Many people run their NAS (network attached storage) units ‘live’ on the internet in order to access files and data when out of the home or office. Security researchers have, however, recently discovered that a number of popular QNAP NAS devices which were exposed to the internet have been infected with malware that has modified their firmware and stolen credentials.

The method of infection isn’t yet fully understood, but it appears that only NAS units which are publicly reachable on the internet have been infected. Once installed, the malware prevents the NAS from updating itself automatically and stops the built-in AV scanning tools from running. According to Bleeping Computer, the malware does the following:

  • Operating system timed jobs and scripts are modified (cron jobs, init scripts)
  • Firmware updates are prevented by overwriting the update sources completely
  • The QNAP MalwareRemover app is prevented from running
  • All usernames and passwords related to the device are retrieved and sent to the C2 server
  • The malware has modular capacity to load new features from the C2 servers for further activities
  • Call-home activity to the C2 servers is set to run at set intervals
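The fixed-interval call-home behaviour in the last item above is something a defender can look for in the NAS’s outbound traffic. The following Python example is added here and is not from the original post or from Bleeping Computer: it parses a few constructed, syslog-style egress log lines, groups outbound connections by source and destination, and flags pairs whose inter-connection intervals are nearly constant. The log format, the NAS address 192.168.1.50 and the destination addresses are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample egress log lines (the format itself is an assumption).
# 192.168.1.50 plays the NAS; 203.0.113.10 plays a call-home destination.
SAMPLE_LOG = """\
2019-11-01T10:00:00 OUT src=192.168.1.50 dst=203.0.113.10 dport=443
2019-11-01T10:02:15 OUT src=192.168.1.50 dst=198.51.100.7 dport=443
2019-11-01T10:30:01 OUT src=192.168.1.50 dst=203.0.113.10 dport=443
2019-11-01T10:41:50 OUT src=192.168.1.50 dst=198.51.100.7 dport=443
2019-11-01T11:00:00 OUT src=192.168.1.50 dst=203.0.113.10 dport=443
2019-11-01T11:03:09 OUT src=192.168.1.50 dst=198.51.100.7 dport=443
2019-11-01T11:29:59 OUT src=192.168.1.50 dst=203.0.113.10 dport=443
2019-11-01T11:45:30 OUT src=192.168.1.50 dst=198.51.100.7 dport=443
2019-11-01T12:00:01 OUT src=192.168.1.50 dst=203.0.113.10 dport=443
"""

def parse_log(text):
    """Return {(src, dst): [timestamps]} for outbound (OUT) log lines."""
    flows = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1] != "OUT":
            continue
        fields = dict(p.split("=", 1) for p in parts[2:])
        ts = datetime.fromisoformat(parts[0])
        flows[(fields["src"], fields["dst"])].append(ts)
    return flows

def find_beacons(flows, min_hits=4, max_jitter=0.05):
    """Flag (src, dst) pairs whose inter-connection gaps are near-constant.
    max_jitter caps stdev/mean of the gaps; returns {(src, dst): mean gap (s)}.
    """
    beacons = {}
    for key, stamps in flows.items():
        if len(stamps) < min_hits:          # too few connections to judge
            continue
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons

if __name__ == "__main__":
    for (src, dst), interval in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: regular call-home every ~{interval:.0f}s")
```

In the sample, the 203.0.113.10 flow is flagged (five connections roughly 30 minutes apart), while the 198.51.100.7 flow is not because its intervals vary widely.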

Remediation involves a factory reset of the NAS to ensure that the malware is removed; however, given that this process is destructive to data, it’s critical that the NAS is backed up first. Whilst a manual firmware upgrade may be possible on an infected device, only a factory reset can guarantee removal of the malware.