QNAP NAS and QSnatch – What You Need to Know

QNAP NAS and QSnatch

It has been reported in the last 24hours by numerous sources that around 7,000+ of the devices were infected on Thursday in numerous locations in Germany. The alert came from the CERT-Bund, Germany’s computer emergency response operation for incursions like this. Infected devices are running vulnerable outdated firmware, according to CERT-Bund. The attackers are remotely connected to affected QNAP devices using port forwarding actioned by the infection. CERT-Bund refers to a report from the National Cyber Security Centre of Finland, (NCSC-FI) posted the previous month. It is highlighted that NCSC-FI discovered the QSnatch malware in October after noticing an unusually high number of devices were attempting to communicate with specific command and control servers within their area. The malware was discovered through the Auto-reporter service, which sends automatic reports to network admins about security incidents detected in their networks for incidents such as this. Though this issue has been identified in an isolated area, this does not automatically mean that other regions and areas cannot be affected, so if you are concerned, please follow the steps at the bottom of this article to increase your system protection.

How Does QSnatch Effect your QNAP NAS?

NSCS-FI was uncertain how QNAP devices were initially infected, however, it found as devices became, malicious code was injected into the device’s firmware, giving the attacker a good foothold to compromise the device. The malware then uses domain generation algorithms to retrieve more malware from the attacker’s servers that is executed inside the OS with system rights.  At this point, the device’s security tools are disabled and the machine is ransacked for credentials. For example, the QNAP MalwareRemover App is prevented from running and firmware updates are prevented, while the device’s usernames and passwords are sent to the attacker’s server. So users are being recommended to check that the malware protection applications taht are included with your QNAP NAS are running and your firmware is upto the latest version (QTS 4.4.1) at this time.

How Does QSnatch enter the QNAP NAS?

Additionally, the malware is modular (applied gradually) and hinges on allowing the attackers to remotely change and adapt the settings on an infected machine. The good news is that the malware can be removed, but this is a gradual process and below we have detailed the QNAP recommendations. QNAP’s advisory for a security flaw in its Linux-based QTS OS that it disclosed in February. QNAP noted it had received reports of malware that “prevents affected QNAP NAS devices from detecting updates for QTS, installing Malware Remover, and updating other applications.” The patch was designed to allow QTS to remove the malware.  Of course, for the super, duper worried, you can always perform a full system reset, however this would be an extreme measure and heavily relies on a full off-system backup be in place. If this course of action is possible in your storage environment though, the NCSC-FI urges users to take several additional steps, such as the usual changing all passwords for all accounts on the device, checking for and removing unknown user accounts, getting the latest firmware updates, removing unknown apps and as a last precautionary measure, perhaps changing the static IP of your system in efforts to bounce activity. Regardless, it is highlight recommended (if you haven’t already) to install the QNAP MalwareRemover application from the App Center and then ramp up those security settings.

QNAP NAS Recommendation for Dealing with QSnatch

  • Release date: November 1, 2019
  • Security ID: NAS-201911-01
  • Severity: High
  • CVE identifier: N/A
  • Affected products: QNAP NAS devices

Summary

The QSnatch malware is reportedly being used to target QNAP NAS devices. The National Cyber Security Center Finland (NCSC-FI) has received reports via the Autoreporter service in mid-October about infected devices attempting to communicate with specific command-and-control (C2) servers.

No other vulnerabilities have been found in the current investigation on the malware. QNAP is currently working on a new update for Malware Remover and will release the update as soon as possible. Please wait for further announcements.

If you have any questions regarding this issue, contact us through the QNAP Helpdesk.

Recommendation

To avoid attacks, we strongly recommend following the steps below:

  1. Update QTS to the latest version.
  2. Install and update Security Counselor to the latest version.
  3. Use a stronger admin password.
  4. Enable IP and account access protection to prevent brute force attacks.
  5. Disable SSH and Telnet connections if you are not using these services.
  6. Avoid using default port numbers 443 and 8080.

Installing the QTS Update

  1. Log on to QTS as administrator.
  2. Go to Control Panel > System > Firmware Update.
  3. Under Live Update, click Check for Update.
    QTS downloads and installs the latest available update.

Installing and running the latest version of Security Counselor

  1. Log on to QTS as administrator.
  2. Open the App Center, and then click the Search icon.
    A search box appears.
  3. Type “Security Counselor”, and then press ENTER.
    The Security Counselor application appears in the search results list.
  4. Click Install or Update.
    A confirmation message appears.
  5. Click OK.
    The application is installed or updated to the latest version.
  6. Open Security Counselor.
  7. Click Start Scan.
    Security Counselor scans the NAS for rules.

Changing the Device Password

  1. Log on to QTS as administrator.
  2. Click the profile picture on the QTS Task Bar.
    The Options window opens.
  3. Click Change Password.
  4. Specify the old password.
  5. Specify the new password.
    QNAP recommends the following criteria to improve password strength:

    • Should be at least 8 characters in length
    • Should include both uppercase and lowercase characters
    • Should include at least one number and one special character
    • Must not be the same as the username or the username reversed
    • Must not include characters that are consecutively repeated three or more times
  6. Verify the new password.
  7. Click Apply.

Enabling IP and Account Access Protection

  1. Log on to QTS as administrator.
  2. Go to Control Panel > System Security.
  3. Select IP Access Protection.
  4. Enable SSH and HTTP(s) access protection.
    • Select SSH and HTTP(S).
    • Specify time periods and the number of failed login attempts.
  5. Select Account Access Protection.
  6. Enable SSH and HTTP(s) access protection.
    • Select SSH and HTTP(S).
    • Specify time periods and the number of failed login attempts.
  7. Click Apply.

Disabling SSH and Telnet Connections

  1. Log on to QTS as administrator.
  2. Go to Control Panel > Network & File Services > Telnet/SSH.
  3. Deselect Allow Telnet connection.
  4. Deselect Allow SSH connection.
  5. Click Apply.

Changing the System Port Number

  1. Log on to QTS as administrator.
  2. Go to Control Panel > System > General Settings > System Administration.
  3. Specify a new system port number.
    Warning: Do not use 443 or 8080.
  4. Click Apply.