Bitcoin Mining Malware

Network-attached storage (NAS) appliance maker QNAP on Tuesday released a new advisory warning of a cryptocurrency mining malware targeting its devices, urging customers to take preventive steps with immediate effect.

"A bitcoin miner has been reported to target QNAP NAS. Once a NAS is infected, CPU usage becomes unusually high where a process named '[oom_reaper]' could occupy around 50% of the total CPU usage," the Taiwanese company said in an alert. "This process mimics a kernel process but its [process identifier] is usually greater than 1000."
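
The indicator in QNAP's alert, a userland process posing under a kernel-thread name, can be checked from `/proc`. The script below is an added example, not QNAP tooling or part of the advisory; `find_fake_kthreads` is a hypothetical helper, and it assumes (beyond the advisory) that genuine kernel threads have an empty `cmdline` and are PID 2 (`kthreadd`) or one of its children.

```shell
#!/bin/sh
# Added example (not QNAP tooling): list processes that display a
# kernel-thread style name such as "[oom_reaper]" but are userland processes.
# Assumption beyond the advisory: genuine kernel threads have an empty
# /proc/PID/cmdline and are PID 2 (kthreadd) or one of its children.

find_fake_kthreads() {   # hypothetical helper; usage: find_fake_kthreads [PROC_ROOT]
    root="${1:-/proc}"
    for dir in "$root"/[0-9]*; do
        pid="${dir##*/}"
        status=$(cat "$dir/status" 2>/dev/null) || continue   # process may have exited
        ppid=$(printf '%s\n' "$status" | sed -n 's/^PPid:[[:space:]]*//p')
        comm=$(printf '%s\n' "$status" | sed -n 's/^Name:[[:space:]]*//p')
        state=$(printf '%s\n' "$status" | sed -n 's/^State:[[:space:]]*\(.\).*/\1/p')
        [ "$state" = "Z" ] && continue        # zombies have no cmdline either
        # argv[0] is the first NUL-terminated string in cmdline
        argv0=$(tr '\000' '\n' 2>/dev/null < "$dir/cmdline" | head -n 1)
        if [ -n "$argv0" ]; then
            shown="$argv0"                    # name chosen by the process itself
        elif [ "$pid" = 2 ] || [ "$ppid" = 2 ]; then
            continue                          # real kernel thread
        else
            shown="[$comm]"                   # ps brackets names with no cmdline
        fi
        case "$shown" in
            \[*\]) printf '%s %s %s\n' "$pid" "$ppid" "$shown" ;;
        esac
    done
    return 0
}

# Output columns: PID PPID displayed-name. Compare PID with the advisory's hint.
find_fake_kthreads "${1:-/proc}"
```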


QNAP said it's currently investigating the infections, but did not share more information on the initial access vector that's being used to compromise the NAS devices. Affected users can remove the malware by restarting the appliances.

In the interim, the company is recommending that users update their QTS (and QuTS Hero) operating systems to the latest version, enforce strong passwords for administrator and other user accounts, and refrain from exposing the NAS devices to the internet.

QNAP NAS devices have been a lucrative target for a number of malicious campaigns in recent years.

In July 2020, cybersecurity agencies in the U.S. and U.K. issued a joint bulletin about a threat that infected the NAS devices with a data-stealing malware dubbed QSnatch (or Derek). In December 2020, the device maker warned of two high-severity cross-site scripting flaws (CVE-2020-2495 and CVE-2020-2496) that enabled remote adversaries to take over the devices.


Then in March 2021, Qihoo 360's Network Security Research Lab disclosed a cryptocurrency campaign that exploited two security flaws in the firmware — CVE-2020-2506 and CVE-2020-2507 — to gain root privileges and deploy a miner called UnityMiner on compromised devices. And as of April this year, QNAP NAS devices have also been the target of eCh0raix and Qlocker ransomware attacks.
