U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Bitcoin Miner [oom_reaper] targets QNAP NAS devices

Taiwanese vendor QNAP warns customers of ongoing attacks targeting their NAS devices with cryptocurrency miners. Taiwanese vendor QNAP warns customers of threat actors targeting their NAS devices with cryptocurrency miners. Upon compromising the devices, the miner will create a new process named [oom_reaper] that allows threat actors to mine Bitcoin The above process could occupy […]

QNAP TS-464 NAS

Taiwanese vendor QNAP warns customers of ongoing attacks targeting their NAS devices with cryptocurrency miners.

Taiwanese vendor QNAP warns customers of threat actors targeting their NAS devices with cryptocurrency miners. Upon compromising the devices, the miner will create a new process named [oom_reaper] that allows threat actors to mine Bitcoin

The above process could occupy around 50% of the total CPU usage while mimicking a kernel process, but the vendor notices that the associated PID is usually greater than 1000.

“A bitcoin miner has been reported to target QNAP NAS. Once a NAS is infected, CPU usage becomes unusually high where a process named “[oom_reaper]” could occupy around 50% of the total CPU usage. This process mimics a kernel process but its PID is usually greater than 1000.” reads the advisory published by the vendor. “We strongly recommend users to act immediately to protect their device.”

Customers can contact the company through the QNAP Helpdesk for any questions regarding this campaign.

The Bitcoin miner employed in the campaign seems to lack of persistence mechanism, this means that restarting the device may remove the malware.

QNAP recommends customers the following actions to protect their devices:

  1. Update QTS or QuTS hero to the latest version.
  2. Install and update Malware Remover to the latest version.
  3. Use stronger passwords for your administrator and other user accounts.
  4. Update all installed applications to their latest versions.
  5. Do not expose your NAS to the internet, or avoid using default system port numbers 443 and 8080.

Unfortunately, QNAP NAS devices were targeted by multiple malware campaigns in the last few years. In August, a new variant of the eCh0raix ransomware targeted the devices of the Taiwanese companies QNAP and Synology.

In May, QNAP warned customers of threat actors that are targeting its Network Attached Storage (NAS) devices with eCh0raix ransomware attacks and exploiting a Roon Server zero-day vulnerability.

The Taiwanese vendor was informed of ongoing eCh0raix ransomware attacks that infected QNAP NAS devices using weak passwords.

Independent experts observed a surge in eCh0raix ransomware infection reports between April 19 and April 26.

In the same period, the vendor also warned its users of an ongoing AgeLocker ransomware outbreak.

In May, the Taiwanese vendor warned customers of updating the HBS 3 disaster recovery app running on their Network Attached Storage (NAS) devices to prevent Qlocker ransomware infections.

In 2019, Anomali researchers reported a wave of eCh0raix attacks against Synology NAS devices, threat actors conducted brute-force attacks against them.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, IoT)

[adrotate banner=”5″]

[adrotate banner=”13″]