QNAP warns of new crypto-miner targeting its NAS devices
Taiwanese hardware vendor QNAP has released a new security advisory today warning users that a new strain of crypto-mining malware is targeting its network-attached storage (NAS) devices.
The company did not share any information on how the devices were being compromised but said that once the malware got a foothold on infected systems, it would create a process named [oom_reaper] that would take up around 50% of the CPU’s total usage.
“This process mimics a kernel process but its PID is usually greater than 1000,” QNAP said today.
While the infections are being investigated, QNAP told customers to take proactive measures against the attacks, such as updating their devices’ operating systems (known as QTS or QuTS) and all QNAP add-on apps.
In addition, the company also told users to change all their NAS account passwords, as it was unsure if the attackers exploited a vulnerability or just brute-forced an internet-connected QNAP system that used a weak password.
To remove the infection from affected devices, QNAP told customers to reboot systems and download and install the company’s “Malware Remover” tool from the device’s built-in App Center. Instructions on how to perform all the three steps above are detailed step-by-step in the company’s advisory.
Past malware ops targeting QNAP systems
But in hindsight, the Taiwanese company is used by this point to malware gangs targeting its devices.
Over the past few years, ransomware strains like Muhstik, Qlocker, eCh0raix, and AgeLocker have all targeted QNAP devices, with hackers gaining access to customer NAS systems, encrypting users’ data, and then asking for small ransom payments.
Crypto-mining malware has been rarer, but it has also happened before.
In late 2020 and early 2021, QNAP NAS devices were targeted by the Dovecat crypto-mining malware, which abused weak passwords to gain a foothold on QNAP systems.
The company’s NAS devices were also targeted in 2019 and 2020 by the QSnatch malware, which CISA and the UK NCSC said infected around 62,000 systems by mid-June 2020. QSnatch didn’t include crypto-mining features but included an SSH password stealer and exfiltration capabilities, which were the main reasons national cybersecurity agencies in the US, the UK, Finland, and Germany got involved and sent national alerts about the botnet’s operations.