https://twitter.com/MikayesFiona/status/1328412016978128899
QSNATCH MALWARE (aka DEREK)
https://qnap.com/en/security-advisory/nas-201911-01
https://ncsc.gov.uk/news/legacy-risk-malware-targeting-qnap-nas-devices
“This is a joint alert from the United Kingdom’s National Cyber Security Centre (NCSC) and the Cybersecurity and Infrastructure Security Agency (CISA) in the United States. The NCSC and CISA are investigating a strain of malware called QSnatch (also known as ‘Derek’), which attackers used in late 2019 to target Network Attached Storage (NAS) devices manufactured by the firm QNAP.
https://twitter.com/EthicalHackerXs/status/1331731095302275072
All QNAP NAS devices are potentially vulnerable to QSnatch malware if not updated with the latest security fixes. The malware has infected thousands of devices worldwide with a particularly high number of infections in North America and Europe.
#QSnatch
I wonder HOW IN THE WORLD a piece of malware might get deposited on a target computer…
… how could that possibly happen? Let me think.
ZDnet July 27, 2020 https://t.co/fyRiFLSsDS pic.twitter.com/bOnFQ843Cr
— Glued2TheScreen (@glued2thescreen) November 24, 2020
Further, once a device has been infected, attackers can prevent administrators from successfully running firmware updates. This alert can be downloaded and summarises the findings of NCSC, CISA and industry partner analysis whilst also providing mitigation advice. Please note we have added some additional mitigation advice making this alert V1.1 (10/08/20).”
https://twitter.com/BenKTallmadge/status/1331297505137418240
CREDENTIAL SCRAPER
https://kyberturvallisuuskeskus.fi/qsnatch-malware-qnap-nas
https://bitdefender.com/qnap-devices-targeted-qsnatch-malware
QNAP NAS Devices Targeted by QSnatch Malware for Six Years and Counting
by Silviu Stahie
“Network Attached Storage (NAS) devices built by QNAP are vulnerable to a malware named QSnatch, according to an advisory issued by United States Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC).
QNAP builds NAS devices that can be used as a local cloud backup for computers and phones, as well as many other applications. It uses a custom-built Linux OS, which makes the infection all the more impressive. It’s still unclear how the malware is spreading, who the operators are, and what their goals are.
QSnatch is a fairly sophisticated malware designed to steal credentials via a CGI password logger, to scrape credentials, to provide attackers with a SSH backdoor, to exfiltrate data, including system configurations and log files, and to offer web shell functionality for remote access. Once the malware is installed, it gains persistence by changing the host file, redirecting the core domain names used by the NAS to out-of-date local versions so updates can never be retrieved.
11/23/20 Truth Bombs with @PatrickByrne! Do not miss it!
Click Pødçåst👇🏼https://t.co/3aSf6dbbvx pic.twitter.com/vqVHqbH73T
— intheMatrixxx (@intheMatrixxx) November 23, 2020
“The infection vector has not been identified, but QSnatch appears to be injected into the device firmware during the infection stage, with the malicious code subsequently run within the device, compromising it,” states the advisory. “The attacker then uses a domain generation algorithm (DGA)—to establish a command and control (C2) channel that periodically generates multiple domain names for use in C2 communications.”
https://www.youtube.com/watch?v=cz99yC6mv24
Because the malware is persistent, administrators can’t install firmware updates. This means that a full factory reset is required before upgrading the firmware. Also, all the latest updates have to be installed. The company also advises clients to update Malware Remover to the latest version, update the Security Counselor to the latest version, change all the credentials, remove suspicious or unknown accounts, and disable all network functions not in use, such as SSH or Telnet. By the middle of last month, a total of 62,000 QNAP devices were infected; approximately 7,600 were in the United States, and 3,900 in the United Kingdom. The first infections started in 2014 and QSnatch is active to this day.”
PASSWORD LOGGER
https://deepcapture.com/election-2020-was-rigged-the-evidence/
https://zdnet.com/cisa-says-62000-qnap-nas-devices-have-been-infected-with-the-qsnatch-malware/
CISA says 62,000 QNAP NAS devices have been infected with the QSnatch malware
by Catalin Cimpanu / July 27, 2020
“Cyber-security agencies from the UK and the US have published today a joint security alert about QSnatch, a strain of malware that has been infecting network-attached storage (NAS) devices from Taiwanese device maker QNAP. In alerts [1, 2] by the United States Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC), the two agencies say that attacks with the QSnatch malware have been traced back to 2014, but attacks intensified over the last year when the number of reported infections grew from 7,000 devices in October 2019 to more than 62,000 in mid-June 2020.
It is nice to close a busy week at @CERTFI (NCSC-FI) with a new malware discovery: #Qsnatch targets #QNAP #NAS devices. Here the NCSC-FI #Autoreporter service played a critical part on anomaly discovery – together with our sharp malware specialists. https://t.co/43nyfUKWu3
— Kauto Huopio (@kautoh) October 25, 2019
Of these, CISA and the NCSC say that approximately 7,600 of the infected devices are located in the US, and around 3,900 in the UK. “The first campaign likely began in early 2014 and continued until mid-2017, while the second started in late 2018 and was still active in late 2019,” the two agencies say. CISA and the NCSC say that the two campaigns used different versions of the QSnatch malware (also tracked under the name of Derek). The joint alert focuses on the latest version, used in the most recent campaign.
CISA and US EAC knew Dominion's source code was infected w/ #Qsnatch malware two years ago.
— KoronaKnievel19 (@faster34me) November 25, 2020
According to the joint alert, this new QSnatch version comes with an enhanced and broad set of features that includes functionality for modules such as:
- CGI password logger – This installs a fake version of the device admin login page, logging successful authentications and passing them to the legitimate login page.
- Credential scraper
- SSH backdoor – This allows the cyber actor to execute arbitrary code on a device.
- Exfiltration – When run, QSnatch steals a predetermined list of files, which includes system configurations and log files. These are encrypted with the actor’s public key and sent to their infrastructure over HTTPS.
- Webshell functionality for remote access
However, while CISA and the NCSC experts managed to analyze the current version of the QSnatch malware, they say that one mystery has still eluded them — namely how the malware initially infects devices.
German ISP "confused" by their all-time traffic record on election night. https://t.co/bccqMEJTzb pic.twitter.com/2rW3NPGLBV
— oriJONal (@orijonal) November 13, 2020
Attackers could be exploiting vulnerabilities in the QNAP firmware or they could be using default passwords for the admin account — however, none of this could be verified beyond a doubt. But once the attackers gain a foothold, CISA and the NCSC say the QSnatch malware is injected into the firmware, from where it takes full control of the device and then blocks future updates to the firmware to survive on the victim NAS.
https://twitter.com/Christine_Brim/status/1325036416611577857
The joint alert says that the QSnatch group’s server infrastructure that was used in the second series of attacks is now down, but that QSnatch infections still remain active around the internet, on infected devices. The two agencies are now urging companies and home users who use QNAP devices to follow remediation and mitigation steps listed in the Taiwanese vendor’s support page to get rid of QSnatch and prevent future infections. Failing to remove the malware equates to allowing hackers a backdoor into company networks and direct access to NAS devices, many of which are used to store backups or sensitive files.”
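The Bitdefender excerpt above describes QSnatch gaining persistence by rewriting the NAS hosts file so that the vendor’s core domains resolve to stale local copies, and the joint alert summarised above says the result is that firmware updates are blocked. The following check is an added example, not QNAP’s code and not taken from the alert or either article: it parses a hosts file and flags any watched vendor domain that has been pinned there, treating a pin to a loopback, private or unspecified address as the strongest signal. The domain names under `WATCHED_DOMAINS` and the sample hosts content are constructed placeholders for the example; substitute the real hostnames your device is supposed to reach.

```python
"""Detect hosts-file pinning of vendor update domains.

Added example, not QNAP's code and not from the CISA/NCSC alert. A NAS has no
reason to carry its vendor's update or licensing hostnames in /etc/hosts; if
they appear there, and especially if they point at a non-public address, the
update path has been redirected, which matches the persistence trick the
articles describe.
"""
import ipaddress
from typing import Dict, List, Tuple

# Hypothetical vendor domains to watch. These names are placeholders for the
# example and do not come from the alert; replace them with the real hosts.
WATCHED_DOMAINS = (
    "update.vendor.example",
    "download.vendor.example",
    "license.vendor.example",
)

# Constructed sample: a hosts file after a hypothetical hijack, plus the usual
# local entries and one unrelated vendor host that is not on the watch list.
SAMPLE_HOSTS = """\
# /etc/hosts
127.0.0.1     localhost
::1           localhost ip6-localhost
192.168.1.20  nas backup-target
127.0.0.1     update.vendor.example    # injected: stale local mirror
10.0.0.7      download.vendor.example
203.0.113.9   cdn.vendor.example
"""


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) for each active hosts line.

    Comments after '#' and blank lines are ignored, as the resolver ignores
    them; lines whose first field is not an IP address are skipped.
    """
    entries: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append((fields[0], [h.lower() for h in fields[1:]]))
    return entries


def _is_watched(host: str) -> bool:
    """True for a watched domain or any of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def find_pinned_domains(text: str) -> List[Dict[str, str]]:
    """Flag every watched domain pinned in the hosts file.

    Severity is 'high' when the pin points at a loopback, private, link-local
    or unspecified address (the redirect-to-local-copy pattern) and 'medium'
    for any other pin, since the domain should not be in the file at all.
    """
    findings: List[Dict[str, str]] = []
    for addr, hosts in parse_hosts(text):
        ip = ipaddress.ip_address(addr)
        local = ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified
        for host in hosts:
            if _is_watched(host):
                findings.append(
                    {"host": host, "address": addr, "severity": "high" if local else "medium"}
                )
    return findings


if __name__ == "__main__":
    for f in find_pinned_domains(SAMPLE_HOSTS):
        print(f"[{f['severity']}] {f['host']} pinned to {f['address']}")
```

A clean hosts file is not proof of a clean device: the alert says the malware is injected into the firmware itself, so this check is a quick triage signal, and the vendor’s advice above (factory reset, then reinstall current firmware and rotate credentials) is the remediation.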
Remember the USB drives stolen in Philly? Those USB drives were admin access devices to enter the configuration and debug screens of the voting machines. With those stolen drives, someone could potentially change, purge, or inject ballots with impunity. https://t.co/Z06yrsWEwO
— Ron (@CodeMonkeyZ) November 11, 2020
EXFILTRATION
https://pbs.org/new-election-systems-use-vulnerable-software
https://apnews.com/voting-machines-custodions-philadelphia
Laptop, USB drives stolen from Philly election-staging site
by Frank Bajak & Claudia Lauer / October 1, 2020
“Computer thumb drives used to program Philadelphia voting machines were stolen from a city warehouse along with the laptop of an employee from the machines’ manufacturer. The items were stolen from a warehouse in the city’s East Falls section, city election commission spokesman Nick Custodio said in a brief emailed statement, adding: “We are confident that this incident will not in any way compromise the integrity of the election.” The Philadelphia Inquirer, which first reported the theft in the majority Democratic city, said they were stolen this week.
Why does the Dominion Voting System user manual say to not enter a password? Why are they using digital certificates without passwords? pic.twitter.com/CDygrc870p
— Ron (@CodeMonkeyZ) November 11, 2020
The laptop did not hold any “sensitive election-related data” and was not used for election programming, said spokeswoman Katina Granger, of Election Systems & Software of Omaha, Nebraska, the manufacturer. She said ES&S immediately cut it off from the vendor’s network upon learning of the theft. Granger said she was not able to address specifics about the stolen USB drives, including how many were taken and what was on them. Custodio did not answer emailed questions, including whether any of the 3,750 ExpressVote XL touchscreen ballot-marking devices used by the city might have been affected.
Check this out.
AES128 algorithm is ok if done right. Let's check if they did it right: "all participants in the process use the same encryption keys."
What?
"all participants…"
"…use the same encryption keys." pic.twitter.com/1dtDNwiVm4 — Ron (@CodeMonkeyZ) November 11, 2020
Pennsylvania is a crucial battleground which Trump won by 44,000 votes in 2016, with Hillary Clinton winning Philadelphia by a 67% margin, or 475,000 votes. Election security expert Eddie Perez of the nonpartisan OSET Institute said Philadelphia voters’ confidence in the integrity of the election depends on transparency from officials that is so far lacking: “This is supposed to be a secured facility,” he said, “and apparently neither the county nor the election vendor adequately protected these sensitive assets. Why not?”
After reviewing the Dominion Voting System user manual, it seems the local IT guy who services the machines is theoretically the ultimate political gatekeeper.
He has absolute power to decide elections. — Ron (@CodeMonkeyZ) November 11, 2020
Granger of ES&S said the company’s USB devices use multiple levels of encryption and are “married” to single voting machines during programming. But Perez said that it’s so far unclear how far along Philadelphia was in programming for the Nov. 3 election — and thus how much of a threat the theft might pose.
https://twitter.com/KanekoaTheGreat/status/1331678008210464768
“It is very, very common that a USB stick has a wealth of information that is related not only to the configuration of the election and its ballot — and the behavior of the voting device — but also internal system data used to validate the election,” said Perez. “In principle, someone possessing the information on one of these USBs could disrupt the opening and closing of the devices in polling places. They could disrupt how ballots are displayed on the screen and they could potentially disrupt counting votes on those ballots.”
27/ You might be interested in reading the article from Serbian media – it explains the connection between #Dominion and all above-mentioned countries and individuals involved. https://t.co/I40IbrG2wO
— Богиња пролећа 🇷🇸 (@boginjaproleca) November 20, 2020
An “insider” bent on tampering with the election would only need to alter a subset of ballot-marking devices to compromise voting, Perez said. In an emailed statement, Mayor Jim Kenney said police were investigating and “enhanced security” would be added at the warehouse. “This matter should not deter Philadelphians from voting, nor from having confidence in the security of this election.” In a further incident, a WHYY public radio reporter walked right into the warehouse’s voting machine storage area unimpeded on Thursday morning.
It's nice that someone else is following my posts.
Only the evidence matters no matter how painful.
I was the first in the world to point to Dominion Software. https://t.co/FO4uHM4UeG pic.twitter.com/aJZ3ayAuqf — Александар Стефановић (@acastef53) November 20, 2020
City spokesman Mike Dunn confirmed the incident and said the mayor would shortly be adding 24/7 security at the site. “These changes will be put into place expeditiously,” he said. The system potentially impacted by the incident is not the same as mail-in voting, which President Donald Trump has repeatedly sought to discredit with unfounded claims. On Tuesday, Philadelphia began accepting mail-in, or absentee ballots, at satellite elections offices that aren’t considered official polling locations.
The director of the representative office admitted that the software was written in Belgrade, Serbia.
The key is the #DominionVotingSystem representative office in Belgrade, Serbia. Giving false testimony is a serious crime. You go to jail for that. https://t.co/gMSpbzeIzN pic.twitter.com/QOYTPEu2cJ — Александар Стефановић (@acastef53) November 20, 2020
FBI headquarters in Washington, D.C. declined to comment on whether it was assisting in the investigation. Although the nation’s 8,800 voting jurisdictions are managed by state and local governments, they have been designated critical national infrastructure and multiple federal agencies have stepped up security assistance since the 2016 election.”
PREVIOUSLY
ELECTION THEFT TUTORIAL
https://spectrevision.net/2008/10/23/election-theft-tutorial/
BACKDOOR SECURITY COUNCIL
https://spectrevision.net/2016/01/15/backdoor-security-council/
BLOCKCHAIN ELECTIONS
https://spectrevision.net/2018/03/13/blockchain-elections/
GOD MODE UNLOCKED
https://spectrevision.net/2019/06/11/god-mode-unlocked/
CRYPTO BACKDOORS
https://spectrevision.net/2020/02/20/crypto-backdoors/