62,000 QNAP NAS devices infected with persistent QSnatch malware

There are approximately 62,000 malware-infested QNAP NAS (Network Attached Storage) devices located across the globe spilling all the secrets they contain to unknown cyber actors, the US CISA and the UK NCSC have warned.

QNAP NAS malware

Dubbed QSnatch, the sophisticated malware targets QTS, the Linux-based OS powering QNAP’s NAS devices. It is able to log passwords, scrape credentials, set up an SSH backdoor and a webshell, exfiltrate files and, most importantly, ensure its persistence by preventing users from installing updates that may remove it and by preventing the QNAP Malware Remover app from running.

QSnatch and its reach

Various versions of the malware have been around for many years now. The two agencies have identified two campaigns aimed at spreading it, the last one dating back to late 2019.

Interestingly enough, they still don’t know how the malware is delivered, but it “appears to be injected into the device firmware during the infection stage, with the malicious code subsequently run within the device, compromising it.” It’s likely that the attackers were exploiting a remotely exploitable vulnerability in the firmware, which has since been patched.

“QSnatch collects confidential information from infected devices, such as login credentials and system configuration. Due to these data breach concerns, QNAP devices that had been infected may still be vulnerable to reinfection after removing the malware,” QNAP explained after delivering security updates in November 2019.

In mid-June, the number of infected devices worldwide was 62,000, with approximately 7,600 in the US and 3,900 in the UK.


What to do if your QNAP NAS has been infected?

The agencies say that the infrastructure used by the malicious cyber actors in both campaigns is not currently active, but unpatched devices are likely to be compromised.

“The malware appears to gain persistence by preventing updates from installing on the infected QNAP device. The attacker modifies the system host’s file, redirecting core domain names used by the NAS to local out-of-date versions so updates can never be installed,” they noted.
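The hosts-file redirection described in that quote can be checked for directly. The following is an added example, not code from the agencies or QNAP: it scans hosts-file text for watched domains pinned to loopback, unspecified or private addresses. The `vendor.example` suffix and the sample file are constructed placeholders, since the article does not name the redirected domains.

```python
import ipaddress

# Ranges treated as "local" redirection targets (loopback, unspecified, private).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "::1/128", "::/128", "fc00::/7")]

# Constructed sample hosts file. "vendor.example" is a placeholder for the
# NAS vendor's update domains, which the article does not list.
SAMPLE_HOSTS = """\
127.0.0.1    localhost
::1          localhost ip6-localhost
192.168.1.20 nas01 nas01.lan
127.0.0.1    update.vendor.example    # update host pinned to loopback
0.0.0.0      download.vendor.example
10.0.0.5     mirror.vendor.example
203.0.113.7  cdn.vendor.example
"""


def suspicious_host_overrides(hosts_text, watched_suffixes):
    """Return (line_no, address, hostname) for each hosts entry that pins a
    watched domain, or any subdomain of it, to a local address."""
    suffixes = [s.lower().strip(".") for s in watched_suffixes]
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if len(fields) < 2:
            continue                            # blank, comment or malformed
        try:
            addr = ipaddress.ip_address(fields[0].split("%", 1)[0])
        except ValueError:
            continue                            # first field is not an IP
        if not any(addr in net for net in LOCAL_NETS):
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if any(name == s or name.endswith("." + s) for s in suffixes):
                findings.append((line_no, str(addr), name))
    return findings


if __name__ == "__main__":
    # On a device, read the real file instead, e.g. open("/etc/hosts").read()
    for hit in suspicious_host_overrides(SAMPLE_HOSTS, ["vendor.example"]):
        print("line %d: %s -> %s" % hit)
```

A hit is a reason to investigate, not proof of infection, because administrators sometimes pin hostnames locally on purpose.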

Since it hasn’t been confirmed that a successful update removes the malware, the general advice is to run a full factory reset on the device before completing the firmware upgrade, then check whether the updates have been applied. This will “destroy” the malware, but also all the data stored on the device.

QNAP has provided additional security recommendations and detailed instructions for preventing QSnatch infections.

The agencies additionally advise organizations to block external connections when the device is intended to be used strictly for internal storage.

Zyxel NAS, firewalls and LILIN DVRs and IP cameras conscripted into IoT botnets

A wide variety of Zyxel and LILIN IoT devices are being conscripted into several botnets, researchers have warned.

Users are advised to implement the provided firmware updates to plug the security holes exploited by the botmasters or, if they can’t, to stop using the devices altogether or to put them behind network firewalls.


Zyxel devices affected

According to Palo Alto Networks’ Unit 42, botmasters using a new Mirai strain dubbed Mukashi are exploiting CVE-2020-9054, a pre-authentication command injection flaw, to compromise and “zombify” network-attached storage devices, firewalls, business VPN firewalls and unified security gateways.

CVE-2020-9054 is considered to be a critical vulnerability as it can be exploited by a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device.

The vulnerability was fixed in late February and Zyxel has provided firmware updates for the following affected devices that are still supported:

  • Network-attached storage devices (NAS326, NAS520, NAS540, NAS542)
  • Firewalls, business VPN firewalls and unified security gateways (ATP100, ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200, VPN50, VPN100, VPN300, VPN1000, ZyWALL110, ZyWALL310, ZyWALL1100)

“Owners of NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2 as well as some other ZyXEL devices may not be able to install firmware updates, as these devices are no longer supported,” CERT/CC warned.

“Be cautious when updating firmware on affected devices, as the ZyXEL firmware upgrade process both uses an insecure channel (FTP) for retrieving updates, and the firmware files are only verified by checksum rather than cryptographic signature. For these reasons, any attacker that has control of DNS or IP routing may be able to cause a malicious firmware to be installed on a ZyXEL device.”

Workarounds available for those who can’t update the firmware include:

  • Blocking access to the web interface (80/tcp and 443/tcp) of any vulnerable ZyXEL device
  • Restricting access to vulnerable devices (i.e., not exposing them on the internet).

“Note however, that it is still possible for attackers to exploit devices that are not directly connected to the internet. For example, by way of viewing a web page,” CERT/CC added.

LILIN devices affected

LILIN digital video recorders (DVRs) and IP cameras have been under attack for months by botmasters of the Chalubo, FBot and Moobot botnets, say researchers from Qihoo 360’s Netlab team.

They are exploiting a number of security flaws, including hard-coded login credentials, command injection (via NTP and FTP) and arbitrary file reading vulnerabilities.

According to the researchers, firmware running on a dozen LILIN devices is affected:


The manufacturer released firmware that fixes the flaws (2.0b60_20200207) back in February.

Users of all the affected devices, both Zyxel’s and LILIN’s, are advised to update their device firmware or implement available workarounds.