Called QSnatch (or Derek), the data-stealing malware is said to have compromised 62,000 devices since reports emerged last October, with a high degree of infection in Western Europe and North America.
“All QNAP NAS devices are potentially vulnerable to QSnatch malware if not updated with the latest security fixes,” the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) said in the alert.
“Further, once a device has been infected, attackers can prevent administrators from successfully running firmware updates.”
The mode of compromise, i.e., the infection vector, remains unclear, but CISA and NCSC said the first campaign likely began in 2014 and continued until mid-2017 before intensifying over the last few months to infect about 7,600 devices in the US and approximately 3,900 devices in the UK.
Over 7,000 NAS devices were targeted with the malware in Germany alone, according to the German Computer Emergency Response Team (CERT-Bund) as of October 2019.
Although the infrastructure used by the bad actors in both campaigns is not currently active, the second wave of attacks involves injecting the malware during the infection stage and then using a domain generation algorithm (DGA) to set up a command-and-control (C2) channel for remote communication with the infected hosts and to exfiltrate sensitive data.
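A DGA-based C2 channel leaves a characteristic footprint in DNS logs: a single host querying many random-looking second-level labels, most of which do not resolve (NXDOMAIN) until the day's registered domain is hit. The following script is an added example written for this page, not code from the article, CISA/NCSC or QNAP; the log format, client addresses and domain names are constructed, and the entropy, vowel-ratio and length thresholds are assumed heuristics rather than parameters of QSnatch's actual DGA.

```python
"""Heuristic detection of DGA-style DNS activity over constructed resolver logs."""
import math
import re
from collections import defaultdict

# Constructed resolver log lines (not real traffic): "<unix_ts> <client_ip> <qname> <rcode>"
SAMPLE_LOG = """\
1596200001 10.0.0.5 www.example.com NOERROR
1596200002 10.0.0.5 cdn.example.net NOERROR
1596200003 10.0.0.7 xkqjvwzpltrb.com NXDOMAIN
1596200004 10.0.0.7 qwpzmfkdtrvh.net NXDOMAIN
1596200005 10.0.0.7 bvnxtkrqwlpz.org NXDOMAIN
1596200006 10.0.0.7 zrkqpwvxmtlb.com NXDOMAIN
1596200007 10.0.0.7 mgtvzqwkxprl.info NXDOMAIN
1596200008 10.0.0.9 mail.example.org NOERROR
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(text):
    """Bits per character of the string; random-looking labels score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(qname):
    """Return the registrable label, e.g. 'example' for 'www.example.com'.
    Assumption: single-label public suffixes only (no .co.uk handling)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def label_score(label):
    """0..3: one point each for high entropy, few vowels and long length.
    Thresholds are assumed heuristics, not parameters of any real DGA."""
    score = 0
    if shannon_entropy(label) > 3.0:
        score += 1
    vowels = sum(1 for ch in label if ch in "aeiou")
    if label and vowels / len(label) < 0.3:
        score += 1
    if len(label) >= 10:
        score += 1
    return score


def parse_log(text):
    """Parse the constructed log format into (ts, client, qname, rcode) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qname, rcode = m.groups()
            records.append((int(ts), client, qname, rcode))
    return records


def flag_clients(records, min_suspicious=3, min_nx_ratio=0.5):
    """Group queries per client and flag hosts that combine several random-looking
    labels with a high NXDOMAIN ratio, the footprint a DGA leaves while probing
    for a live C2 domain."""
    per_client = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "suspicious": []})
    for _, client, qname, rcode in records:
        stats = per_client[client]
        stats["queries"] += 1
        if rcode == "NXDOMAIN":
            stats["nxdomain"] += 1
        if label_score(second_level_label(qname)) >= 2:
            stats["suspicious"].append(qname)
    flagged = {}
    for client, stats in per_client.items():
        nx_ratio = stats["nxdomain"] / stats["queries"]
        if len(stats["suspicious"]) >= min_suspicious and nx_ratio >= min_nx_ratio:
            flagged[client] = {"nx_ratio": nx_ratio, "suspicious": stats["suspicious"]}
    return flagged


if __name__ == "__main__":
    for client, info in flag_clients(parse_log(SAMPLE_LOG)).items():
        print(client, f"nxdomain_ratio={info['nx_ratio']:.2f}", info["suspicious"])
```

Run against the constructed sample, only 10.0.0.7 is flagged: five high-entropy, vowel-free labels with a 100% NXDOMAIN rate, while the hosts querying example.com-style names score zero. In production the same per-client aggregation would be fed from resolver or passive-DNS logs, and a NAS appliance showing this pattern is a candidate for isolation and firmware verification rather than a routine update.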