Threat Coverage

Jul 28, 2020

SafeBreach Hacker’s Playbook Updated for US-CERT Alert (AA20-209A) Potential Legacy Risk from Malware Targeting QNAP NAS Devices


SafeBreach Labs has updated the Hacker’s Playbook™ with new simulations for the IOCs described in US-CERT Alert (AA20-209A) Potential Legacy Risk from Malware Targeting QNAP NAS Devices, as well as an updated attack method for network tunneling.

This alert addresses the increase in attacks using QSnatch malware, which has now affected over 62,000 QNAP network attached storage (NAS) devices around the world. The attack is notable for how it persists: the malware modifies the device’s hosts file so that the core domain names the NAS relies on resolve to local, out-of-date copies, which means firmware updates and other security fixes can never be installed. Once a device is infected, the attackers have full control of it and any attempt to update it is blocked. Recovery requires a full factory reset before the firmware upgrade, because the malware prevents administrators from installing the firmware that would remove it.
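The hosts-file persistence described above is cheap to check for on any Linux-based NAS from which you can export the hosts file. The following is an added example, not SafeBreach’s code and not part of the original post: it parses a hosts file and flags any entry that pins a hostname the device’s update or security services depend on (such names should resolve through DNS and never appear in the hosts file at all), marking the ones pointed at loopback, unspecified, private, link-local or reserved space as sinkholed. The watched suffix `example-nas-vendor.test` and the sample hosts content are assumptions constructed for this example; substitute your vendor’s real update hostnames.

```python
import ipaddress
from typing import Dict, List, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Hostnames (and their subdomains) that the device's update and security
# services are assumed to depend on. Hypothetical placeholder; replace it
# with your vendor's real update/security hostnames.
WATCHED_SUFFIXES = ("example-nas-vendor.test",)

# Constructed sample hosts file, not captured from a real device. The three
# pinned vendor names mimic the QSnatch technique of forcing update domains to
# resolve locally so the device can never fetch a fix.
SAMPLE_HOSTS = """\
127.0.0.1    localhost
::1          localhost ip6-localhost
192.168.1.20 nas.local            # legitimate LAN alias
127.0.0.1    update.example-nas-vendor.test
0.0.0.0      security.example-nas-vendor.test
10.0.0.5     cloud.example-nas-vendor.test   # redirected to a LAN host
"""


def parse_hosts(text: str) -> List[Tuple[IPAddr, List[str]]]:
    """Parse hosts-file syntax: one address followed by one or more names per
    line. Comments (#...) and blank lines are ignored; lines with a malformed
    address are skipped rather than raised on, since a tampered file may be
    deliberately odd and we still want to see the rest of it."""
    entries: List[Tuple[IPAddr, List[str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append((addr, fields[1:]))
    return entries


def is_watched(name: str) -> bool:
    """True if the hostname is, or is under, one of the watched suffixes."""
    n = name.lower().rstrip(".")
    return any(n == s or n.endswith("." + s) for s in WATCHED_SUFFIXES)


def is_sinkhole(addr: IPAddr) -> bool:
    """True for addresses that can never reach the vendor's real servers."""
    return (addr.is_loopback or addr.is_unspecified or addr.is_private
            or addr.is_link_local or addr.is_reserved)


def find_update_pins(text: str) -> List[Dict[str, object]]:
    """Return one finding per watched hostname present in the hosts file.
    Any such entry is suspicious on its own; 'sinkholed' marks the ones
    pointed at non-routable space, which is the QSnatch update-blocking case."""
    findings: List[Dict[str, object]] = []
    for addr, names in parse_hosts(text):
        for name in names:
            if is_watched(name):
                findings.append({"host": name.lower().rstrip("."),
                                 "ip": str(addr),
                                 "sinkholed": is_sinkhole(addr)})
    return findings


if __name__ == "__main__":
    # On a live device: find_update_pins(open("/etc/hosts").read())
    for f in find_update_pins(SAMPLE_HOSTS):
        print(f"{f['host']:40s} -> {f['ip']:12s} sinkholed={f['sinkholed']}")
```

Run it against a hosts file pulled from the device (or from a backup) rather than over the network: a device that has already been sinkholed will happily serve stale answers for everything else too, so the exported file is the trustworthy artifact.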

NAS appliances from most vendors run Linux-based firmware, so QSnatch could plausibly be modified to target devices other than QNAP’s. It is essential that you test your security controls to ensure you are protected against this attack.

Note that the initial infection vector has not yet been identified. SafeBreach Labs will continue to monitor updates and will add further attacks to the SafeBreach Hacker’s Playbook if the infiltration techniques are identified.

Newly developed playbook methods related to AA20-209A:

  • #5338 – Write aa20209aQSnatch malware to disk (Host-Level)
  • #5339 – Transfer of aa20209aQSnatch malware over HTTP/S (Lateral Movement)
  • #5340 – Transfer of aa20209aQSnatch malware over HTTP/S (Infiltration)
  • #5341 – Email aa20209aQSnatch malware as a ZIP attachment (Lateral Movement)
  • #5342 – Email aa20209aQSnatch malware as a ZIP attachment (Infiltration)
  • #5343 – Write aa20209aQSnatch malware to disk (Host-Level)
  • #5344 – Transfer of aa20209aQSnatch malware over HTTP/S (Lateral Movement)
  • #5345 – Transfer of aa20209aQSnatch malware over HTTP/S (Infiltration)
  • #5346 – Email aa20209aQSnatch malware as a ZIP attachment (Lateral Movement)
  • #5347 – Email aa20209aQSnatch malware as a ZIP attachment (Infiltration)
  • #5348 – aa20209aQSnatch HTTP GET request between simulators

Existing playbook methods related to AA20-209A:

  • #1357 – “Create Cron scheduled task”
  • #1473 – “Write to HOSTS file (Linux)”

The new attack methods for US-CERT AA20-209A are already in the SafeBreach Hacker’s Playbook and ready to be run across your simulators. The Known Attack Series report is being updated so you can run just the attacks from this US-CERT alert: from the Known Attack Series report, select the US-CERT Alert AA20-209A (QSnatch) report and use the Run Simulations option to run all of its attack methods.

Updates for Testing T1090.003 Proxy: Multi-hop Proxy

SafeBreach Hacker’s Playbook #2262, “BBSwift – malware transfer and first communication – using TOR”, has been updated to test real C2 communication over Tor, as addressed in US-CERT Alert (AA20-198A) Malicious Cyber Actor Use of Network Tunneling and Spoofing to Obfuscate Geolocation. The update checks that security controls built around defined source IP addresses still hold when the activity is tunneled through Tor to deliberately mask its true origin.
