Unpatched QNAP Devices Are Being Hacked To Mine Cryptocurrency

Unpatched network-attached storage (NAS) devices are targeted in ongoing attacks where the attackers try to take them over and install cryptominer malware to mine for cryptocurrency.

The threat actors exploit two pre-auth remote command execution (RCE) vulnerabilities in the Helpdesk app patched by QNAP in October 2020.

Cryptomining malware discovered on NAS devices compromised during this campaign was named UnityMiner by researchers at Qihoo 360’s Network Security Research Lab (360 Netlab).

“We noticed the attacker customized the program by hiding the mining process and the real CPU memory resource usage information, so when the QNAP users check the system usage via the WEB management interface, they cannot see the abnormal system behavior,” the report says.

360 Netlab informed QNAP of the ongoing cryptomining campaign on March 3rd, one day after noting the attacks.

All NAS devices with QNAP firmware released before August 2020 are currently vulnerable to these attacks.

The researchers discovered 4,297,426 potentially vulnerable QNAP NAS devices online using the company’s 360 Quake cyberspace mapping system.

Even though QNAP hasn’t published an advisory to warn customers of the active attacks, the company urged customers last month to update the Surveillance Station and Helpdesk apps to patch recently discovered security vulnerabilities.

“To ensure the security of their QNAP NAS, users are urged to install their applicable update(s) at the earliest convenience,” QNAP said.

“Alongside these software updates and published security advisories, QNAP has also sent individual notification emails to known Surveillance Station users, to minimize the impact caused by the issue.”

In January, QNAP warned customers of another series of attacks that infect and exploit QNAP NAS devices to mine bitcoin without their knowledge.

That warning came after a November QNAP knowledgebase article explaining that NAS devices running dovecat and dedpma processes are compromised and are running Bitcoin miner malware.
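A check for the two process names from that knowledgebase article, run over SSH against the process table instead of the web interface. This is an added example, not code from QNAP or 360 Netlab; the `scan_proc` function and its optional proc-root argument are assumptions that let the scan run against a test fixture.

```shell
#!/bin/sh
# Added example: scan a /proc-style tree for the process names the article
# lists as indicators of a compromised NAS.

IOC_NAMES="dovecat dedpma"   # process names taken from the article

# scan_proc [proc_root]
#   Prints "<pid> <name>" for every matching process.
#   Returns 0 if at least one match was found, 1 otherwise.
#   proc_root defaults to /proc (the argument is an assumption for testing).
scan_proc() {
    root="${1:-/proc}"
    found=1
    for dir in "$root"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid="${dir##*/}"
        comm=""
        argv0=""
        # comm is the kernel's short task name; cmdline is NUL-separated argv.
        [ -r "$dir/comm" ] && comm=$(cat "$dir/comm" 2>/dev/null)
        [ -r "$dir/cmdline" ] && \
            argv0=$(tr '\0' '\n' < "$dir/cmdline" 2>/dev/null | head -n 1)
        for ioc in $IOC_NAMES; do
            # Match the task name or the basename of argv[0], so a binary
            # started from an arbitrary directory is still reported.
            if [ "$comm" = "$ioc" ] || [ "${argv0##*/}" = "$ioc" ]; then
                echo "$pid $ioc"
                found=0
                break
            fi
        done
    done
    return $found
}

# Run the scan only when invoked as: sh script.sh run
if [ "${1:-}" = "run" ]; then
    if scan_proc; then
        echo "Indicator process name found: treat the device as compromised"
    else
        echo "No dovecat or dedpma process names seen"
    fi
fi
```

A name match is only an indicator, and a clean result covers these two names only, not other miners such as UnityMiner.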

NAS devices under siege

QNAP’s NAS devices have been under attack for a while now, with customers being warned of QSnatch malware and Muhstik Ransomware infections in September and October 2019.

An eCh0raix Ransomware (aka QNAPCrypt) campaign also targeted QNAP NAS devices with outdated QTS firmware and weak passwords during August 2019.

More recently, in September 2020, QNAP informed customers of a wave of AgeLocker Ransomware attacks on publicly exposed NAS devices.

All QNAP NAS owners should go through the following checklist to secure their NAS and check for malware:

  • Change all passwords for all accounts on the device
  • Remove unknown user accounts from the device
  • Make sure the device firmware is up-to-date and all of the applications are also updated
  • Remove unknown or unused applications from the device
  • Install QNAP MalwareRemover application via the App Center functionality
  • Set an access control list for the device (Control panel -> Security -> Security level)

Additional technical details for the UnityMiner cryptomining malware and a list of all firmware releases known to be vulnerable are available in 360 Netlab’s report.
