QNAP NAS Needs Firmware Update

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the UK's National Cyber Security Centre (NCSC) have issued an alert about the QSnatch malware, which affects QNAP NAS devices. A network-attached-storage (NAS) device is a device connected to a residential or commercial network that provides a centralized data storage location for network users. Normally, a NAS is configured to accept connections only from internal computers on a private network, but it can be made accessible over the Internet. In some cases, companies or individuals inadvertently expose their NAS to connections from the Internet, which can lead to a compromise. QSnatch was most active between early 2014 and late 2019 and has resurged recently. Around 62,000 QNAP devices remain vulnerable and are easily discoverable over the Internet. QSnatch has the capability to steal user credentials, install a web shell to provide remote access, inject malicious code retrieved from its Command and Control (C2) server, steal files, and install a fake device admin login page to phish for credentials. Once a device is infected, QSnatch blocks all incoming software updates to prevent any malware-removal tools from running.

Analyst Notes

For small to medium-sized businesses, a NAS is essential for keeping important data that multiple users need to access in a single, secure location. All QNAP users are advised first to perform a factory reset on their device, to verify that no malicious programs are installed or running, and then to install the latest firmware upgrade from the QNAP website. If the device does not need to be reachable directly over the Internet, it is safest to keep it protected behind a firewall. If it does need to be reachable from outside the company's location, a corporate VPN using strong Multi-Factor Authentication (MFA) and encrypted connections is the best way to enable safe access to internal network resources.

Source Article:

CISA Alert: