If you have a QNAP network-attached storage drive, you need to go and patch it now. Earlier in March 2020, security researchers at Qihoo's 360 Netlab identified a vulnerability in QNAP NAS devices under active exploitation.
Patch Your QNAP NAS
Attackers are attempting to take control of QNAP NAS hardware to install cryptocurrency mining malware, which mines cryptocurrency on behalf of the attacker.
The research team at 360 Netlab believes there are over 4 million vulnerable QNAP NAS devices online with over 950,000 unique IP addresses, all mapped using Qihoo's Quake mapping system.
The vulnerability relates to two remote command execution vulnerabilities, CVE-2020-2506 and CVE-2020-2507, which, when exploited, allows the attacker to gain root privilege on the compromised NAS. Once an attacker has root access, they can do almost what they want on the machine.
Although the vulnerabilities are serious, the research team has not made its exploit proof-of-concept public nor released any technical details relating to the vulnerabilities, giving affected QNAP users time to patch their hardware.
We named the mining program UnityMiner, we noticed the attacker customized the program by hiding the mining process and the real CPU memory resource usage information, so when the QNAP users check the system usage via the WEB management interface, they cannot see the abnormal system behavior.
Any QNAP NAS device with firmware installed before August 2020 is currently vulnerable to the exploit, covering around 100 different versions of QNAP's NAS firmware. The Qihoo 360 Netlab blog post details the crypto-mining malware in more detail, including every firmware version currently affected.
QNAP NAS users should head to the QNAP patch page, download the latest patches, and install them as soon as possible. While QNAP hasn't yet made a direct response to Qihoo's revelations regarding the vulnerability, this is the most recent patch available for the hardware.
QNAP NAS Boxes Previously Targeted
This isn't the first time QNAP's NAS hardware has been targeted.
In December 2020, QNAP issued a warning regarding two high-severity cross-site scripting bugs that allowed an attacker remote access. Before that, in September 2020, QNAP users were hit by the AgeLocker ransomware, which infected thousands of publicly exposed QNAP NAS devices.
Yet another ransomware variant also specifically targeted QNAP NAS devices, too, the big giveaway being the name: QNAPCrypt. That said, the QNAPCrypt ransomware also targeted other NAS providers, such as Synology, Seagate, and Netgear.
For the time being, QNAP users should head to the previously linked patch page and follow the instructions to protect online devices.