Crypto mining malware continue their attack on the Network-Attached Storage (NAS)
NAS are products of QNAP, a popular Taiwanese storage manufacturer. It is similar to an external storage device that can be expandable up to 16 Terabytes.
The researchers first discovered the malware at Qihoo 360's Network Security Research Lab (360 Netlab).
The attack happens in two segments. The attacker gains control of the QNAP device and runs arbitrary commands.
360 Netlab reports on March 2, 2021, about attacks through the QNAP NAS devices via unauthorized remote command execution vulnerability, where the attackers gain privileges on the device, similar to admin rights, and perform malicious mining activities.
360 Netlab named this attacker as the UnityMiner, derived from the fact that the attacker uses a customized program to use NAS' memory resource for covert crypto mining.
QNAP has already warned its customers of these attacks since last January about the system's mining for bitcoin without their knowledge.
The attack happens by exploiting the vulnerability of a pre-existing patched remote code execution (RCE) and enables attackers to break into a user's device and use it for crypto mining.
UnityMiner is an attack that could potentially infect all QNAP NAS devices running on the firmware.
You Are at Risk if You See These Codes
The code "unity_install.sh" is used to download, set-up, and start the mining program. This hijacks the "manaRequest.cgi" program from the original device. The program "unity_install.sh" also sets the mining parameters by the number of CPU cores, ensuring that the user can only use half of it.
"manaRequest.cgi" hijacks the system's original file to tamper with the execution results. This will make the CPU usage and temp all look under normal processing.
"quick.tar.gz." contains the miner program, configuration file, startup script, and re-forged version of "manaRequest.cgi."
"start.sh" is the file responsible for modifying the system information and altering the user views as 'working system.'
For your security, be sure to check if any of these programs are installed in your NAS and destroy it.
The Damages Of This Attack
360 FirmwareTotal says that all QNAP NAS firmware before August 2020 is at a vulnerability risk.
The atter uses a program that hides the real CPU memory resource, so when QNAP scans the system for errors, it does not detect the abnormal system.
360 Netlab refuses to disclose the technical details of the vulnerability to protect QNAP users and the thousands of online QNAP NAS devices connected with the system.
QNAP advises users to update their firmware to disable these attacks.
An article by Sergie Galtan in BleepingComputer gives a specific checklist to secure the NAS user's storage and check for malware.
Change all passwords for all accounts on the device
Remove unknown user accounts from the device
Make sure the device firmware is up-to-date, and all of the applications are also updated
Remove unknown or unused applications from the device
Install QNAP MalwareRemover application via the App Center functionality
Set an access control list for the device (Control panel -> Security -> Security level)
Although these system attacks run deep, QNAP ensures to take measures to protect their user's privacy.
This article is owned by Tech Times
Written by Czarina Grace Del Valle