Taiwanese vendor QNAP warns customers of threat actors targeting their NAS devices with cryptocurrency miners. Upon compromising the devices, the miner will create a new process named [oom_reaper] that allows threat actors to mine Bitcoin
The above process could occupy around 50% of the total CPU usage while mimicking a kernel process, but the vendor notices that the associated PID is usually greater than 1000.
“A bitcoin miner has been reported to target QNAP NAS. Once a NAS is infected, CPU usage becomes unusually high where a process named “[oom_reaper]” could occupy around 50% of the total CPU usage. This process mimics a kernel process but its PID is usually greater than 1000.” reads the advisory published by the vendor. “We strongly recommend users to act immediately to protect their device.”
Customers can contact the company through the QNAP Helpdesk for any questions regarding this campaign.
The Bitcoin miner employed in the campaign seems to lack of persistence mechanism, this means that restarting the device may remove the malware.
QNAP recommends customers the following actions to protect their devices:
Unfortunately, QNAP NAS devices were targeted by multiple malware campaigns in the last few years. In August, a new variant of the eCh0raix ransomware targeted the devices of the Taiwanese companies QNAP and Synology.
In May, QNAP warned customers of threat actors that are targeting its Network Attached Storage (NAS) devices with eCh0raix ransomware attacks and exploiting a Roon Server zero-day vulnerability.
The Taiwanese vendor was informed of ongoing eCh0raix ransomware attacks that infected QNAP NAS devices using weak passwords.
Independent experts observed a surge in eCh0raix ransomware infection reports between April 19 and April 26.
In the same period, the vendor also warned its users of an ongoing AgeLocker ransomware outbreak.
In May, the Taiwanese vendor warned customers of updating the HBS 3 disaster recovery app running on their Network Attached Storage (NAS) devices to prevent Qlocker ransomware infections.
In 2019, Anomali researchers reported a wave of eCh0raix attacks against Synology NAS devices, threat actors conducted brute-force attacks against them.
Follow me on Twitter: @securityaffairs and Facebook
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, IoT)
[adrotate banner=”5″]
[adrotate banner=”13″]