QSnatch Botnet

QSnatch is a newly observed botnet targeting exposed QNAP network-attached storage (NAS) devices.


Threat details

At the time of publication, it is unclear how QSnatch is delivered to target devices, although there are unconfirmed reports indicating an automated scanner is identifying vulnerable devices and dropping QSnatch directly.

Once delivered, QSnatch is injected directly into the affected system's firmware. It then contacts a command and control server and downloads an unidentified payload. QSnatch then disables QNAP's Malware Remover application before retrieving all usernames and passwords present on the system.


Remediation steps

QNAP has recommended the following mitigations to address the underlying vulnerabilities exploited by QSnatch:

  • Ensure QTS is fully updated.
  • Ensure QNAP Security Counselor is installed and fully updated.
  • Ensure QNAP Malware Remover is installed and fully updated.
  • Ensure affected devices are not using weak or default credentials.
  • Enable IP and Account Access Protection.
  • Disable SSH and Telnet services if they are not used.
  • Avoid using default ports (typically TCP 443 and 8080) if possible.

Further advice and guidance on applying these mitigations can be found in QNAP security advisory NAS-201911-01.
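
To verify the service-related mitigations on your own devices, the following added example (not part of the original advisory or QNAP's guidance) checks which of the listed services still accept TCP connections. It assumes SSH and Telnet are on their standard ports 22 and 23; the function names and messages are illustrative.

```python
import socket
import sys

# Ports tied to the mitigations above. 443 and 8080 are named in the
# advisory; 22 (SSH) and 23 (Telnet) are the standard ports and are an
# assumption here, since a device can be configured to use others.
CHECKS = {
    22: "SSH is reachable: disable the service if it is not used",
    23: "Telnet is reachable: disable the service if it is not used",
    443: "Default port 443 is in use: move to a non-default port if possible",
    8080: "Default port 8080 is in use: move to a non-default port if possible",
}


def is_listening(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, timed out, unreachable or unresolvable: not exposed
        # from this vantage point.
        return False


def audit(host, checks=CHECKS, timeout=2.0):
    """Return {port: advice} for each checked port that accepts connections."""
    return {port: advice for port, advice in checks.items()
            if is_listening(host, port, timeout)}


if __name__ == "__main__":
    # Usage: python nas_audit.py <nas-address> [<nas-address> ...]
    for nas in sys.argv[1:]:
        findings = audit(nas)
        if not findings:
            print(f"{nas}: none of the checked services are reachable")
        for port, advice in sorted(findings.items()):
            print(f"{nas}: tcp/{port}: {advice}")
```

Results depend on where the script runs: a check from inside the LAN shows what the device offers, while a check from an external network shows what the router or firewall actually exposes.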


Last edited: 14 February 2020 2:56 pm