QNAP warned customers today of ongoing attacks targeting their NAS (network-attached storage) devices with cryptomining malware, urging them to take immediate measures to protect their devices.
The cryptominer deployed in this campaign on compromised devices will create a new process named [oom_reaper] that will mine for Bitcoin cryptocurrency.
While running, the malware can take up to 50% of all CPU resources and will mimic a kernel process with a PID higher than 1000.
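The masquerade described above can be checked from a shell on the device. The script below is an added example, not part of QNAP's advisory; it assumes standard Linux /proc behaviour (genuine kernel threads are children of kthreadd, PID 2, and have an empty command line), and the function name scan_fake_kthreads is hypothetical.

```shell
#!/bin/sh
# Added example: flag userland processes posing as the kernel's oom_reaper thread.
# Assumption (standard Linux behaviour, not stated on the page): genuine
# kernel threads are children of kthreadd (PID 2) and have an empty cmdline.

# scan_fake_kthreads [PROC_ROOT]
# Prints one "pid ppid comm reasons" line per suspicious process.
scan_fake_kthreads() {
    root=${1:-/proc}
    for d in "$root"/[0-9]*; do
        [ -r "$d/stat" ] || continue
        stat=$(cat "$d/stat" 2>/dev/null) || continue   # process may have exited
        pid=${d##*/}

        # stat format: pid (comm) state ppid ...; comm may contain spaces or ")"
        comm=${stat#*\(}
        comm=${comm%\)*}
        rest=${stat##*\) }
        set -- $rest
        ppid=$2

        # cmdline is NUL-separated and empty for real kernel threads
        args=$(tr '\0' ' ' 2>/dev/null < "$d/cmdline") || args=""

        case "$comm $args" in
            *oom_reaper*) ;;
            *) continue ;;
        esac

        reason=""
        [ "$ppid" = "2" ] || reason="parent-not-kthreadd"
        [ -z "$args" ] || reason="${reason:+$reason,}has-cmdline"
        # The page notes the fake process has a PID higher than 1000
        if [ "$pid" -gt 1000 ]; then reason="${reason:+$reason,}pid-above-1000"; fi

        # A high PID alone proves nothing; require a userland trait as well
        case "$reason" in
            *parent-not-kthreadd*|*has-cmdline*)
                printf '%s %s %s %s\n' "$pid" "$ppid" "$comm" "$reason" ;;
        esac
    done
    return 0
}

scan_fake_kthreads "${1:-/proc}"
```

No output means no process matching the name showed userland traits; the real kernel thread is never reported, whatever its PID.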
“We strongly recommend users to act immediately to protect their device,” QNAP said in a security advisory published today. “If you have any questions regarding this issue, please contact us through the QNAP Helpdesk.”
Customers who suspect their NAS is infected with this bitcoin miner are advised to restart their device, which may remove the malware.
QNAP also recommends customers take the following measures to protect their devices from these attacks:
- Update QTS or QuTS hero to the latest version.
- Install and update Malware Remover to the latest version.
- Use stronger passwords for your administrator and other user accounts.
- Update all installed applications to their latest versions.
- Do not expose your NAS to the internet, or avoid using default system port numbers 443 and 8080.
You can find detailed information on the steps required for each of the actions above in today’s security advisory.
QNAP NAS devices under siege
NAS devices are an attractive target for attackers, and this is not the first time QNAP systems were targeted by cryptomining malware this year.
In March, researchers at Qihoo 360’s Network Security Research Lab (360 Netlab) revealed that a cryptominer dubbed UnityMiner was hijacking QNAP NAS devices unpatched against two pre-auth remote command execution (RCE) vulnerabilities in the Helpdesk app.
In January, QNAP users were also urged to defend their devices from a malware campaign that made them unusable after spawning dovecat and dedpma processes that would hog almost all system resources.
QNAP also notified customers of eCh0raix ransomware (also known as QNAPCrypt) attacks in May (as well as in June 2019 and June 2020). This alert came just two weeks after another warning of an AgeLocker ransomware outbreak.
A massive Qlocker ransomware campaign also started hitting vulnerable QNAP devices beginning mid-April. The attackers made $260,000 in just five days by locking the victims’ data using the 7zip open-source file archiver.
QNAP customers who want to further secure their NAS devices from attacks are advised to follow these best practices.