Hacking

UnityMiner targets unpatched QNAP NAS in cryptocurrency mining campaign

Experts warn of ongoing attacks targeting QNAP network-attached storage (NAS) devices to abuse them in cryptocurrency mining.

Researchers at 360Netlab are warning of a cryptocurrency malware campaign targeting unpatched QNAP network-attached storage (NAS) devices.

Threat actors are exploiting two unauthorized remote command execution vulnerabilities, tracked as CVE-2020-2506 & CVE-2020-2507, in the Helpdesk app that have been fixed by the vendor in October 2020.

The flaws affect QNAP NAS firmware versions prior to August 2020.

The malware involved in the campaign was dubbed UnityMiner by 360 Netlab experts.

“On March 2, 2021, 360Netlab Threat Detection System started to report attacks targeting the widely used QNAP NAS devices via the unauthorized remote command execution vulnerability (CVE-2020-2506 & CVE-2020-2507, upon successful attack, the attacker will gain root privilege on the device and perform malicious mining activities.” reads the analysis published by 360 Netlab.

Threat actors customized the program by hiding the mining process and the real CPU memory resource usage information to hide the malicious activity to QNAP owners that could check their system usage via the WEB management interface.

The mining program is composed of unity_install.sh and Quick.tar.gz. unity_install.sh downloads, set up and execute cryptocurrency miner and hijack the manaRequest.cgi program of the NAS. Quick.tar.gz contains the miner program, the miner configuration file, the miner startup script and the forged manaRequest.cgi. Unity is an XMRig cryptocurrency miner.

360 Netlab shared its findings with the vendor on March 3rd, and due to the possible big impact, the researchers publicly disclosed the attacks.

All NAS devices with QNAP firmware released before August 2020 are currently vulnerable to these attacks. 

The experts reported 4,297,426 QNAP NAS potentially vulnerable devices exposed online, 951,486 having unique IP addresses, most of them are located in the United States, China, and Italy.

qnap NAS distribution_enqnap NAS distribution_en

QNAP NAS users should check and update their firmware as soon as possible.

In January, the Taiwanese vendor QNAP published a security advisory to warn customers of a new piece of malware named Dovecat that was targeting NAS devices. The malware was designed to abuse NAS resources and mine cryptocurrency.

In December, QNAP released security updates to fix eight vulnerabilities that could be exploited by attackers to over unpatched NAS devices.

The list of vulnerabilities addressed by QNAP is available here, it includes XSS and command injection issues. The flaws fixed by the vendor are rated as medium and high severity security.

In September, while the AgeLocker ransomware was continuing to target QNAP NAS systems, the Taiwanese vendor urged customers to update the firmware and apps.

In early August, the Taiwanese company urged its users to update the Malware Remover app to prevent NAS devices from being infected by the QSnatch malware.

In June the company also warned of eCh0raix ransomware attacks that targeted its NAS devices.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, qnap NAS)

[adrotate banner=”5″]

[adrotate banner=”13″]

.

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Nova Scotia Power discloses data breach after March security incident

Nova Scotia Power confirmed a data breach involving the theft of sensitive customer data after…

3 hours ago

Coinbase disclosed a data breach after an extortion attempt

Coinbase confirmed rogue contractors stole customer data and demanded a $20M ransom in a breach…

6 hours ago

U.S. CISA adds a Fortinet flaw to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Fortinet vulnerability to its Known Exploited Vulnerabilities…

15 hours ago

Kosovo authorities extradited admin of the cybercrime marketplace BlackDB.cc

Kosovar citizen extradited to the US for running the cybercrime marketplace BlackDB.cc appeared in federal…

16 hours ago

U.S. CISA adds Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Windows flaws to its Known Exploited…

1 day ago

Ivanti fixed two EPMM flaws exploited in limited attacks

Ivanti addressed two Endpoint Manager Mobile (EPMM) software vulnerabilities that have been exploited in limited…

1 day ago