QNAP Storage Devices Hijacked

Customers of the network-attached storage (NAS) vendor QNAP have reported strange activity that has been preventing system updates on their devices.

Investigation into the problem has identified a malware infection that hijacks QNAP NAS devices and forces a change to the hosts file on the machine.

The Unix hosts file ‘/etc/hosts’ statically maps host or domain names to IP addresses. Depending on the device's resolver configuration it is typically consulted before any DNS query is made, so an entry in it overrides DNS for the name it lists.

By hijacking the device and changing these hosts file entries, the malicious actor can control where traffic for those names is sent.

The hackers in this case added a large number of entries (over 700 according to The Register) to the hosts file and redirected each host or domain to the IP address 0.0.0.0. These entries included the domains for QNAP software and anti-virus updates, and by pointing them at this bogus address the traffic was effectively blackholed, causing all associated updates to fail.
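As an added example (this is not from the original post, nor a QNAP tool), the following POSIX shell script performs the check a NAS admin would want here: it scans a hosts file for exactly the blackholing technique described above, names mapped to 0.0.0.0 or to loopback, counts them, and writes a cleaned copy. It needs only sh, sed and awk, which BusyBox-based NAS firmware provides. The vendor hostnames in the embedded sample are constructed placeholders under the reserved .example domain, not the real entries found on the compromised devices.

```shell
#!/bin/sh
# Added example, not code from the original post or from QNAP: scan a hosts
# file for entries that "blackhole" names by mapping them to 0.0.0.0 (or to
# loopback, for names that are not the local host), and emit a cleaned copy.

# Names that legitimately map to loopback and are therefore not reported.
LEGIT_LOOPBACK='localhost localhost.localdomain ip6-localhost ip6-loopback'

# Print one "ip name" pair per line for every suspicious mapping in file $1.
find_blackholed_hosts() {
    sed 's/#.*//' "$1" | awk -v legit=" $LEGIT_LOOPBACK " '
        NF >= 2 {
            ip = $1
            for (i = 2; i <= NF; i++) {
                name = $i
                if (ip == "0.0.0.0") {
                    print ip, name
                } else if ((ip == "127.0.0.1" || ip == "::1") && index(legit, " " name " ") == 0) {
                    print ip, name
                }
            }
        }'
}

# Number of suspicious mappings in file $1 (0 means the file looks clean).
count_blackholed_hosts() {
    find_blackholed_hosts "$1" | wc -l | tr -d ' '
}

# Copy of file $1 with the suspicious lines dropped; comments and legitimate
# static mappings are kept. On an infected device the malware rewrites the
# file at reboot, so a cleaned copy only helps until the next boot and the
# scan has to be repeated afterwards.
strip_blackholed_entries() {
    awk -v legit=" $LEGIT_LOOPBACK " '
        {
            line = $0
            sub(/#.*/, "", line)
            n = split(line, f)
            drop = 0
            if (n >= 2) {
                if (f[1] == "0.0.0.0") {
                    drop = 1
                } else if (f[1] == "127.0.0.1" || f[1] == "::1") {
                    for (i = 2; i <= n; i++) {
                        if (index(legit, " " f[i] " ") == 0) { drop = 1 }
                    }
                }
            }
            if (!drop) { print $0 }
        }' "$1"
}

# Constructed sample hosts file for the demo. The vendor names are
# placeholders under the reserved .example domain, not the real entries
# seen on compromised devices. Prints the path of the temp file.
make_sample_hosts() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
# constructed sample, not a real capture
127.0.0.1   localhost localhost.localdomain
::1         localhost ip6-localhost ip6-loopback
10.0.0.5    nas-backup.internal   # legitimate static mapping
0.0.0.0     update.vendor.example
0.0.0.0     download.vendor.example eu1.vendor.example
127.0.0.1   av.vendor.example
EOF
    printf '%s\n' "$sample"
}

# Run as "sh hosts_check.sh /etc/hosts" on the NAS, or with no argument to
# scan the constructed sample.
demo() {
    target=${1:-}
    if [ -z "$target" ]; then
        target=$(make_sample_hosts)
    fi
    echo "Suspicious entries in $target: $(count_blackholed_hosts "$target")"
    find_blackholed_hosts "$target"
}

demo "${1:-}"
```

On the sample the scan reports four suspicious mappings (the three 0.0.0.0 entries plus the loopback mapping of a non-local name) and the cleaned copy reports none. Because the post notes that the file is rewritten on reboot, the useful procedure is to reboot, run the scan again, and treat a non-zero count after reboot as evidence of the persistent infection rather than of a leftover edit.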

A customer has confirmed that once the entries are removed all updates succeed as expected, but the unfortunate news is that once the device is rebooted the hosts file is modified again, indicating that the malware is persistent.

After some forum discussion QNAP eventually published a security advisory on their website which, although it includes some recommendations and workarounds, does not explain the malware or the vulnerability. It states:

“A recently reported malware is known to affect QNAP NAS devices. We are currently analyzing the malware and will provide the solution as soon as possible.”

A few days later it appears that QNAP are still none the wiser as to the cause of the compromise, and they still cannot confirm which devices and models are impacted.

Customers affected by the malware have been recommended to run QNAP's Malware Remover tool, but for some this proved ineffective, as it appears to be supported only on certain models.

This malware infection, for now at least, remains a mystery.

Is this the first sign of something more sinister? Who knows, but my thoughts immediately track back to last year's router wiper malware dubbed VPNFilter, which infected more than 500,000 devices worldwide. VPNFilter had multiple stages to its behaviour and included numerous malicious payloads aimed at wreaking havoc, so let's hope not, hey.

For now, any QNAP admins out there should ensure that their devices are placed in their own network segment so that traffic to and from the device can be controlled. If the device does not need Internet connectivity, disable it, and check the hosts file again after every reboot, since on infected devices it is rewritten at boot.


Ironshare – Security Simplified