QNAP warns customers of threat actors targeting their NAS devices with cryptocurrency miners. Upon compromising the devices, the miner will create a new process named [oom_reaper] that allows threat actors to mine Bitcoin
The above process could occupy around 50% of the total CPU usage while mimicking a kernel process, but the vendor notices that the associated PID is usually greater than 1000. Customers can contact the company through the QNAP Helpdesk for any questions regarding this campaign.
The Bitcoin miner employed in the campaign seems to lack of persistence mechanism, this means that restarting the device may remove the malware.
QNAP recommends customers the following actions to protect their devices:
- Update QTS or QuTS hero to the latest version.
- Install and update Malware Remover to the latest version.
- Use stronger passwords for your administrator and other user accounts.
- Update all installed applications to their latest versions.
- Do not expose your NAS to the internet or avoid using default system port numbers 443 and 8080.