[SECURITY ADVISORY] Bitcoin Miner [oom_reaper] | Bulletin ID: QSA-21-56

Toxic17
Ask me anything
Posts: 6477
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth

[SECURITY ADVISORY] Bitcoin Miner [oom_reaper] | Bulletin ID: QSA-21-56

Post by Toxic17 »

Taipei, Taiwan, December 7, 2021 - QNAP® has published security enhancements against security vulnerabilities that could affect specific versions of QNAP products. Please use the following information and solutions to correct the security issues and vulnerabilities.

Bitcoin Miner [oom_reaper]

Release date: December 7, 2021
Security ID: QSA-21-56
Affected products: All QNAP NAS

Summary

A bitcoin miner has been reported to target QNAP NAS. Once a NAS is infected, CPU usage becomes unusually high where a process named "[oom_reaper]" could occupy around 50% of the total CPU usage. This process mimics a kernel process but its PID is usually greater than 1000.

We strongly recommend that users act immediately to protect their device.

If you have any questions regarding this issue, please contact us through the QNAP Helpdesk.

Recommendation

To protect your device from infection, we recommend the following actions:
  1. Update QTS or QuTS hero to the latest version.
  2. Install and update Malware Remover to the latest version.
  3. Use stronger passwords for your administrator and other user accounts.
  4. Update all installed applications to their latest versions.
  5. Do not expose your NAS to the internet, or avoid using default system port numbers 443 and 8080.
If you suspect your NAS has been infected with the bitcoin miner, restarting the NAS may also remove the malware.
Updating QTS or QuTS hero
  1. Log on to QTS or QuTS hero as administrator.
  2. Go to Control Panel > System > Firmware Update.
  3. Under Live Update, click Check for Update.
    QTS or QuTS hero downloads and installs the latest available update.
Updating Malware Remover
  1. Log on to QTS or QuTS hero as administrator.
  2. Open the App Center and then click the search icon.
    A search box appears.
  3. Enter "Malware Remover".
    Malware Remover appears in the search results.
  4. Click Update.
    A confirmation message appears.
    Note: The Update button is not available if your Malware Remover is already up to date.
  5. Click OK.
    The application is updated.
Changing an Administrator Password
  1. Log on to QTS or QuTS hero as administrator.
  2. Click the profile picture on the QTS or QuTS hero Task Bar.
    The Options window opens.
  3. Click Change Password.
  4. Specify the old password.
  5. Specify the new password.
    QNAP recommends the following criteria to improve password strength:
    • At least 8 characters in length
    • Include both uppercase and lowercase characters
    • Include at least one number and one special character
    • Must not be the same as the username or the username reversed
    • Must not include characters that are consecutively repeated three or more times
  6. Verify the new password.
  7. Click Apply.
Changing User Passwords
  1. Log on to QTS or QuTS hero as administrator.
  2. Go to Control Panel > Privilege > Users.
  3. Select a user.
  4. Click Change Password.
    The Change Password window appears.
  5. Specify the old password.
  6. Specify the new password.
    QNAP recommends the following criteria to improve password strength:
    • At least 8 characters in length
    • Include both uppercase and lowercase characters
    • Include at least one number and one special character
    • Must not be the same as the username or the username reversed
    • Must not include characters that are consecutively repeated three or more times
  7. Verify the new password.
  8. Click Apply.
  9. Repeat the above steps to change passwords for other users.
Updating All Installed Applications
  1. Log on to QTS or QuTS hero as administrator.
  2. Go to App Center.
  3. Select My Apps.
  4. Next to Install Updates, click All.
    A confirmation message appears.
  5. Click OK.
    QTS or QuTS hero updates all your installed applications to their latest versions.
Changing the System Port Number
  1. Log on to QTS or QuTS hero as administrator.
  2. Go to Control Panel > System > General Settings > System Administration.
  3. Specify a new system port number.
    Warning: Do not use 443 or 8080.
  4. Click Apply.
    QTS or QuTS hero applies the new system port number.
 
Revision History: V1.0 (December 7, 2021) - Published
 
If you have any questions regarding this issue, please contact us at https://www.qnap.com/go/support-ticket/.
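The advisory's tell-tales (a "[oom_reaper]" name with a PID above 1000 and heavy CPU use) can be checked directly against /proc. The script below is an added example, not QNAP's or Malware Remover's code; it assumes a standard Linux procfs, where a genuine kernel thread has an empty /proc/<pid>/cmdline, kthreadd (PID 2) as its parent, and a stat name without brackets (the brackets seen in ps output are added by ps, not by the kernel).

```python
"""Flag a user-space process posing as the kernel's oom_reaper thread (added example)."""
import os
from dataclasses import dataclass

KTHREADD_PID = 2  # every genuine kernel thread is a child of kthreadd
PID_HINT = 1000   # the advisory's heuristic: the real thread is spawned early at boot

@dataclass
class ProcInfo:
    pid: int
    comm: str       # name from /proc/<pid>/stat; ps adds the brackets, the kernel does not
    ppid: int
    cmdline: bytes  # empty for real kernel threads

def parse_stat(pid: int, stat: str, cmdline: bytes) -> ProcInfo:
    # comm sits in parens and may itself contain spaces, so split on the last ')'
    comm = stat[stat.index("(") + 1:stat.rindex(")")]
    fields = stat[stat.rindex(")") + 2:].split()  # state, ppid, pgrp, ...
    return ProcInfo(pid, comm, int(fields[1]), cmdline)

def suspicious_reasons(p: ProcInfo) -> list[str]:
    """Why this oom_reaper look-alike is suspect; empty list if it looks genuine."""
    if p.comm.strip("[]") != "oom_reaper":
        return []
    reasons = []
    if p.comm != "oom_reaper":
        reasons.append("literal brackets in the process name")
    if p.cmdline:
        reasons.append("has a cmdline; kernel threads have none")
    if p.ppid != KTHREADD_PID:
        reasons.append(f"parent PID {p.ppid} is not kthreadd ({KTHREADD_PID})")
    if p.pid > PID_HINT:
        reasons.append(f"PID {p.pid} > {PID_HINT} (advisory heuristic, weak on its own)")
    return reasons

def scan_proc(root: str = "/proc") -> dict[int, list[str]]:
    findings = {}
    for entry in os.listdir(root):
        if not entry.isdigit():
            continue
        try:
            with open(f"{root}/{entry}/stat") as f:
                stat = f.read()
            with open(f"{root}/{entry}/cmdline", "rb") as f:
                cmdline = f.read()
        except OSError:  # process exited between listdir and open
            continue
        reasons = suspicious_reasons(parse_stat(int(entry), stat, cmdline))
        if reasons:
            findings[int(entry)] = reasons
    return findings
```

Called with no arguments on a live system, scan_proc() reads the real /proc and returns only the PIDs that fail at least one check; a genuine oom_reaper with a low PID, empty cmdline and kthreadd as parent produces no findings.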
TJMurphy66
Starting out
Posts: 13
Joined: Sat Jul 09, 2016 6:35 pm

Re: [SECURITY ADVISORY] Bitcoin Miner [oom_reaper] | Bulletin ID: QSA-21-56

Post by TJMurphy66 »

This one is really concerning and annoying!
I got the advisory email this morning, I went through the checklist and was already doing everything right. I thought I'd be fine but on checking this morning I have the oom_reaper process in the resource list.
All apps are kept up to date, I have Security Counsellor and Malware removal scheduled to run daily, I have McAfee antivirus running, the NAS is not exposed to the internet and the passwords are strong and the ports were all changed when advised back in April.
So where is this thing getting through then?

[Updated to say I've now updated the Firmware and I still have the oom_reaper process but it's showing as sleeping and using no memory. Not sure what that means to be honest.]
Toxic17
Ask me anything
Posts: 6477
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth

Re: [SECURITY ADVISORY] Bitcoin Miner [oom_reaper] | Bulletin ID: QSA-21-56

Post by Toxic17 »

TJMurphy66 wrote: Tue Dec 07, 2021 4:55 pm This one is really concerning and annoying!
I got the advisory email this morning, I went through the checklist and was already doing everything right. I thought I'd be fine but on checking this morning I have the oom_reaper process in the resource list.
All apps are kept up to date, I have Security Counsellor and Malware removal scheduled to run daily, I have McAfee antivirus running, the NAS is not exposed to the internet and the passwords are strong and the ports were all changed when advised back in April.
So where is this thing getting through then?

[Updated to say I've now updated the Firmware and I still have the oom_reaper process but it's showing as sleeping and using no memory. Not sure what that means to be honest.]
Raise a ticket with QNAP to investigate this further.
Regards Simon

Qnap Downloads
MyQNap.Org Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
When you ask a question, please include the following


NAS: TS-673A QuTS hero h5.1.2.2534 • TS-121 4.3.3.2420 • APC Back-UPS ES 700G
Network: VM Hub3: 500/50 • UniFi UDM Pro: 3.2.9 • UniFi Network Controller: 8.0.28
USW-Aggregation: 6.6.61 • US-16-150W: 6.6.61 • 2x USW Mini Flex 2.0.0 • UniFi AC Pro 6.6.62 • UniFi U6-LR 6.6.62
UniFi Protect: 2.11.21/8TB Skyhawk AI • 3x G3 Instants: 4.69.55 • UniFi G3 Flex: 4.69.55 • UniFi G5 Flex: 4.69.55
AlastairStevenson
Experience counts
Posts: 2415
Joined: Wed Jan 08, 2014 10:34 pm

Re: [SECURITY ADVISORY] Bitcoin Miner [oom_reaper] | Bulletin ID: QSA-21-56

Post by AlastairStevenson »

I think there is more to this than meets the eye.
It will be interesting to see what further info comes out.
Somehow I think QNAP must be implicated.

My TVS-473 is not exposed to the internet, there is no UPnP enabled on any device on the LAN, not even the router or the IP cameras.
There are no ports open and no external access configured - as periodically confirmed by ShieldsUp!
Malware Remover runs nightly and there have been no alerts.
And there are only a small number of Apps installed, and nothing that would normally be a security risk.
I'm very conscious of security risks, it's a topic I'm knowledgable and active in.

And yet -
[~] # ps -e | grep reap
632 admin SW [oom_reaper]
8160 admin 904 R grep reap
[~] # lsof | grep reap
lsof: no pwd entry for UID 306
lsof: no pwd entry for UID 306
lsof: no pwd entry for UID 306

<snip>

lsof: no pwd entry for UID 109
lsof: no pwd entry for UID 109
oom_reape 632 admin cwd DIR 0,19 580 1 /
oom_reape 632 admin rtd DIR 0,19 580 1 /
oom_reape 632 admin txt unknown /proc/632/exe
lsof: no pwd entry for UID 306
lsof: no pwd entry for UID 109
lsof: no pwd entry for UID 109
lsof: no pwd entry for UID 109
[~] # ll /proc/632/oo*
-rw-r--r-- 1 admin administrators 0 2021-12-07 10:09 /proc/632/oom_adj
-r--r--r-- 1 admin administrators 0 2021-12-07 10:09 /proc/632/oom_score
-rw-r--r-- 1 admin administrators 0 2021-12-07 10:09 /proc/632/oom_score_adj
[~] #
[~] #
[~] # cat /proc/632/oom_adj
0
[~] # cat /proc/632/oom_score
0
[~] # cat /proc/632/oom_score_adj
0
[~] #
Very strange!
And actually quite worrying.
TS-431+ for storage and media and a bunch of IP cams under Surveillance Station. TVS-473 as files backup and QVR Pro.
antik
Know my way around
Posts: 245
Joined: Mon May 18, 2015 2:51 pm

Re: [SECURITY ADVISORY] Bitcoin Miner [oom_reaper] | Bulletin ID: QSA-21-56

Post by antik »

Yes, "oom_reaper" is a Linux memory management function. The miner is "[oom_reaper]".
TVS-h1288X-W1250-128G (850W) + T3 card + QXG-10G1T + GIGABYTE RTX 4080 Super Gaming OC 16G (Silent FW) + 2x 2TB M.2 NVMe Kingston KC3000 (RAID0 - apps, Qsync, VM's) + 12x 2,5“ 3,84TB SATA SSD Kingston DC600M (RAID5 - VM's, data).

TVS-1282T3-i7-48G (450W) + QXG-10G1T + PALiT GeForce GTX 1660 Super GP OC + 2x 1TB M.2 NVMe ADATA SX8200PNP (RAID0 - apps) + 4x 2,5“ 3,84TB SATA SSD Samsung PM883 (RAID5 - data backup) + 8x 8TB Seagate IronWolf Pro (RAID6 - data backup).
TS-677-16GB + 1x 256GB SSD Samsung EVO (apps) + 3x 8TB Seagate Exos (RAID0 - QVR Pro cameras recording)
Network stuff (priority use of 10GbE): QHora-301W, QSW-804-4C, ASUS XG-U2008 and TP-Link TL-SG1008MP. Protected by 2x APC CYBERFORT II 700VA.
AlastairStevenson
Experience counts
Posts: 2415
Joined: Wed Jan 08, 2014 10:34 pm

Re: [SECURITY ADVISORY] Bitcoin Miner [oom_reaper] | Bulletin ID: QSA-21-56

Post by AlastairStevenson »

Oom_reaper seems to be a Linux process, called the Out Of Memory killer.
Be worried when the process has a PID of >1000
I think you are right, @antik

On looking further, in my TS-473 it's the normal Linux kernel process thread that helps to handle out-of-memory situations.
So in my specific case - nothing to be concerned about - it's a system PID, and no significant CPU utilised.
That's not to say that someone hasn't crafted some doppelganger malware.

There is some info here :
https://lwn.net/Articles/666024/
TS-431+ for storage and media and a bunch of IP cams under Surveillance Station. TVS-473 as files backup and QVR Pro.
TJMurphy66
Starting out
Posts: 13
Joined: Sat Jul 09, 2016 6:35 pm

Re: [SECURITY ADVISORY] Bitcoin Miner [oom_reaper] | Bulletin ID: QSA-21-56

Post by TJMurphy66 »

antik wrote: Tue Dec 07, 2021 7:29 pm Yes, "oom_reaper" is linux memory management function. Miner is "[oom_reaper]"
Thanks, that makes sense. The one on my system has no square brackets. Phew!
psvampa
New here
Posts: 6
Joined: Sun Jul 25, 2021 11:44 pm

Re: [SECURITY ADVISORY] Bitcoin Miner [oom_reaper] | Bulletin ID: QSA-21-56

Post by psvampa »

TJMurphy66 wrote: Tue Dec 07, 2021 4:55 pm This one is really concerning and annoying!
I got the advisory email this morning, I went through the checklist and was already doing everything right. I thought I'd be fine but on checking this morning I have the oom_reaper process in the resource list.
All apps are kept up to date, I have Security Counsellor and Malware removal scheduled to run daily, I have McAfee antivirus running, the NAS is not exposed to the internet and the passwords are strong and the ports were all changed when advised back in April.
So where is this thing getting through then?

[Updated to say I've now updated the Firmware and I still have the oom_reaper process but it's showing as sleeping and using no memory. Not sure what that means to be honest.]
I do not trust any of those recommendations. I am quite sure I was hit with this one 2 weeks ago. I have no evidence to post right now, however my oom_reaper was constantly using ~95% of the CPU power on my TS-251D. I have all the recommendations in place. I also have 2FA set for all the accounts.
After doing some investigation on my end and finding nothing I just restarted the appliance. After that it didn't happen again and I didn't notice any data corruption/loss. Since it didn't happen again and I didn't find any good reason I thought it could be just a one-time problem or something stuck.
I didn't open a ticket with QNAP because I have had two open tickets without a solution for a long time (longer than 2 months). They never solved any of the 4 tickets I opened and my experience with them was awful.

Cheers,
Toxic17
Ask me anything
Posts: 6477
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth

Re: [SECURITY ADVISORY] Bitcoin Miner [oom_reaper] | Bulletin ID: QSA-21-56

Post by Toxic17 »

antik wrote: Tue Dec 07, 2021 7:29 pm Yes, "oom_reaper" is linux memory management function. Miner is "[oom_reaper]"

read again:

"This process mimics a kernel process but its PID is usually greater than 1000."

So you may have a genuine [oom_reaper], but its process ID is higher than 1000.
Regards Simon

P3R
Guru
Posts: 13192
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [SECURITY ADVISORY] Bitcoin Miner [oom_reaper] | Bulletin ID: QSA-21-56

Post by P3R »

RAID has never been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!