UnityMiner cryptocurrency malware hijacks QNAP storage devices

Updated: A remote code execution bug is to blame this time.

A cryptocurrency miner is being deployed on QNAP NAS devices through a remote code execution flaw.

QNAP, a Taiwanese vendor, manufactures hardware including network-attached storage (NAS) devices, products used to provide additional, centralized storage in home and business use cases. 

On March 2, 360Netlab researchers received reports that QNAP NAS devices were subject to a new wave of attacks. 

Internet of Things (IoT) and associated devices are commonly hijacked through brute-force attacks and via credential theft. However, in this case, two vulnerabilities leading to remote code execution (RCE) are thought to be to blame. 

The vulnerabilities are tracked as CVE-2020-2506 and CVE-2020-2507. According to QNAP, the Helpdesk app security issues combine improper access control and a command injection vulnerability which can be used to trigger RCE and hijack NAS devices. 

The critical vulnerabilities were disclosed in a security advisory dated October 7, 2020. Devices that contain firmware prior to August are vulnerable. 

360Netlab researchers estimate that "hundreds of thousands of online QNAP NAS devices" have not been patched. An online mapping scan, as of last week, detected 4,297,426 QNAP NAS devices -- with 951,486 unique IPs -- that may remain vulnerable. 

The team says that these products are susceptible to full hijacking through attackers gaining root privileges -- and this allows them to deploy cryptocurrency mining malware. 

The miner is called UnityMiner. This malware, which utilizes a version of open source XMRig -- used to mine Monero (XMR) -- is able to disguise the mining process and tamper with reported CPU memory resource usage data in an attempt to hide its presence on a compromised machine. 

"When QNAP users check the system usage via the web management interface, they cannot see the abnormal system behavior," the researchers note. 

Once deployed on a target machine, the malware consists of unity_install.sh and Quick.tar.gz, which together contain download instructions, the payload, and configuration data. 

The CPU architecture will be checked so the correct miner version can be installed, and as of now, UnityMiner is compatible with ARM64 and AMD64. Only half of the available cores are used for mining, likely in another effort to stay under the radar and not overload the infected NAS device. 

Three pool proxies are used to disguise the address of the wallet where cryptocurrency, after mining, is stored. 

360Netlab contacted QNAP with its findings on March 3. 

In January, QNAP published a security advisory warning of the active exploit of Dovecat, malware that compromises NAS devices via weak credentials for the purpose of cryptocurrency mining. 

Update 8.54 am GMT: QNAP said the company "has been actively monitoring emerging IT security intelligence to deliver up-to-date information and software updates, ensuring dependable data security for QNAP users." The company pointed ZDNet toward a recent product security news piece urging users to update. 

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0