CYBERSECURITY NEWS V. 06.08 – 62,000 QNAP NAS devices infected, new Linux backdoor
hexway cybersecurity blog brings you the latest news about attacks and data breaches, emerging malware, and vendor security updates with comments from our experts
News for discussion
62,000 QNAP NAS devices infected
QSnatch is a malware that infects network attached storage devices (NAS). The first QSnatch attacks were recorded in 2014. Recently, the number of infections has grown from 7,000 devices in October 2019 to over 62,000 in mid-June 2020. Although the CISA and NCSC experts were able to analyze the current version of QSnatch, they still can’t figure out how it infects devices.
The story is as old as the hills: attackers scan the Internet looking for vulnerable devices, and some high-schoolers succeed at building yet another botnet. QNAP had their first botnet problem back in 2014, and in 2020 it hasn't got any better:
- Do attackers exploit more complex vulnerabilities to hack the devices?
Seems like they don't; they just look for devices with default passwords.
- Does QNAP pay more attention to information security?
Seems like they don't, since we don't see any improvements.
- Can we expect such attacks to cease?
Absolutely not. 6 years from now, we will read in the news that QSnatch has infected more devices.
New Linux backdoor
Doki is a Linux backdoor designed to take full control of new Alpine Linux servers. It exploits the Dogecoin blockchain to connect to its C&C server. The malware hides its behavior well: it went unnoticed for over half a year, although the first Doki samples appeared on VirusTotal back in January.
BootHole attack impacts Windows and Linux systems
The BootHole vulnerability allows attackers to interfere with the boot process before the operating system (OS) is launched and has a severity rating of 8.2. It is found in GRUB2, which is currently used as the main bootloader for all major Linux distributions. Vulnerable systems include servers and workstations, laptops and desktops, and possibly a large number of Linux-based OT and IoT systems.
File read vulnerability in Cisco firewalls
CVE-2020-3452 is a file read vulnerability affecting Cisco ASA and Cisco FTD. It allows remote attackers to read sensitive files on the target system without authentication. The flaw stems from a lack of input validation in HTTP requests processed by vulnerable devices. Although the patches for it were released last year, there are still unpatched systems that are being attacked. Devices are vulnerable only if they are running a vulnerable software version and are configured with WebVPN or AnyConnect functionality.