According to a joint report from the United States’ CISA and the United Kingdom’s NCSC, 62,000 QNAP NAS devices have been infected with malware. QSnatch, a strain of malware, has been infecting network attached storage devices from Taiwanese device manufacturer QNAP. The number of infections grew from 7000 in October 2019 to more than 62,000 infections by June 2020 . In May 2020, the Fidelis Threat Research Team (TRT) assessed that QNAP devices would be under increased risk due to a set of critical vulnerabilities released in May. The TRT listed 3 CVEs, as well as known threats that have previously been reported as involved in targeting QNAP devices, including QSnatch and eCh0raix malware groups since 2018 and 2019.
A chart from the Fidelis TRT’s May 2020 Threat Intelligence report listing Emerging Vulnerabilities to look out for including QSnatch, eCh0raix and Muhstik Bot.
QNAP is a highly popular network-attached storage (NAS) brand. A key attribute of NAS devices is the inherent need to remain connected to the internet or to a network to function, which means there is no workaround other than patching. A Research Analyst on the Fidelis TRT found a report of details for a set of vulnerabilities patched in November 2019 that resurfaced in mid-May 2020. Approximately 312,000 QNAP NAS devices were vulnerable to a chain of exploits, resulting in pre-authenticated remote code execution which allowed the attacker root access to the device. The three vulnerabilities consisted of a local file disclosure/login bypass vulnerability, PHP code upload session tampering and unauthenticated write ability to an arbitrary location. The Fidelis TRT recommends that the best protection against an attack is to patch and update the QNAP software.
QNAP has been targeted in past by attackers leveraging vulnerabilities in QNAP software to deliver malware to victim networks. QSnatch, Muhstik, and eCh0raix are a handful of known malware and ransomware strains known to be used in campaigns targeting QNAP NAS devices. The criticality of these vulnerabilities coupled with the ubiquity of QNAP devices is the primary reason the TRT is prioritizing and identifying these as key vulnerabilities.
In June 2020, 54% of cyberattacks were targeted towards companies in the healthcare, technology and manufacturing industries. Given the current global political and economic events, ransomware and malware attacks continue to pose a high risk for organizations. Employees of all business industries must remain vigilant against common adversary techniques, especially phishing and email compromise attempts. The Fidelis TRT found that the Lazarus Group, a nation-state backed APT adversary, was leveraging employment-themed phishing lures.
Whether or not you are a current Fidelis user, the Fidelis Threat Intelligence Reports aim to inform you of advanced threats and attacks that our Threat Research Team has seen throughout the months. The Fidelis TRT monitors and collects information on external threats which may pose a risk to any organization. The TRT’s qualitative approach to assessing potential risks from known threats proves valuable to any entity, and it is highly recommended that these reports be read in order to remain vigilant against all adversaries.
July 2020 CISA/UK NCSC Report: