It's been quite a long time since I've had a device on my network infected with malware... at least knowingly. These things can be hidden away in the background for a long time before they are discovered.... So, it was a bit of a shock to the system when I found out that our QNAP NAS (Network Attached Storage) had fallen prey to the QSnatch malware that is doing the rounds at the moment.
It all started last night when I was reading the news on my phone before going to bed (Yes yes... I know that it isn't a good time to be playing around with screens...). I read that the QSnatch malware that had been around for quite some time was back again (News Source) and that nearly 62,000 QNAP machines had been compromised into a botnet.
So, the last time that this had happened in a newsworthy way... I took our QNAP NAS offline and into storage, as it wasn't clear at the time what the attack vector was and whether or not the firmware patches from QNAP were actually solving the problem. Prior to that, I had disabled all external access (SSH/Telnet/everything from outside our home network) just to be sure, so that when I ended up plugging it back into the network, it would still be secure enough.
What I didn't do was to check for QSnatch infection at that time...
More recently, I've put the QNAP server back on our network as there were things on the machine that my wife wanted to get to (videos and stuff that were streaming to Plex). So, I hooked it back up, with no external network access... just internal.
After reading the news that there was now a large botnet of compromised QNAP devices... I thought that I should just double-check to see if our machine was actually infected or not.... and it was. The Autorun.sh file was a mess of obfuscated code that was set to run on boot up... thankfully, all the external network access was still disabled (I think...). See here for information about finding traces of the existence of QSnatch on QNAP devices.
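As an added illustration (not code from the original post, and not QNAP's own Malware Remover), here is the kind of quick triage check you can run over a copy of a NAS startup script when it looks like "a mess of obfuscated code": it flags common obfuscation indicators (decode-and-pipe-to-shell, hex escapes, long opaque tokens) in a constructed sample that merely mimics an obfuscated autorun.sh and contains nothing from the real malware.

```python
import re

# Constructed sample, NOT real QSnatch code: a startup script padded with the
# sort of obfuscation tricks the post describes finding in autorun.sh.
SAMPLE_AUTORUN = """#!/bin/sh
# start a legitimate service
/etc/init.d/myservice.sh start
X=$(printf '\\x65\\x76\\x61\\x6c')
echo "aGVsbG8gd29ybGQgdGhpcyBpcyBqdXN0IGEgY29uc3RydWN0ZWQgc2FtcGxlIGJsb2Ig" | base64 -d | sh
"""

# Constructed clean script for comparison: a plain service start, nothing else.
CLEAN_AUTORUN = """#!/bin/sh
/etc/init.d/myservice.sh start
"""

# Heuristic indicators. None of these proves infection on its own; several
# together in a boot-time script are worth a closer look.
INDICATORS = {
    "eval_or_pipe_to_shell": re.compile(r"\beval\b|\|\s*(sh|bash)\b"),
    "base64_decode": re.compile(r"base64\s+(-d|--decode)\b"),
    "hex_escapes": re.compile(r"(\\x[0-9a-fA-F]{2}){4,}"),
    "long_opaque_token": re.compile(r"[A-Za-z0-9+/=]{40,}"),
    "download_tool": re.compile(r"\b(wget|curl)\b"),  # weak: common in legit scripts
}


def scan_startup_script(script_text):
    """Return the sorted names of all indicators found in the script text.

    An empty list means none of the heuristics fired; comment lines are
    ignored so that explanatory comments cannot trigger a hit.
    """
    body = "\n".join(
        line for line in script_text.splitlines() if not line.lstrip().startswith("#")
    )
    return sorted(name for name, rx in INDICATORS.items() if rx.search(body))


if __name__ == "__main__":
    print("sample:", scan_startup_script(SAMPLE_AUTORUN))
    print("clean: ", scan_startup_script(CLEAN_AUTORUN))
```

To use it on a real device, copy the startup script off the NAS first and scan the copy, rather than executing anything on the suspect machine.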
... so, it was high time to implement the rest of the security recommendations from the QNAP advisory.
Since the last time, they had released a Malware Remover for this particular piece of malware, and you can see that there were quite a few things that were flagged and needed to be removed. This was followed by a purging of user accounts (thankfully, all were known ones that were set up by me)... then a change of admin password and 2FA keys.
This was followed up by a firmware update (which would have been blocked if the malware was truly active...), and several more admin password changes just in case (the malware hijacks the login page).
Now, it appears that the machine was infected but due to some good luck... it doesn't seem to have been more serious than that. There doesn't seem to be any lateral movement across our network (although, that remains to be seen... those things are unknown unknowns...).... and it doesn't appear that the machine has been re-infected by any remaining backdoors or attack vectors.
Now, QSnatch appears to have the capability to hijack the login screen (a fake login that passes the credentials on to the "true" login to mimic the correct behaviour... this could be a vector for reinfection), install backdoors (to stay persistent...), block firmware and other updates... and exfiltrate data.
Thankfully, the data that we store on this NAS is pretty mundane... photo backups and a Plex server. So, nothing too terrible if it leaks out... but it still was a bit of a shock! It remains to be seen if there are any other effects... but for the time being, it appears that we are in the clear... but I'm on alert!
Account banner by jimramones
happy ending! -- !trdo