Data-stealing, password-harvesting, backdoor-opening QNAP NAS malware cruises along at 62,000 infections

If you're still using a vulnerable box, you ought to factory reset it before patching

Some 62,000 QNAP network-attached storage (NAS) boxes are right now infected with the data-stealing QSnatch malware, the US and UK governments warned today.

A joint statement from America's Cybersecurity and Infrastructure Security Agency (CISA) and Britain's National Cyber Security Centre (NCSC) said the software nasty, first spotted in October, had hijacked tens of thousands of devices as of mid-June 2020, with "a particularly high number of infections in North America and Europe." It is estimated 7,600 hijacked QNAP boxes were in America, and 3,900 in the UK.

The situation is particularly messy because Taiwan-based QNAP has not, to the best of our knowledge, disclosed exactly how the malware breaks into vulnerable boxes, advising simply that owners should ensure the latest firmware is installed to prevent future infection. Judging from conversations people have had with the manufacturer's support desk, it appears there was a remotely exploitable hole in the firmware, perhaps down to the operating system level, which was fixed in November.

CISA and NCSC are none the wiser. The latest firmware includes a malware scanner, we note.

Another headache is that the malware, once on a NAS box, may block the installation of future firmware updates, so folks are advised to factory reset their devices, wiping them clean, if they're still running a vulnerable version so that they can be successfully upgraded.

QSnatch is so-called because it opens various backdoors, including SSH and a webshell, allowing its masterminds to potentially log in from afar. It can also exfiltrate data from the storage machines, and harvest credentials. It is definitely not something you want on your internal network. For one thing, even if you patch one of the NAS boxes, usernames and passwords stolen from the machine could be used to log back in, or access other parts of the organization, if credentials have been reused or not changed since the intrusion. The one good piece of news is that the backend systems controlling the malware are not active right now, the security agencies noted in their statement.

"Once a device has been infected, attackers have been known to make it impossible for administrators to successfully run the needed firmware updates," CISA and NCSC warned.

"This makes it extremely important for organizations to ensure their devices have not been previously compromised. Organizations that are still running a vulnerable version must run a full factory reset on the device prior to completing the firmware upgrade to ensure the device is not left vulnerable.

"The usual checks to ensure that the latest updates are installed still apply. To prevent reinfection, this recommendation also applies to devices previously infected with QSnatch but from which the malware has been removed. To prevent QSnatch malware infections, CISA and NCSC strongly recommend that organizations take the recommended measures in QNAP’s November 2019 advisory."

What makes QSnatch particularly nasty, though, said CISA and NCSC, is its ability to persist on all unpatched QNAP NAS models, knackering the firmware update mechanism by altering DNS settings: "The malware appears to gain persistence by preventing updates from installing on the infected QNAP device. The attacker modifies the system host’s file, redirecting core domain names used by the NAS to local out-of-date versions so updates can never be installed."
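A defender-side check for the hosts-file tampering the agencies describe, as an added example that is not code from the CISA/NCSC alert, QNAP or the original article: it parses a hosts file and reports any static entry that pins a watched update domain. The domain names are placeholders (the article does not list the real ones), the sample hosts file is constructed, and the function names are hypothetical.

```python
import ipaddress

# Placeholder watchlist: substitute the update/licensing domains your NAS
# firmware actually contacts (the article does not list them).
WATCHED_DOMAINS = ("update.nas-vendor.example", "download.nas-vendor.example")

# Constructed sample hosts file, not taken from a real infected device.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# 127.0.0.1 update.nas-vendor.example   (commented out, must be ignored)
0.0.0.0     Update.NAS-Vendor.example.
192.168.1.9 backup.lan cdn.download.nas-vendor.example  # inline comment
10.0.0.5    fakeupdate.nas-vendor.example
bogus-line-without-address
"""


def is_watched(name, watched=WATCHED_DOMAINS):
    """True if name equals a watched domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in watched)


def find_overrides(hosts_text, watched=WATCHED_DOMAINS):
    """Return (line_no, address, hostname, scope) for each static entry
    that pins a watched domain. scope is 'local' for loopback, private or
    unspecified addresses, otherwise 'remote'."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank, comment-only, or malformed line
        try:
            addr = ipaddress.ip_address(fields[0].split("%", 1)[0])
        except ValueError:
            continue  # first field is not an IP address
        local = addr.is_loopback or addr.is_private or addr.is_unspecified
        for name in fields[1:]:
            if is_watched(name, watched):
                findings.append((line_no, str(addr), name.lower().rstrip("."),
                                 "local" if local else "remote"))
    return findings


if __name__ == "__main__":
    for finding in find_overrides(SAMPLE_HOSTS):
        print("line %d: %s pins %s (%s)" % finding)
```

Update domains are normally resolved through DNS, so any hit on a copy of the device's hosts file is worth investigating, whichever scope it reports.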

By the way, the late-2019 outbreak was actually the second time QSnatch pillaged QNAP NAS boxes. A previous strain of the malware was seen spreading in 2018 and 2019 with a different payload and, the agencies said, a more limited set of capabilities.

By contrast, the late 2019 version has proven far more virulent and dangerous for its victims. What's more, the people behind the software nasty remain at large. "Although the identities and objectives of the malicious cyber actors using QSnatch are currently unknown, the malware is relatively sophisticated," the government agencies warned, "and the cyber actors demonstrate an awareness of operational security."

A spokesperson for QNAP told The Register: "From our observations, the situation has been gradually settling down with no obvious sign of new malware variation or another outbreak." ®

Editor's note: An earlier version of this article stated there were 7,000 QNAP devices infected in October 2019. We're happy to clarify that this number was limited to Germany alone, and not a worldwide figure.
