The UK National Cyber Security Centre and CISA in the USA have issued a joint alert detailing the risk posed by the Qsnatch/Derek malware which attacks QNAP NAS devices.
The National Cyber Security Centre states in the alert:
All QNAP NAS devices are potentially vulnerable to QSnatch malware if not updated with the latest security fixes. The malware has infected thousands of devices worldwide with a particularly high number of infections in North America and Europe. Further, once a device has been infected, attackers can prevent administrators from successfully running firmware updates.
Qsnatch/Derek has been observed during 2019 attacking Network Attached Storage devices manufactured by QNAP. The NCSC alert reports that in mid-June 2020 there were still some 62,000 infected devices visible world wide, and around 3,900 in the UK.
The infection vector has not been identified but once installed the malware injects modules into the firmware of the device. Qsnatch/Derek performs several activities including logging passwords, exfiltrating files and opens an SSH backdown to the device. The malware also alters the device configuration preventing it from downloading updates from QNAP. Only a full factory reset is able to remove the malware from the device firmware.
System Administrators are advised to assume that all passwords on the device have been compromised and must be changed before the device is returned to use.