A new variety of crypto-mining malware is targeting QNAP’s network-attached storage (NAS) devices, according to a security alert posted today by the Taiwanese hardware firm. QNAP did not reveal how the devices were infected, but it did say that once the malware gains a foothold on an affected device, it starts a process called [oom reaper] that consumes about half of the CPU’s total capacity.
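An added example (not from QNAP's alert or the original article): one way to check a process listing for the symptom described above. It assumes input in the column order of `ps -eo pid,ppid,pcpu,args` from a full procps `ps`, which may differ on QTS, and relies on the general Linux fact that genuine kernel threads, including the kernel's own `oom_reaper`, are children of kthreadd (PID 2); the 40% CPU threshold and the sample listing are constructed.

```python
import re

# Constructed sample, column order of `ps -eo pid,ppid,pcpu,args`.
SAMPLE_PS = """\
  PID  PPID %CPU COMMAND
    1     0  0.0 /sbin/init
    2     0  0.0 [kthreadd]
   37     2  0.0 [oom_reaper]
 1523     1  0.3 /usr/sbin/sshd -D
 8841     1 49.7 [oom_reaper]
"""

KTHREADD_PID = 2          # parent of every genuine kernel thread
CPU_THRESHOLD = 40.0      # assumption: "about half" of the CPU, with margin
WATCHED = {"oomreaper"}   # name from the alert, separators stripped


def parse(text):
    """Yield (pid, ppid, cpu, command) for each well-formed row."""
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4 or not parts[0].isdigit():
            continue  # header or malformed row
        yield int(parts[0]), int(parts[1]), float(parts[2]), parts[3].strip()


def find_suspects(text):
    """Return (pid, command, reasons) for bracket-named processes that
    do not behave like kernel threads."""
    suspects = []
    for pid, ppid, cpu, cmd in parse(text):
        m = re.fullmatch(r"\[(.+)\]", cmd)
        if not m:
            continue  # ordinary userland command line
        reasons = []
        if pid != KTHREADD_PID and ppid != KTHREADD_PID:
            reasons.append("bracketed name but parent is not kthreadd")
        if cpu >= CPU_THRESHOLD:
            reasons.append(f"sustained CPU {cpu:.1f}%")
        # Match "[oom reaper]" and "[oom_reaper]" alike.
        name = re.sub(r"[^a-z0-9]", "", m.group(1).lower())
        if reasons and name in WATCHED:
            reasons.append("name matches the alert")
        if reasons:
            suspects.append((pid, cmd, reasons))
    return suspects


if __name__ == "__main__":
    for pid, cmd, reasons in find_suspects(SAMPLE_PS):
        print(pid, cmd, "; ".join(reasons))
```

A userland process that clears its own argument vector can also appear in brackets, so a hit on the parent check alone is a lead to investigate rather than proof of infection.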
While the infections are being examined, QNAP advised consumers to protect themselves by upgrading their devices’ operating systems (QTS or QuTS) and any QNAP add-on software. In addition, the firm advised customers to update all of their NAS account passwords because it was unclear whether the attackers exploited a flaw or just brute-forced a weak password on an internet-connected QNAP machine.
QNAP advised consumers to reset their computers and download and install its “Malware Remover” utility from the device’s built-in App Center to eradicate the infection. The company’s guidance provides step-by-step instructions on how to complete all three procedures above. The Taiwanese company’s devices have been a recurring target for malware gangs.
In recent years, ransomware variants such as Muhstik, Qlocker, eCh0raix, and AgeLocker have all targeted QNAP devices, with hackers obtaining access to client NAS systems, encrypting customers’ data, and then demanding small ransom payments. Crypto-mining malware has been less common, but it has occurred before. QNAP NAS devices were targeted by the Dovecat crypto-mining malware in late 2020 and early 2021, which used weak passwords to gain access to QNAP systems.
In 2019 and 2020, the QSnatch malware targeted the company’s NAS equipment, infecting roughly 62,000 systems by mid-June 2020, according to CISA and the UK NCSC. QSnatch didn’t have crypto-mining capabilities, but it did have an SSH password stealer and exfiltration capabilities, which were the primary reasons national cybersecurity agencies in the United States, the United Kingdom, Finland, and Germany became involved and issued national alerts about the botnet’s operations.