QNAP’s unpatched network-attached-storage (NAS) devices are the most recent targets in ongoing attacks, which are aimed at taking them over for use in a cryptocurrency mining campaign, The malware exploits two unauthorized remote command execution vulnerabilities, known as CVE-2020-2506 and CVE-2020-2507
We named the mining program UnityMiner, we noticed the attacker customized the program by hiding the mining process and the real CPU memory resource usage information, so when the QNAP users check the system usage via the WEB management interface, they cannot see the abnormal system behavior.
The program was customized by keeping the crypto mining process and the real CPU memory resource usage details under the radar in order to hide the malicious activity from QNAP owners.
The NAS devices have been targeted for several months, with warnings of infections regarding QSnatch malware, Muhstik Ransomware infections, the eChOraix Ransomware campaign, and AgeLocker Ransomware attacks going back to August 2019.
The mining program consists of unity_install.sh and Quick.tar.gz. unity_install.sh is used to download & set up & start the mining program and hijack the manaRequest.cgi program in the original device; Quick.tar.gz contains the miner program, the miner configuration file, the miner startup script and the forged manaRequest.cgi. Unity is the XMRig miner program.
All NAS devices with QNAP firmware released before August 2020 are currently vulnerable to these attacks, therefore all QNAP NAS users are advised to check and update their firmware as soon as possible.
The cyber analysts reported no less than 4,297,426 QNAP NAS potentially vulnerable devices exposed online, of which 951,486 have unique IP addresses. It is worth mentioning that most of them are located in the USA, China, and Italy.
If you own a QNAP NAS device, you should take the necessary steps to secure it. Change your passwords for all accounts on it, update device firmware and applications, and remove unknown users and applications from it.