Hackers Exploit QNAP Vulnerabilities to Turn NAS Devices Into Crypto Miners

Qihoo 360's Network Security Research Lab said Friday that vulnerabilities in QNAP products have been exploited to turn NAS devices into cryptocurrency miners. Those devices were tampered with to hide their CPU usage, too, making it difficult for their owners to discover something was wrong if they checked their system's diagnostics.

It seems like the efforts were pretty straightforward: Attackers reportedly exploited vulnerabilities in QNAP products to gain root access to them, installed mining software that was configured to use only half of the available CPU cores, and then covered their tracks by making CPU usage rates and temperatures appear normal.
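One way to check for this independently of the device's own diagnostics, as an added example that is not from the article or 360 Netlab's post: compare two snapshots of the kernel's per-core counters in `/proc/stat` and count saturated cores. The function names, the 90% threshold and the sample snapshots are assumptions made for illustration, and the check assumes the kernel counters themselves have not been tampered with.

```shell
#!/bin/sh
# Added example (not from the article): read per-core CPU load straight from
# /proc/stat snapshots instead of trusting the NAS resource monitor.
# Assumption: only the reporting layer lies, not the kernel counters.

# busy_cores BEFORE AFTER [THRESHOLD_PCT]  ->  prints "<saturated>/<total>"
busy_cores() {
    awk -v thr="${3:-90}" '
        /^cpu[0-9]+ / {                        # per-core lines only
            total = 0
            for (i = 2; i <= 9 && i <= NF; i++) total += $i   # user..steal
            idle = $5 + $6                     # idle + iowait
            if (NR == FNR) { t0[$1] = total; i0[$1] = idle; next }
            if (!($1 in t0)) next              # core absent from first snapshot
            dt = total - t0[$1]; di = idle - i0[$1]
            if (dt <= 0) next                  # counter did not advance
            n++
            if (100 * (dt - di) / dt >= thr) busy++
        }
        END { printf "%d/%d\n", busy, n }
    ' "$1" "$2"
}

# Returns 0 (worth investigating) when at least half of the cores are
# saturated, matching the half-of-the-cores miner setup described above.
half_cores_pinned() {
    r=$(busy_cores "$1" "$2" "${3:-90}")
    busy=${r%/*}; total=${r#*/}
    [ "$total" -gt 0 ] && [ $((busy * 2)) -ge "$total" ]
}

# Constructed snapshots (not real device data): 4 cores, cpu0 and cpu1 pinned.
write_sample() {
    cat > "$1/before" <<'EOF'
cpu  4000 0 2000 34000 0 0 0 0 0 0
cpu0 1000 0 500 8500 0 0 0 0 0 0
cpu1 1000 0 500 8500 0 0 0 0 0 0
cpu2 1000 0 500 8500 0 0 0 0 0 0
cpu3 1000 0 500 8500 0 0 0 0 0 0
EOF
    cat > "$1/after" <<'EOF'
cpu  6010 0 2030 35960 0 0 0 0 0 0
cpu0 1990 0 510 8500 0 0 0 0 0 0
cpu1 1990 0 510 8500 0 0 0 0 0 0
cpu2 1015 0 505 9480 0 0 0 0 0 0
cpu3 1015 0 505 9480 0 0 0 0 0 0
EOF
}
```

On a live device, copy `/proc/stat` to two files a few seconds apart over SSH and pass them to `busy_cores`; a result that disagrees with what the web interface shows is the signal to look at running processes.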

The cryptocurrency mined by a single NAS isn't worth the trouble of finding a vulnerability, exploiting it, and configuring the device in this manner. The attackers probably had no intention of limiting their efforts to a single NAS, however. Schemes like this are all about achieving as much scale as possible as quickly as possible.

The researchers said they rushed to share their discovery with the public "due to the possible big impact" of the security flaws. We've reached out to QNAP to confirm the timeline established in 360 Netlab's blog post as well as its potential impact and will update this post if the company responds.

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • NightHawkRMX
    @USAFRet I know you have a qnap and might find this information useful.
  • scottsoapbox
    Nathaniel, They would be offloading the costs of crypto mining to their victims, not offsetting them.
  • USAFRet
    NightHawkRMX said:
    @USAFRet I know you have a qnap and might find this information useful.
    Thanks.
    Easy to mitigate:

    Don't have the thing accessible to the outside. Or if you do, push only. No incoming.
    Disable the original admin acct. New accounts and strong passwords.
    Firmware. QNAP pushes out a new one every 4-6 weeks. If you're still on a firmware version of pre Aug 2020, you're a fool (just like regular Windows/Linux/Apple OS updates)
    Disable UPnP
  • atomicWAR
    Me, "I have a bag of potatoes."

    Crypto Miner, "I can get 5 MH/s with those with the proper materials and tuning!"
  • Integr8d
    This exact same thing happened to Synology like 7 or 8 years ago. You had to ssh in to look at the pids to see if you’d been affected. The activity was hidden from the GUI. Clever stuff. But undoubtedly far more effective back then.