A Global NAS Infection

As further proof that we are not only losing this cybersecurity war, we seem to be barely keeping pace with our adversaries. Consider the relatively new strain of malware that has infected thousands of network-attached storage (NAS) devices for the apparent purpose of establishing a botnet beachhead from which to launch future DDoS attacks or a huge global crypto-mining operation.

It may also be a back-door set-up for future hosted malware payload delivery, but whatever the purpose, it’s a world-wide outbreak and the only cure is to perform a full factory reset of the infected devices.

Firmware Updates Impossible

The targeted devices appear to be from the Taiwanese NAS vendor QNAP, and the malware is aptly named QSnatch. Once it gains access to a NAS device, it burrows into the firmware, which lets it survive reboots. As a result, system owners can’t run the native QNAP MalwareRemover app, because the malware rejects it. And while it is busy extracting and stealing all user IDs and passwords, it also prevents all firmware updates by simply overwriting the update source URLs.

But in addition to all of that, QSnatch can connect to a remote command-and-control server, download further modules of its choosing, and then run them, according to the National Cyber Security Centre of Finland (NCSC-FI), which was the first cybersecurity organization to discover the infection.

A Laborious Fix

As with so many other “fixes”, the prevailing advice is for QNAP NAS owners to disconnect their devices from the internet, change the passwords on all accounts, remove any unknown user accounts, confirm that the firmware and all applications are up to date, remove any unknown or unused applications from the device, and install a new access control list.

Sure. No problem.
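The advice above is a checklist, and most of it can be verified rather than eyeballed. The following is an added example, not QNAP's own tooling and not from the original post: a small audit run over an exported snapshot of a NAS device's state, covering unknown accounts, unknown apps, stale firmware, and update source URLs that no longer point at the vendor (the tampering the post attributes to QSnatch). The snapshot layout, field names, vendor host name and version strings are all assumptions.

```python
"""Added example, not QNAP's own tooling: a checklist-style audit run over
an exported snapshot of a NAS device's state.  The snapshot layout, field
names, vendor host and version strings are all assumptions."""
from urllib.parse import urlparse

# Assumed baseline: what the owner believes the device should look like.
BASELINE = {
    "trusted_update_hosts": {"update.nas-vendor.example"},  # placeholder host
    "latest_firmware": "4.4.1.1086",                        # placeholder version
    "approved_accounts": {"admin", "alice", "bob"},
    "approved_apps": {"MalwareRemover", "HybridBackup"},
}

# Constructed snapshot, as if exported from the device after unplugging it.
SNAPSHOT = {
    "firmware": "4.3.6.0993",
    "update_urls": [
        "https://update.nas-vendor.example/firmware/latest",
        "http://198.51.100.23/fw/update.bin",   # documentation-range address, constructed
    ],
    "accounts": ["admin", "alice", "bob", "svc_backup_9f3"],
    "apps": ["MalwareRemover", "HybridBackup", "pkg_21"],
}


def version_tuple(version):
    """'4.3.6.0993' -> (4, 3, 6, 993) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def suspicious_update_urls(urls, trusted_hosts):
    """Update sources that are not HTTPS or do not point at a trusted host.
    Overwritten update URLs are how the post says QSnatch blocks updates."""
    flagged = []
    for url in urls:
        parts = urlparse(url)
        if parts.scheme != "https" or parts.hostname not in trusted_hosts:
            flagged.append(url)
    return flagged


def unexpected(items, approved):
    """Entries present on the device but absent from the approved set."""
    return sorted(set(items) - set(approved))


def firmware_outdated(current, latest):
    """True when the running firmware is older than the known-latest one."""
    return version_tuple(current) < version_tuple(latest)


def audit(snapshot, baseline):
    """Collect every finding an owner would want before trusting the box."""
    return {
        "tampered_update_urls": suspicious_update_urls(
            snapshot["update_urls"], baseline["trusted_update_hosts"]),
        "unknown_accounts": unexpected(snapshot["accounts"], baseline["approved_accounts"]),
        "unknown_apps": unexpected(snapshot["apps"], baseline["approved_apps"]),
        "firmware_outdated": firmware_outdated(snapshot["firmware"], baseline["latest_firmware"]),
    }


if __name__ == "__main__":
    for finding, value in audit(SNAPSHOT, BASELINE).items():
        print(f"{finding}: {value}")
```

A clean audit is not a clean device: once the malware sits in the firmware, the device's own exports can lie about what is installed, which is why the post says the only cure is a factory reset. The useful place for a check like this is against the rebuilt device, and again on a schedule, so that a rewritten update URL or a new unknown account is noticed the week it appears rather than after the next outbreak.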

Our NAS Addiction

We embrace NAS devices because they are one of the easiest and cheapest ways to get more data storage space and to access and navigate it from anywhere, without the storage caps and other ongoing expenses of cloud services. But, unlike cloud services, NAS devices add another layer of complexity to the cybersecurity puzzle that someone needs to deal with. That is not to say cloud computing is secure, but compared to a native NAS device cluster, it starts to resemble Fort Knox.

It is almost as if we consciously ignore the lessons of the past and plunge headlong into these technology “advances” based on the promise of efficiency, cost savings and speeds and feeds with no regard for expansion of our threat landscape, and then we are always shocked to hear that we’ve been compromised yet again.

QSnatch is not the first by the way. We saw an earlier ransomware strain that infected Synology NAS devices, and other prior ransomware strains that impacted QNAP devices as well.

While we’re in this vein, we also recently discovered that over 21 million login credentials stolen from Fortune 500 companies were posted for sale on the dark web, most of them already cracked and available in plaintext.

But the truly extraordinary news here is that roughly 5 million of them were ridiculous, with the catchy “password” password and its closely similar variants appearing in the top 5. In addition, almost 25% of all the passwords found were either identical to, or only a few minutes of cracking time away from, other passwords belonging to the same user. Among my favorites are “000000”, “111111” and “123456”. It’s no wonder that Healthcare is so often and so successfully attacked.
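The habits described above are easy to measure in a credential dump before the attackers do it for you. The following is an added example, not part of the original post and not tied to any real dump: a small audit over a constructed list of user/password pairs that flags the exact weak passwords named above together with their leetspeak and trailing-digit look-alikes, trivial patterns such as a repeated character or a straight digit run, and passwords that the same user reuses with only a character or two changed. The sample records, the leetspeak mapping and the two-edit threshold are assumptions.

```python
"""Added example, not from the original post: an audit over a constructed
credential dump that flags the password habits the post describes."""
import re
from collections import defaultdict
from itertools import combinations

# The exact weak passwords named in the post.
COMMON = {"password", "000000", "111111", "123456"}

# Substitutions an attacker tries first; turns "P@ssw0rd" into "password".
LEET = str.maketrans("@$01!34", "asoliea")

# Constructed sample dump (user, password); not real credentials.
SAMPLE_DUMP = [
    ("carol@example.test", "P@ssw0rd1"),
    ("carol@example.test", "P@ssw0rd2"),
    ("dave@example.test", "111111"),
    ("erin@example.test", "Tr0ub4dor&3"),
    ("erin@example.test", "correct-horse-battery"),
    ("frank@example.test", "summerVacation2019"),
    ("frank@example.test", "summerVacation2020"),
]


def normalize(pw):
    """Lowercase, drop a trailing run of digits/punctuation, undo leetspeak.
    If nothing is left after stripping (e.g. "000000"), keep the lowercase original."""
    base = re.sub(r"[\d\W_]+$", "", pw.lower())
    return (base or pw.lower()).translate(LEET)


def is_trivial(pw):
    """A single repeated character, or a straight ascending digit run like 123456."""
    if len(set(pw)) == 1:
        return True
    return pw.isdigit() and all(int(b) - int(a) == 1 for a, b in zip(pw, pw[1:]))


def is_weak(pw):
    """Weak if it is a listed password, a thin disguise of one, or a trivial pattern."""
    return pw.lower() in COMMON or normalize(pw) in COMMON or is_trivial(pw)


def edit_distance(a, b):
    """Levenshtein distance with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def reused_with_small_edits(records, max_edits=2):
    """Users who have two passwords in the dump within max_edits of each other
    (identical passwords count, since distance 0 <= max_edits)."""
    by_user = defaultdict(list)
    for user, pw in records:
        by_user[user].append(pw)
    return sorted(user for user, pws in by_user.items()
                  if any(edit_distance(a, b) <= max_edits for a, b in combinations(pws, 2)))


def audit(records):
    """Weak entries, users reusing near-identical passwords, and the weak share."""
    weak = [(user, pw) for user, pw in records if is_weak(pw)]
    return {
        "weak": weak,
        "reused_by": reused_with_small_edits(records),
        "weak_share": len(weak) / len(records) if records else 0.0,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_DUMP)
    print(f"weak entries: {len(report['weak'])} of {len(SAMPLE_DUMP)}")
    print(f"users reusing near-identical passwords: {report['reused_by']}")
```

Run against a real dump, the output is the number the post cites in miniature: the share of accounts an attacker gets for free, plus the list of users whose "new" password is the old one with the year bumped. Those are the accounts to force-reset first.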

Will we never learn?
