QNAP, one of the leading manufacturers of NAS devices, has once again been hit by a crypto-malware intrusion. This time it has raised grave concern among its users: the culprit is 'Dovecat,' a crypto-mining malware strain discovered in the recent past. The strain primarily targets QNAP's line of Network-Attached Storage (NAS) devices, using their system resources to mine Bitcoin without users' consent. QNAP has issued an official notification asking its clients to stay vigilant for abnormal processes on their NAS devices and to protect the devices from infection.
Matthew Ruffell, the founder of Dapper Linux, identified this malware strain for the first time while conducting a threat analysis, and confirmed the presence of odd processes running in the background and exploiting system resources. After finding it on an Ubuntu system, the Canonical software engineer meticulously analyzed the malware's nature last year. According to his final report, the strain has the potential to infect any Linux-based system, but it is specifically designed to match the internal structure of QNAP NAS devices.
Its processes use high amounts of CPU and memory and run from the /tmp directory, which doesn't match any other service the system was running. There are also files in the /tmp directory owned by the service that is running the "dovecat" process in the background. All of that raises several red flags.
No legitimate program places files like these in /tmp, which is meant only for temporary storage. The malware uses /tmp only because any user can write there.
The problem has become much more widespread in the last three months, with many users reporting this malware campaign. Some QNAP clients even complain that their devices become unusable once affected. In fact, with cryptocurrency gaining traction lately, crypto-mining malware infections rose by 53% in the fourth quarter of last year.
Synology, another NAS provider, has not yet published any advisory, although some clients have complained about similar issues. This is not unprecedented for QNAP devices. The QNAP team has made creating a removal solution for the malware a priority.
Users with weak passwords on their QNAP NAS devices are prone to infection by this malware strain. The program is called 'Dovecat' because it tries to pass itself off on users' systems as Dovecot, a legitimate email daemon for Linux systems.
Responding to the problem, QNAP has also provided detailed best practices to reduce the overall risk of infection. These include updating QTS to the latest version, installing a firewall, and avoiding default port numbers.
QNAP users noticed that something was wrong with their NAS devices when they spotted two processes, Dovecat and dedpma, running continually in the background and consuming huge amounts of resources. The firm published a support post back in November confirming that the two processes are linked to Bitcoin-mining malware.
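The indicators described above (a binary running out of /tmp, and the process names dovecat and dedpma) can be checked with a short script. This is an added example, not QNAP's tooling or code from the original report; it assumes a Linux /proc layout and root access, and the sample PIDs, UIDs and paths in it are constructed. Run it with `--scan` on a live system or `--demo` for the embedded sample.

```shell
#!/bin/sh
# Added example (not QNAP's tooling): flag processes matching the article's indicators.
# Assumes a Linux /proc layout; run as root so every process's exe link is readable.

# collect: emit "PID UID EXE_PATH" for each running process.
collect() {
    for d in /proc/[0-9]*; do
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        [ -n "$exe" ] || continue
        uid=$(awk '/^Uid:/ {print $2; exit}' "$d/status" 2>/dev/null)
        echo "${d#/proc/} ${uid:-?} $exe"
    done
}

# classify: read "PID UID EXE_PATH" lines, print the suspicious ones with a reason.
classify() {
    while read -r pid uid exe; do
        path=${exe%" (deleted)"}   # kernel suffix when the binary was unlinked
        reason=""
        case "${path##*/}" in
            dovecat|dedpma) reason="name-match" ;;   # process names from the article
        esac
        case "$path" in
            /tmp/*) reason="${reason:+$reason,}runs-from-tmp" ;;
        esac
        if [ -n "$reason" ]; then echo "$pid $uid $path $reason"; fi
    done
    return 0
}

# sample: constructed input for an offline demo (PIDs, UIDs and paths are made up).
sample() {
    cat <<'EOF'
812 0 /usr/sbin/sshd
2291 1000 /tmp/dovecat
2295 1000 /tmp/dedpma (deleted)
3010 33 /tmp/.cache/worker
4100 0 /usr/sbin/dovecot
EOF
}

case "${1:-}" in
    --scan) collect | classify ;;   # live system
    --demo) sample | classify ;;    # constructed data above
esac
```

The genuine Dovecot daemon under /usr/sbin is not flagged, while any executable under /tmp is reported even if it uses a different name.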
The firm asks users to take some steps to defend against infection.
Given this malware infection, QNAP advised its clients to follow the best practices for enhancing their NAS devices' security. To block future attacks or malware infections, users must remove all suspicious or unknown accounts and apps from their NAS systems. Changing the passwords for all accounts and updating QTS and its apps to the latest versions should also help avoid attacks.