TTCSIRT-328.07. 27.20: TT-CSIRT ADVISORY- POTENTIAL LEGACY RISK FROM MALWARE TARGETING QNAP NAS DEVICES

The United States Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) are investigating a strain of malware known as QSnatch, which attackers used in late 2019 to target Network Attached Storage (NAS) devices manufactured by the firm QNAP.

All QNAP NAS devices are potentially vulnerable to QSnatch malware if not updated with the latest security fixes.
The malware, documented in open-source reports, has infected thousands of devices worldwide with a particularly high number of infections in North America and Europe.

Further, once a device has been infected, attackers can prevent administrators from successfully running firmware updates.

Organizations that are still running a vulnerable version must run a full factory reset on the device prior to completing the firmware upgrade to ensure the device is not left vulnerable.

The usual checks to ensure that the latest updates are installed still apply.

To prevent reinfection, this recommendation also applies to devices previously infected with QSnatch but from which the malware has been removed.

The Trinidad and Tobago Cyber Security Incident Response Team (CSIRT) encourages users and administrators to review and apply the necessary updates.

For further review please see the following link:

https://us-cert.cisa.gov/ncas/alerts/aa20-209a

If you have any queries or comments with regard to this advisory, please feel free to contact TTCSIRT via contacts@ttcsirt.gov.tt.