QNAP Network Devices Targeted by New Dovecat Malware

QNAP, a Taiwan-based hardware vendor, has published a security advisory warning about a new malware threat. The malware named Dovecat is actively targeting Network-Attached Storage (NAS) devices. It uses local resources of the infected systems to mine cryptocurrency without users' knowledge.

What has happened?

The security advisory was released after the company started receiving reports from its users, last year, concerning two unknown processes (dovecat and dedpma). Both processes were consuming the device's memory and running non-stop to mine cryptocurrency, later identified as Dovecat.
  • The malware can infect Linux systems. However, it has been specifically created to target the internal structure of QNAP NAS devices. It propagates via targeting weak passwords.
  • The malware uses the dovecat process name for a certain reason. It tries to pass the security as Dovecot, a valid email daemon that comes along with the QNAP firmware and several Linux distros.
  • In addition, the same malware was reported to be targeting users of Synology NAS devices, where it managed to run without any problems.
  • The malware campaign was ongoing for at least three months and many NAS devices were infected and left unusable due to the Bitcoin miner using almost all CPU and memory resources.

Recent incidents 

  • Recently, a malware named VPNFilter had infected hundreds of networks, including QNAP, TP-Link, and Ubiquiti.
  • Last month, QNAP security team released updates to fix various critical vulnerabilities in NAS devices.

Conclusion

For the last two months, QNAP devices are under constant attack from ransomware that exploit unpatched vulnerabilities. Thus, experts suggest updating QTS to the latest version, using a firewall and strong admin passwords, disabling SSH/Telnet services if not in use, and avoid using default port numbers.

Cyware Publisher

Publisher

Cyware