ACTION ALERT: QNAP NAS Malware (Patreon)

Some pretty bad malware is hitting qnap servers, so if you run one, check the alert posted by CISA on mitigations.

As stated above, once a device has been infected, attackers have been known to make it impossible for administrators to successfully run the needed firmware updates. This makes it extremely important for organizations to ensure their devices have not been previously compromised. Organizations that are still running a vulnerable version must run a full factory reset on the device prior to completing the firmware upgrade to ensure the device is not left vulnerable.

The usual checks to ensure that the latest updates are installed still apply. To prevent reinfection, this recommendation also applies to devices previously infected with QSnatch but from which the malware has been removed.

To prevent QSnatch malware infections, CISA and NCSC strongly recommend that organizations take the recommended measures in QNAP’s November 2019 advisory.[2]

CISA and NCSC also recommend organizations consider the following mitigations:  

• Verify that you purchased QNAP devices from reputable sources.  
  • If sources are in question, run a full factory reset on the device prior to completing the firmware upgrade. For additional supply chain recommendations, see CISA’s tip on Securing Network Infrastructure Devices.
• Block external connections when the device is intended to be used strictly for internal storage.