QNAP warns users to secure NAS devices against Dovecat malware

QNAP urges customers to secure their network-attached storage (NAS) devices against an ongoing malware campaign that infects and exploits them to mine bitcoin without their knowledge.

“According to analysis, QNAP NAS can become infected when they are connected to the Internet with weak user passwords,” QNAP says.

User reports of this malware campaign have been surfacing for at least three months [1, 2, 3], with customers saying that affected NAS devices are almost unusable due to the Bitcoin miner hogging up almost all CPU and memory resources.

QNAP also published a knowledgebase article in November explaining that NAS devices with dovecat and dedpma running processes are compromised and running a Bitcoin miner malware.

While Taiwanese NAS maker Synology has not yet issued an advisory related to this cryptojacking campaign, customer reports [1, 2] say that Synology devices have also been infected with this malware.

How to protect your NAS from attacks

The company urges users to take the following measures to defend against infections:

  • Update QTS to the latest version.
  • Install the latest version of Malware Remover.
  • Install Security Counselor and run with Intermediate Security Policy (or above).
  • Install a firewall.
  • Enable Network Access Protection to protect accounts from brute force attacks.
  • Use stronger admin passwords.
  • Use stronger passwords for database administrators.
  • Disable SSH and Telnet services if not in use.
  • Disable unused services and apps.
  • Avoid using default port numbers (80, 443, 8080, and 8081).

Customers are also advised to follow best practices for enhancing their NAS device’s security as detailed QNAP’s support website.

To block future attacks or malware infections affecting their devices, users should also remove all unknown or suspicious accounts and applications from their NAS systems.

They should also toggle off auto-router configuration and configure device access controls using myQNAPcloud.

Changing passwords for all accounts, as well as updating QTS and all QTS apps to the latest versions should also help prevent attacks.

Malware removal tool in development

“These actions can further enhance NAS security and make it harder for dovecat to enter your QNAP NAS,” the advisory adds.

The QNAP PSIRT has made it a priority to develop a solution that will remove dovecat from infected devices.”

QNAP’s NAS devices have been under siege before, with the company warning of QSnatch malware and Muhstik Ransomware infections in September and October 2019.

An eCh0raix Ransomware (also known as QNAPCrypt) campaign targeted QNAP NAS devices with outdated QTS firmware and weak passwords in August 2019.

More recently, in September 2020, QNAP also alerted customers of a recent wave of ransomware attacks AgeLocker Ransomware attacks targeting publicly exposed NAS devices.

AgeLocker targets older unpatched versions of Photo Station, encrypts the device’s data, and in some cases, steal files from the victim as BleepingComputer found.