Crypto-Miner Campaign Targets Unpatched QNAP NAS Devices

Owners of popular QNAP Systems network attached storage (NAS) devices are being warned that a malicious cryptocurrency campaign is actively exploiting two critical firmware bugs in systems that have not yet been patched.

QNAP fixed the flaws in October 2020; however, researchers at Qihoo 360’s Network Security Research Lab report a widening campaign targeting over 100 unpatched firmware versions used by 4.3 million of the company’s NAS devices.

The bugs affect prior versions of QNAP’s 3.0.3 Helpdesk firmware. The bug, tracked as CVE-2020-2506, is an improper-access-control vulnerability that allows attackers to obtain control of a QNAP device. The second flaw, identified as CVE-2020-2507, is a “command injection vulnerability [and] could allow remote attackers to run arbitrary commands,” according to an October QNAP security advisory.

What We Know About UnityMiner

Disproportionately impacted are the 1.1 million QNAP NAS users within the United States (554,481) and China (550,465) – representing nearly 80 percent of total global infections, according to a recent mapping of QNAP devices visible online.

Researchers at 360 Netlab are calling the crypto-mining malware infecting the devices UnityMiner. It is unclear what the history of UnityMiner is and who is behind it, as there doesn’t appear to be any previous reports on the malware.

“We named the mining program UnityMiner, we noticed the attacker customized the program by hiding the mining process and the real CPU memory resource usage information, so when the QNAP users check the system usage via the WEB management interface, they cannot see the abnormal system behavior,” wrote 360 Netlab’s in a recently published analysis.

Critical QNAP Bugs Explained

Researchers at 360 Netlab identified over 100 versions of the QNAP NAS firmware vulnerable attack, released prior to the company’s August 2020 update correcting the problem.

“QNAP NAS users should check and update their firmware promptly,” wrote researchers. In addition to updating firmware, they said QNAP owners should monitor or block rogue IPs and URLs detailed in a limited analysis of the attack. Researchers explained that no public proof-of-concepts or technical details of the vulnerability have been made public in an effort to help QNAP mitigate the issues and limit attacks.

Basics of the campaign include the UnityMiner installer executable – named unity_install.sh and Quick.tar.gz – used by adversaries to setup and start “the mining program and hijack the manaRequest.cgi program in the original device,” researchers wrote.

The Quick.tar.gz contains the miner program, the miner configuration file, the miner startup script and the forged manaRequest.cgi, researchers explained.

UnityMiner then exploits the QNAP Helpdesk processes, “rename the system file /home/httpd/cgi-bin/management/manaRequest.cgi to manaRequests.cgi (this file is responsible for viewing and modifying the system information of the device),” they said.

Interestingly, the unknown adversaries behind the attacks use their own proxy pool, in an effort to hide their Monero cryptocurrency wallet.

Indicators of compromise include NAS devices configured for proxy pools “aquamangts.tk:12933”, “a.aquamangts.tk:12933” and “b.aquamangts.tk:12933.” Also, according to researchers, the miner uses variations of the proxy and URLs with the root “aquamangts”.

Mitigation includes updating the QNAP Helpdesk firmware to the latest version.

NAS Devices: Often a Juicy Target

Network attached storage devices have long been a popular target for cybercriminals and QNAP has not bucked the trend. In December, the device maker warned of a high-severity flaw that also allowed remote adversaries to take over devices by exploiting one of two cross-site scripting bugs (CVE-2020-2495 and CVE-2020-2496).

Another incident impacting QNAP occurred in 2019 when hackers targeted the devices with malware dubbed QSnatch. Another incident was also reported the same year, when ransomware (called QNAPCrypt) targeting Linux-based NAS devices – including QNAP.

Other NAS vendors have been equally impacted. Zyxel NAS devices were targeted last year by adversaries behind the Mirai botnet who targeted a critical pre-authentication command injection vulnerability. Other NAS vendors impacted by bugs include LenovoEMC, Seagate and Netgear.

Check out our free ****upcoming live webinar events****_ – unique, dynamic discussions with cybersecurity experts and the Threatpost community:_
· March 24: Economics of 0-Day Disclosures: The Good, Bad and Ugly (Learn more and register!)
· April 21: Underground Markets: A Tour of the Dark Economy (Learn more and register!)