk from Malware Targeting QNAP NAS Devices

Post by gnvdude » Mon Jul 27, 2020 11:37 pm

Summary
This is a joint alert from the United States Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC).

CISA and NCSC are investigating a strain of malware known as QSnatch, which attackers used in late 2019 to target Network Attached Storage (NAS) devices manufactured by the firm QNAP.

All QNAP NAS devices are potentially vulnerable to QSnatch malware if not updated with the latest security fixes. The malware, documented in open-source reports, has infected thousands of devices worldwide with a particularly high number of infections in North America and Europe. Further, once a device has been infected, attackers can prevent administrators from successfully running firmware updates.

This alert summarizes the findings of CISA and NCSC analysis and provides mitigation advice.

https://us-cert.cisa.gov/ncas/alerts/aa20-209a

https://www.ncsc.gov.uk/news/legacy-ris ... as-devices
Last edited by Toxic17 on Wed Jul 29, 2020 12:49 am, edited 3 times in total.
Reason: Updated Thread Title, added NCSC link, made Sticky, Moved thread to Users Corner

dolbyman
Guru
Posts: 22682
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: CISA Alert (AA20-209A) Potential Legacy Risk from Malware Targeting QNAP NAS Devices

Post by dolbyman » Mon Jul 27, 2020 11:45 pm

Another reminder not to expose your NAS. QSnatch has been around for a year now.
Last edited by Toxic17 on Wed Jul 29, 2020 12:49 am, edited 1 time in total.

Toxic17
Ask me anything
Posts: 5658
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth

Re: [WARNING] CISA Alert (AA20-209A) Potential Legacy Risk from Malware Targeting QNAP NAS Devices

Post by Toxic17 » Wed Jul 29, 2020 12:50 am

Updated Thread Title, added NCSC link, made Sticky, Moved thread to Users Corner
Regards Simon

QTS 4.x User Guidex

QNAP Club Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
When you ask a question, please include the following


NAS: TS-473-32GB QM2-2P QXG-10G1T 4.5.3.1652 • TVS-463-16GB 4.5.3.1652 QM2-2S10G1TB • TS-459 Pro 2GB 4.2.6 • TS-121 4.3.3.1624 • APC Back-UPS ES 700G
Network: VM Hub3 • UniFi UDM Pro 1.10-0.9 • Controller: 6.2.23 • UniFi US-16-150W/US-8-60W 5.60.3 • USW Mini Flex 1.8.4 • UniFi G3-Flex • AP: AC Pro 5.60.3 • U6-LR 5.60.3

jaysona
Been there, done that
Posts: 656
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [WARNING] CISA Alert (AA20-209A) Potential Legacy Risk from Malware Targeting QNAP NAS Devices

Post by jaysona » Mon Sep 07, 2020 2:32 am

It appears that a new campaign is getting ready to ramp up.

One of my sacrificial NASes has been getting some probes and login attempts on various ports. I rotate the https QTS login port among 443, 2443, 6443, 8443, 9090, 9898 and 9999, and over the past four days the NAS has had failed login attempts. The failed attempts are usually one to three attempts, I presume so as not to trigger any lockouts, and the IP addresses are from well-known Tor exit-node providers such as M247 and F3 Netze eV.

I suspect that the bots are scanning IP addresses and ports, looking at the responses, then saving the type of system; then a one- or two-time check is done, and the system is saved for the wider campaign once it launches.

So, I'd expect a new QTS attack campaign to start up sometime within the next few weeks to a couple of months out.
H/W: TS-219 Pro / TS-269 Pro / TS-253 Pro (8Gig) / TS-509 Pro x2 / TS-569 Pro
H/W: TS-670 Pro (i7-3770S 16Gig) x2 / TS-853 Pro (8Gig) / TVS-871 Pro (i7-4790S 16Gig)
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 384.19
Router2: Asus RT-AC68U - DD-WRT v3.0-r39960M kongac
Router3: Linksys WRT1900AC - DD-WRT v3.0-r43028 std
Router4: Asus RT-AC66U - FreshTomato v2020.7
Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)

dolbyman
Guru
Posts: 22682
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [WARNING] CISA Alert (AA20-209A) Potential Legacy Risk from Malware Targeting QNAP NAS Devices

Post by dolbyman » Mon Sep 07, 2020 2:37 am

Fingerprinting devices... then selling that info to the folks who want to do the dirty work (infecting and ransom collection).

jaysona
Been there, done that
Posts: 656
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [WARNING] CISA Alert (AA20-209A) Potential Legacy Risk from Malware Targeting QNAP NAS Devices

Post by jaysona » Mon Sep 07, 2020 3:09 am

Yes, this round of fingerprinting appears to be far more intelligent than previous fingerprinting that went on last year.

I can only wonder what new exploits have been found, what the attack vectors are and how large the attack surface is......

Two days ago, I changed the QTS port forward four times in 10 hours, and during that 10-hour period QTS was probed and a login attempt was made three times. So the speed at which reconnaissance is being done appears to be pretty quick.
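The probe pattern jaysona describes in the two posts above (one to three failed logins per source, kept under any lockout threshold, coming from exit-node and VPN netblocks, and probes that find a re-pointed login port within hours) is the kind of thing a small triage script can pull out of a NAS access log. The script below is an added example, not code from this thread or from QNAP: the log line format, the IP addresses, the "suspect" netblocks, the lockout threshold and the port-change times are all constructed for illustration, and a real deployment would read the device's own log and a maintained exit-node list instead.

```python
"""Low-and-slow login probe triage over constructed NAS access-log lines.

Added example, not from the forum thread or from QNAP.  The log format,
netblocks, IPs and timings below are constructed for illustration only.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed stand-ins for "known exit-node / VPN provider" netblocks.
# These are documentation ranges, NOT real attributions; load a maintained
# exit-node list in practice.
SUSPECT_NETBLOCKS = [ipaddress.ip_network(n) for n in (
    "198.51.100.0/24",   # stand-in for a Tor exit-node provider block
    "203.0.113.0/24",    # stand-in for a VPN provider block
)]

# Constructed sample log: "<iso timestamp> <src ip> <dst port> <result>"
SAMPLE_LOG = """\
2020-09-03T08:02:11 198.51.100.17 8443 LOGIN_FAIL
2020-09-03T08:02:19 198.51.100.17 8443 LOGIN_FAIL
2020-09-03T11:45:02 203.0.113.9 2443 LOGIN_FAIL
2020-09-03T12:30:44 192.0.2.40 9090 LOGIN_FAIL
2020-09-03T12:30:50 192.0.2.40 9090 LOGIN_FAIL
2020-09-03T12:30:55 192.0.2.40 9090 LOGIN_FAIL
2020-09-03T12:31:01 192.0.2.40 9090 LOGIN_FAIL
2020-09-03T12:31:08 192.0.2.40 9090 LOGIN_FAIL
2020-09-03T14:00:00 10.0.0.5 443 LOGIN_OK
2020-09-03T17:12:33 198.51.100.88 9999 LOGIN_FAIL
"""

# Constructed: when the admin re-pointed the port forward (timestamp, new port).
SAMPLE_PORT_CHANGES = [
    ("2020-09-03T07:30:00", 8443),
    ("2020-09-03T11:00:00", 2443),
    ("2020-09-03T16:00:00", 9999),
]

LOCKOUT_THRESHOLD = 5  # assumed admin setting: lock a source after 5 failures


def parse_log(text):
    """Turn the constructed log lines into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, port, result = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "ip": ipaddress.ip_address(ip),
            "port": int(port),
            "result": result,
        })
    return events


def in_suspect_netblock(ip):
    return any(ip in net for net in SUSPECT_NETBLOCKS)


def classify(failures, lockout, suspect):
    """Brute force trips the lockout; a few failures from a suspect netblock
    is the fingerprinting pattern; anything else is just low-volume noise."""
    if failures >= lockout:
        return "brute-force"
    if suspect:
        return "low-and-slow probe"
    return "low-volume failure"


def triage(events, lockout=LOCKOUT_THRESHOLD):
    """Group failed logins per source IP and classify each source."""
    per_ip = defaultdict(list)
    for e in events:
        if e["result"] == "LOGIN_FAIL":
            per_ip[e["ip"]].append(e)
    report = {}
    for ip, evs in per_ip.items():
        n = len(evs)
        suspect = in_suspect_netblock(ip)
        report[str(ip)] = {
            "failures": n,
            "ports": sorted({e["port"] for e in evs}),
            "suspect_net": suspect,
            "below_lockout": n < lockout,
            "verdict": classify(n, lockout, suspect),
        }
    return report


def seconds_to_first_probe(events, port_changes):
    """For each port change, seconds until the first failed login hit the
    new port (None if it was never probed). Measures reconnaissance speed."""
    out = {}
    for ts_str, port in port_changes:
        change_ts = datetime.fromisoformat(ts_str)
        hits = [e["ts"] for e in events
                if e["port"] == port and e["result"] == "LOGIN_FAIL"
                and e["ts"] >= change_ts]
        out[port] = int((min(hits) - change_ts).total_seconds()) if hits else None
    return out


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, row in triage(evs).items():
        print(ip, row)
    print(seconds_to_first_probe(evs, SAMPLE_PORT_CHANGES))
```

On the constructed sample the three exit-node-range sources come out as "low-and-slow probe" with one or two failures each, the five-failure source is "brute-force", and each re-pointed port was probed within 32 to 73 minutes of the change. The useful caveat is the one jaysona already implies: a per-IP lockout counter never fires on this pattern, so the signal is the count of distinct low-failure sources over days, not any single source.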

jaysona
Been there, done that
Posts: 656
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [WARNING] CISA Alert (AA20-209A) Potential Legacy Risk from Malware Targeting QNAP NAS Devices

Post by jaysona » Tue Sep 08, 2020 3:58 am

So, it definitely seems like a new campaign is beginning. I had 14 new access attempts on the sacrificial NAS today, mostly from known Tor exit-node and VPN netblocks; however, a few were from China and Russia as well, so it looks like the botnet is starting to come alive.
