“This is a joint alert from the United Kingdom’s National Cyber Security Centre (NCSC) and the Cybersecurity and Infrastructure Security Agency (CISA) in the United States. The NCSC and CISA are investigating a strain of malware called QSnatch (also known as ‘Derek’), which attackers used in late 2019 to target Network Attached Storage (NAS) devices manufactured by the firm QNAP.

All QNAP NAS devices are potentially vulnerable to QSnatch malware if not updated with the latest security fixes. The malware has infected thousands of devices worldwide with a particularly high number of infections in North America and Europe.

Further, once a device has been infected, attackers can prevent administrators from successfully running firmware updates. This alert can be downloaded and summarises the findings of NCSC, CISA and industry partner analysis whilst also providing mitigation advice. Please note we have added some additional mitigation advice making this alert V1.1 (10/08/20).”

QNAP NAS Devices Targeted by QSnatch Malware for Six Years and Counting
by Silviu Stahie

“Network Attached Storage (NAS) devices built by QNAP are vulnerable to a malware named QSnatch, according to an advisory issued by United States Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC).

QNAP builds NAS devices that can be used as a local cloud backup for computers and phones, as well as many other applications. It uses a custom-built Linux OS, which makes the infection all the more impressive. It’s still unclear how the malware is spreading, who the operators are, and what their goals are.

QSnatch is a fairly sophisticated malware designed to steal credentials via a CGI password logger, to scrape credentials, to provide attackers with an SSH backdoor, to exfiltrate data, including system configurations and log files, and to offer web shell functionality for remote access. Once the malware is installed, it gains persistence by changing the host file, redirecting the core domain names used by the NAS to out-of-date local versions so updates can never be retrieved.

“The infection vector has not been identified, but QSnatch appears to be injected into the device firmware during the infection stage, with the malicious code subsequently run within the device, compromising it,” states the advisory. “The attacker then uses a domain generation algorithm (DGA)—to establish a command and control (C2) channel that periodically generates multiple domain names for use in C2 communications.”

Because the malware is persistent, administrators can’t install firmware updates. This means that a full factory reset is required before upgrading the firmware. Also, all the latest updates have to be installed. The company also advises clients to update Malware Remover to the latest version, update the Security Counselor to the latest version, change all the credentials, remove suspicious or unknown accounts, and disable all network functionality not used, such as SSH or Telnet. By the middle of last month, a total of 62,000 QNAP devices were infected; approximately 7,600 were in the United States, and 3,900 in the United Kingdom. The first infections started in 2014 and QSnatch is active to this day.”
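A defender-side check for the update-blocking persistence the articles describe, added here as an example (it is not code from the alert or from QNAP): it parses a hosts file and flags any entry that pins a vendor update domain, especially to a loopback, unspecified or private address. The domain names and the sample hosts content are constructed placeholders; the alert does not list the exact hostnames QSnatch redirects.

```python
import ipaddress
from typing import Dict, List, Tuple

# Placeholder vendor domains whose resolution matters for firmware/definition
# updates. Constructed names: the alert does not list the real hostnames.
UPDATE_DOMAINS = ("update.vendor.example", "download.vendor.example")

# Constructed hosts-file content resembling the update-blocking trick.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
# constructed entries: update domains pinned so the NAS never reaches the vendor
0.0.0.0     update.vendor.example
127.0.0.1   download.vendor.example  cdn.download.vendor.example
192.168.1.20 nas-backup.lan
"""

def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map every hostname in a hosts file to each address it is pinned to."""
    pins: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            pins.setdefault(name.lower(), []).append(ip)
    return pins

def is_local_sink(ip: str) -> bool:
    """True if traffic to ip never leaves the box or LAN (or ip is unparsable)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # garbage in a hosts file is itself worth flagging
    return (addr.is_loopback or addr.is_private
            or addr.is_link_local or addr.is_unspecified)

def find_update_pins(text: str, domains=UPDATE_DOMAINS) -> List[Tuple[str, str, bool]]:
    """Return (hostname, ip, sinks_locally) for every pinned update domain or subdomain.

    Any pin of a vendor update domain is suspicious; a local sink is high severity.
    """
    findings = []
    for name, ips in parse_hosts(text).items():
        if any(name == d or name.endswith("." + d) for d in domains):
            findings.extend((name, ip, is_local_sink(ip)) for ip in ips)
    return sorted(findings)

if __name__ == "__main__":
    for name, ip, local in find_update_pins(SAMPLE_HOSTS):
        print(f"{'HIGH' if local else 'REVIEW'}: {name} -> {ip}")
```

On a live device the same function would be run over the contents of /etc/hosts after a factory reset and reinstall, to confirm no pin survived.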

CISA says 62,000 QNAP NAS devices have been infected with the QSnatch malware
by Catalin Cimpanu / July 27, 2020

“Cyber-security agencies from the UK and the US have published today a joint security alert about QSnatch, a strain of malware that has been infecting network-attached storage (NAS) devices from Taiwanese device maker QNAP. In alerts [12] by the United States Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC), the two agencies say that attacks with the QSnatch malware have been traced back to 2014, but attacks intensified over the last year when the number of reported infections grew from 7,000 devices in October 2019 to more than 62,000 in mid-June 2020.

Of these, CISA and the NCSC say that approximately 7,600 of the infected devices are located in the US, and around 3,900 in the UK. “The first campaign likely began in early 2014 and continued until mid-2017, while the second started in late 2018 and was still active in late 2019,” the two agencies say. CISA and the NCSC say that the two campaigns used different versions of the QSnatch malware (also tracked under the name of Derek). The joint alert focuses on the latest version, used in the most recent campaign.

According to the joint alert, this new QSnatch version comes with an enhanced and broad set of features that includes functionality for modules such as:

  • CGI password logger – This installs a fake version of the device admin login page, logging successful authentications and passing them to the legitimate login page.
  • Credential scraper
  • SSH backdoor – This allows the cyber actor to execute arbitrary code on a device.
  • Exfiltration – When run, QSnatch steals a predetermined list of files, which includes system configurations and log files. These are encrypted with the actor’s public key and sent to their infrastructure over HTTPS.
  • Webshell functionality for remote access

However, while CISA and the NCSC experts managed to analyze the current version of the QSnatch malware, they say that one mystery has still eluded them — namely how the malware initially infects devices.

Attackers could be exploiting vulnerabilities in the QNAP firmware or they could be using default passwords for the admin account — however, none of this could be verified beyond a doubt. But once the attackers gain a foothold, CISA and the NCSC say the QSnatch malware is injected into the firmware, from where it takes full control of the device and then blocks future updates to the firmware to survive on the victim NAS.

The joint alert says that the QSnatch group’s server infrastructure that was used in the second series of attacks is now down, but that QSnatch infections still remain active around the internet, on infected devices. The two agencies are now urging companies and home users who use QNAP devices to follow remediation and mitigation steps listed in the Taiwanese vendor’s support page to get rid of QSnatch and prevent future infections. Failing to remove the malware equates to allowing hackers a backdoor into company networks and direct access to NAS devices, many of which are used to store backups or sensitive files.”

Laptop, USB drives stolen from Philly election-staging site
by Frank Bajak & Claudia Lauer / October 1, 2020

“Computer thumb drives used to program Philadelphia voting machines were stolen from a city warehouse along with the laptop of an employee from the machines’ manufacturer. The items were stolen from a warehouse in the city’s East Falls section, city election commission spokesman Nick Custodio said in a brief emailed statement, adding: “We are confident that this incident will not in any way compromise the integrity of the election.” The Philadelphia Inquirer, which first reported the theft in the majority Democratic city, said they were stolen this week.

The laptop did not hold any “sensitive election-related data” and was not used for election programming, said spokeswoman Katina Granger, of Election Systems & Software of Omaha, Nebraska, the manufacturer. She said ES&S immediately cut it off from the vendor’s network upon learning of the theft. Granger said she was not able to address specifics about the stolen USB drives, including how many were taken and what was on them. Custodio did not answer emailed questions, including whether any of the 3,750 ExpressVote XL touchscreen ballot-marking devices used by the city might have been affected.

Pennsylvania is a crucial battleground which Trump won by 44,000 votes in 2016, with Hillary Clinton winning Philadelphia by a 67% margin, or 475,000 votes. Election security expert Eddie Perez of the nonpartisan OSET Institute said Philadelphia voters’ confidence in the integrity of the election depends on transparency from officials that is so far lacking: “This is supposed to be a secured facility,” he said, “and apparently neither the county nor the election vendor adequately protected these sensitive assets. Why not?”

Granger of ES&S said the company’s USB devices use multiple levels of encryption and are “married” to single voting machines during programming. But Perez said that it’s so far unclear how far along Philadelphia was in programming for the Nov. 3 election — and thus how much of a threat the theft might pose.

“It is very, very common that a USB stick has a wealth of information that is related not only to the configuration of the election and its ballot — and the behavior of the voting device — but also internal system data used to validate the election,” said Perez. “In principle, someone possessing the information on one of these USBs could disrupt the opening and closing of the devices in polling places. They could disrupt how ballots are displayed on the screen and they could potentially disrupt counting votes on those ballots.”

An “insider” bent on tampering with the election would only need to alter a subset of ballot-marking devices to compromise voting, Perez said. In an emailed statement, Mayor Jim Kenney said police were investigating and “enhanced security” would be added at the warehouse. “This matter should not deter Philadelphians from voting, nor from having confidence in the security of this election.” In a further incident, a WHYY public radio reporter walked right into the warehouse’s voting machine storage area unimpeded on Thursday morning.

City spokesman Mike Dunn confirmed the incident and said the mayor would shortly be adding 24/7 security at the site. “These changes will be put into place expeditiously,” he said. The system potentially impacted by the incident is not the same as mail-in voting, which President Donald Trump has repeatedly sought to discredit with unfounded claims. On Tuesday, Philadelphia began accepting mail-in, or absentee, ballots at satellite elections offices that aren’t considered official polling locations.

FBI headquarters in Washington, D.C. declined to comment on whether it was assisting in the investigation. Although the nation’s 8,800 voting jurisdictions are managed by state and local governments, they have been designated critical national infrastructure and multiple federal agencies have stepped up security assistance since the 2016 election.”