Skip to main content

Hackers Exploit QNAP Vulnerabilities to Turn NAS Devices Into Crypto Miners

QNAP NAS
(Image credit: Shutterstock)

Qihoo 360's Network Security Research Lab said Friday that vulnerabilities in QNAP products have been exploited to turn NAS devices into cryptocurrency miners. Those devices were tampered with to hide their CPU usage, too, making it difficult for their owners to discover something was wrong if they checked their system's diagnostics.

It seems like the efforts were pretty straightforward: Attackers reportedly exploited vulnerabilities in QNAP products to gain root access to them, installed mining software that was configured to use only half of the available CPU cores, and then covered their tracks by making CPU usage rates and temperatures appear normal.

The cryptocurrency mined by a single NAS isn't worth the trouble of finding a vulnerability, exploiting it, and configuring it in this manner. The attackers probably had no intention of limiting their efforts to a single NAS, however. Schemes like this are all about achieving as much scale as possible as quickly as possible.

Put another way: It wouldn't matter if each affected NAS only net the hackers $0.01 every day so long as they were able to infect a decent number of devices. They would also offset the costs of crypto mining—namely the upfront costs of buying a device and the ongoing cost of powering it—to their victims. All gain, no pain.

Note that while CPU mining of cryptocurrencies generally takes a back seat to GPU and ASIC mining, certain algorithms (specifically CryptoNightR used in Monero) can provide decent returns. Even an old Core i5-7600K 4-core CPU can do about $0.15-$0.20 per day (not counting electrical costs), while an i9-9900K can do nearly $0.50 per day. Infecting tens of thousands of NAS devices obviously gets into large sums of cryptocurrency very quickly, and Monero also happens to be a 'privacy coin' — meaning it's not possible to track where coin transfers go.

The researchers didn't offer many specifics, however, because they "speculate that there are still hundreds of thousands of online QNAP NAS devices with the vulnerability." That's a fraction of the nearly 4.3 million online devices they said they found using one of their security tools, but it's still nothing to sneeze at.

That number might be lower if the researchers had followed the industry standard process of giving vendors 90 days to respond to vulnerability disclosures. Instead the researchers at 360 Netlab said they discovered the scheme on March 2 and disclosed it to QNAP on March 3. They published a blog post about it on March 5.

The researchers said they rushed to share their discovery with the public "due to the possible big impact" of the security flaws. We've reached out to QNAP to confirm the timeline established in 360 Netlab's blog post as well as its potential impact and will update this post if the company responds.

For now, the researchers at 360 Netlab said the vulnerabilities it discovered were present in all of the QNAP NAS firmware released before August 2020. Ensuring a device has the most recent firmware should limit its exposure, and the researchers provided a list of IPs and URLs to block for additional security, too.

  • NightHawkRMX
    @USAFRet I know you have a qnap and might find this information useful.
    Reply
  • scottsoapbox
    Nathaniel, They would be offloading the costs of crypto mining to their victims, not offsetting them.
    Reply
  • USAFRet
    NightHawkRMX said:
    @USAFRet I know you have a qnap and might find this information useful.
    Thanks.
    Easy to mitigate:

    Don't have the thing accessible to the outside. Or if you do, push only. No incoming.
    Disable the original admin acct. New accounts and strong passwords.
    Firmware. QNAP pushes out a new one every 4-6 weeks. If you're still on a firmware version of pre Aug 2020, you're a fool (just like regular Windows/Linux/Apple OS updates)
    Disable UPnP
    Reply
  • atomicWAR
    Me, "I have a bag of potatoes."

    Crypto Miner, "I can get 5 MH/s with those with the proper materials and tuning!"
    Reply
  • Integr8d
    This exact same thing happened to Synology like 7 or 8 years ago. You had to ssh in to look at the pids to see if you’d been affected. The activity was hidden from the GUI. Clever stuff. But undoubtedly far more effective back then.
    Reply