QSnatch Infects Thousands of QNAP NAS Drives
In the last few days, the U.S. and UK cyber intelligence and security agencies (CISA and the NCSC) have issued reports of successful attacks on over 60,000 QNAP NAS devices across different regions of the world, highlighting that this is a return of the QSnatch malware intrusion that we highlighted last year. The QSnatch hack infiltrates NAS systems by targeting hardware whose system firmware has not been regularly updated to the latest version. This is not the first time we have heard about malware and ransomware intruders accessing data storage devices remotely, and it will likely not be the last. Today I want to talk about QSnatch, who has been affected and how to avoid your system being penetrated by malicious invaders.
NOTE – If you are reading this article in an effort to resolve the effects of QSnatch, I recommend you skip to the bottom, where you will find directions to reverse the effects and avoid the issue in future, as well as a video from the official QNAP UK channel explaining how you can remove QSnatch from your NAS system.
NAS Drives vs Malware, Ransomware and Viruses
The subject of being infiltrated by malicious internet attacks is not new and certainly not limited to QNAP. Over almost a decade we have seen NAS drive manufacturers grow and evolve their hardware and software platforms from the early days of a glorified hard drive over the internet to entire operating systems and multi-tiered software environments in 2020. More and more businesses are moving their data from third-party clouds, arguably a larger target for enterprising hackers, towards private data storage servers. Over the years NAS storage providers have become quite a desirable target for hackers and, much like any technology, especially one connected to the internet, NAS manufacturers such as QNAP, Synology, QSAN, Asustor and more can only ever be one step ahead of the hackers. As soon as a new firmware update arrives, the hackers get to work finding exploits, which are then closed in the next firmware update, and the cycle repeats. The key throughout all of this is to apply firmware updates as regularly as possible, both for the system itself and for the individual apps. That said, we are all human, and all of us can think of times when we clicked 'remind me tomorrow', 'update later' or 'restart later'. Consequently, many NAS drives do not carry the latest firmware as regularly as they should, and this leaves a small opening in your defences that hackers are all too willing to take advantage of. This is pretty much the core of the problem, and the growth of intrusive malware like QSnatch is heavily linked to systems that do not update their firmware regularly. One only has to glance at the security patches and notices from each NAS brand to see how seriously they monitor this.
QNAP Security Updates & Advisory – https://www.qnap.com/en/security-advisories?ref=security_advisory_details
Synology Security Updates & Advisory – https://www.synology.com/en-uk/security/advisory
What Are The Effects of QSnatch?
If the QSnatch malware makes its way into your QNAP NAS, it performs several actions in the early stages of infection (the first two are clear indications that you may have been infiltrated):
1. QSnatch blocks the QNAP NAS' built-in update alerts and prevents the system from installing future firmware updates (though often a manual firmware update, or updating through the Qfinder Pro client tool, will still work to eradicate the effects).
2. QSnatch then blocks the 'Malware Remover' app from running and updating.
3. From there, QSnatch creates a 'back door' for intruders to access your NAS, ultimately creating a new login credential and account on your NAS drive.
4. Finally, QSnatch records the usernames and passwords of all users on the NAS and transmits them over the internet to the remote intruders.
So you can see why it would be hugely damaging for the QSnatch malware to make its way into your system. This malware was originally identified late last year, and QNAP posted several ways in which you can both reverse the effects and prevent this from happening. These measures are:
- Change all passwords for all accounts on the device
- Remove unknown user accounts from the device
- Make sure the device firmware is up-to-date and all of the applications are also updated
- Remove unknown or unused applications from the device
- Install the QNAP Malware Remover application via the App Center
- Set an access control list for the device (Control panel -> Security -> Security level)
A full breakdown of all the things you can do to remove and/or avoid the QSnatch Malware infecting your system can be found HERE.
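Two of the measures above, removing unknown user accounts and reviewing access logs for activity you did not expect, can be done mechanically. The following is an added example (not QNAP's code and not from the original article): it compares the account database against an administrator's baseline and flags successful logins by accounts outside that baseline. The passwd-style entries, the log lines and the log format are constructed for illustration; QTS's real file locations and log format may differ.

```python
"""Audit helper: surface NAS accounts missing from an approved baseline and
flag successful logins by such accounts. Added example, not QNAP's code.
The passwd-style entries and the log lines/format are constructed samples."""
import re

# Constructed baseline: the accounts the administrator knows they created.
APPROVED_ACCOUNTS = {"admin", "alice", "bob", "backup_svc"}

# Constructed /etc/passwd-style entries; 'svc_update' was not created by us.
SAMPLE_PASSWD = """\
admin:x:0:0:administrator:/root:/bin/sh
alice:x:1000:100::/share/homes/alice:/bin/sh
bob:x:1001:100::/share/homes/bob:/bin/sh
backup_svc:x:1002:100::/share/homes/backup_svc:/bin/sh
svc_update:x:0:0::/tmp:/bin/sh
"""

# Constructed access log, hypothetical format: timestamp user source result.
SAMPLE_LOG = """\
2020-07-27T08:01:12Z alice 192.168.1.20 LOGIN_OK
2020-07-27T08:05:44Z svc_update 203.0.113.7 LOGIN_OK
2020-07-27T09:12:03Z bob 192.168.1.31 LOGIN_FAIL
2020-07-27T21:47:55Z svc_update 203.0.113.7 LOGIN_OK
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")


def unknown_accounts(passwd_text, approved):
    """Return (name, is_uid0) for every account not in the approved set;
    uid 0 means administrator rights, the worst case for a planted account."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue  # blank or malformed entry
        name, uid = fields[0], fields[2]
        if name not in approved:
            findings.append((name, uid == "0"))
    return findings


def suspicious_logins(log_text, approved):
    """Return (timestamp, user, source) for successful logins by accounts
    outside the approved set; failed attempts are left out."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(4) == "LOGIN_OK" and m.group(2) not in approved:
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits
```

Run against the real account list and login log in place of the constructed strings; any account the script reports that you did not create, especially one with uid 0, is exactly what the 'remove unknown user accounts' step is about.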
Should you Stop Using your QNAP NAS Now?
The short answer? You can definitely continue using your NAS drive (as long as you install the latest firmware, check your logs and change or amend anything that seems a bit 'off').
The long answer is a bit more involved. Every NAS brand is going to be a target for hackers and data theft; in many ways it is one of the prices of innovation. Hearing stories of QSnatch, WannaCry or MegaLocker will always make you feel that your data is in the crosshairs of a nefarious intruder, but you need your data, and as long as you maintain the latest security patches, your files are as safe as they can be in this modern age of data. Even switching to third-party cloud services (Google Drive, Dropbox, AWS, OneDrive, etc.) will not make you exempt: those platforms have incredibly secure internal infrastructure BUT leave almost all matters of local client file handling and vetting to the end user. Between fast upload/download speeds and the growing number of users sharing a 'cloud drive' for projects, it takes just one unprotected system to potentially infect all the others.
Ultimately, as unfortunate as the QSnatch infection is (and as understandable as the concern around it may be), the best way to avoid these things is to stay on top of your storage system firmware updates, make sure you have a robust off-site/off-system backup in place (RAID is NOT a backup) and use snapshots where possible. The brunt of the QSnatch malware, as the name suggests, is the theft of data, large or small. However, in most cases (especially with ransomware) once data has been taken, the end user is then locked out of the system or its data is encrypted, followed by an email with a payment link to 'help' you get it back! So, regularly review your access logs, change things up if there is even a whiff of suspicion in your mind, and stay on top of those updates and backups.