{
	"id": "70946ea9-038a-4439-ad7b-4971b8805bca",
	"created_at": "2026-04-06T00:21:35.162017Z",
	"updated_at": "2026-04-10T03:24:17.972585Z",
	"deleted_at": null,
	"sha1_hash": "1abb9b0495af7f715143cacb2ce405463bb16b34",
	"title": "QNAP NAS users, make sure you check your system",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 347653,
	"plain_text": "QNAP NAS users, make sure you check your system\r\nBy Ma Yanlong\r\nPublished: 2021-03-05 · Archived: 2026-04-05 20:55:07 UTC\r\nBackground\r\nOn March 2, 2021, 360Netlab Threat Detection System started to report attacks targeting the widely used QNAP\r\nNAS devices via the unauthorized remote command execution vulnerability (CVE-2020-2506 \u0026 CVE-2020-2507)\r\n[1], upon successful attack, the attacker will gain root privilege on the device and perform malicious mining\r\nactivities.\r\nDue to the possible big impact, we contacted and informed the vendor on March 3, and decided to share some\r\ninformation with this quick blog.\r\nNote 1, there is currently no public available PoC for CVE-2020-2506 \u0026 CVE-2020-2507, also according to the\r\nvendor’s request, we are not disclosing the technical details of the vulnerability in order to protect QNAP NAS\r\nusers, we speculate that there are still hundreds of thousands of online QNAP NAS devices with the vulnerability.\r\nWe named the mining program UnityMiner, we noticed the attacker customized the program by hiding the mining\r\nprocess and the real CPU memory resource usage information, so when the QNAP users check the system usage\r\nvia the WEB management interface, they cannot see the abnormal system behavior.\r\nPreviously We have disclosed another QNAP NAS in-the-wild vulnerability attack here[2].\r\nVulnerability impact\r\nOur 360 FirmwareTotal system shows that the following models are affected by the vulnerabilities. The QNAP\r\nNAS installed Helpdesk app prior to August 2020 is affected. 
The following is the list of known models that could\r\nbe vulnerable.\r\nTVS-X73\r\nTVS-X71U\r\nTVS-X71\r\nTVS-X63\r\nTS-XA82\r\nTS-XA73\r\nTS-XA28A\r\nTS-X89U\r\nTS-X88\r\nTS-X85U\r\nTS-X85\r\nTS-X83XU\r\nTS-X82U\r\nTS-X82S\r\nTS-X82\r\nTS-X80U\r\nTS-X80\r\nTS-X77U\r\nTS-X77\r\nTS-X73U\r\nTS-X72U\r\nTS-X72\r\nTS-X63U\r\nTS-X53U\r\nTS-X53S\r\nTS-X53D\r\nTS-X53BU\r\nTS-X53B\r\nTS-X53A\r\nTS-X53\r\nTS-X51U\r\nTS-X51DU\r\nTS-X51B\r\nTS-X51A\r\nTS-X51\r\nTS-X35A\r\nTS-X28A\r\nTS-KVM\r\nTS-879U\r\nTS-879\r\nTS-870U\r\nTS-870\r\nTS-869U\r\nTS-869\r\nTS-859U\r\nTS-859\r\nTS-809U\r\nTS-809\r\nTS-670\r\nTS-669\r\nTS-659\r\nTS-639\r\nTS-569\r\nTS-559\r\nTS-509\r\nTS-470\r\nTS-469U\r\nTS-469\r\nTS-459U\r\nTS-459\r\nTS-439U\r\nTS-439PROII\r\nTS-439\r\nTS-421U\r\nTS-421\r\nTS-420U\r\nTS-420\r\nTS-419U\r\nTS-419P\r\nTS-412U\r\nTS-412\r\nTS-410\r\nTS-269\r\nTS-259\r\nTS-239PROII\r\nTS-239H\r\nTS-239\r\nTS-221\r\nTS-220\r\nTS-219\r\nTS-212\r\nTS-210\r\nTS-1679U\r\nTS-1279U\r\nTS-1270U\r\nTS-1269U\r\nTS-121\r\nTS-120\r\nTS-119\r\nTS-112\r\nTS-110\r\nTS-1079\r\nSS-839\r\nSS-439\r\nSS-2479U\r\nSS-1879U\r\nSS-1279U\r\nQGD-1600\r\nMustang-200\r\nIS-400\r\nHS-251\r\nHS-210\r\nAnd the following is the Geo breakdown of the devices online by using the 360 Quake cyberspace mapping\r\nsystem. Altogether there are 4,297,426 QNAP NAS, with 951,486 unique IPs.\r\nBrief analysis of the mining kit\r\n1. Overview\r\nThe mining program consists of unity_install.sh and Quick.tar.gz. 
unity_install.sh is used to\r\ndownload, set up and start the mining program and to hijack the manaRequest.cgi program on the original device;\r\nQuick.tar.gz contains the miner program, the miner configuration file, the miner startup script and the forged\r\nmanaRequest.cgi.\r\nUnity is the XMRig miner program\r\nQuick\r\n├── config.json\r\n├── manaRequest.cgi\r\n├── start.sh\r\n└── unity\r\n2. unity_install.sh\r\nCore functions:\r\nCheck if the unity process exists, and kill it if it does\r\nCheck the CPU architecture of the device and download the mining kit for the corresponding architecture;\r\ncurrently it only supports ARM64 and AMD64\r\nSet the mining parameters in config.json based on the number of CPU cores; the program makes sure it\r\nonly uses half of the cores for mining.\r\nUnpack the mining program, set cron and execute the mining script start.sh (once every minute, time\r\ninterval is set directly to * * * * * * )\r\n3. start.sh\r\nCore function:\r\nCheck for the unity process and start it if it does not exist.\r\nRename the system file /home/httpd/cgi-bin/management/manaRequest.cgi to manaRequests.cgi (this\r\nfile is responsible for viewing and modifying the system information of the device)\r\nCopy the manaRequest.cgi file from Quick.tar.gz to the /home/httpd/cgi-bin/management/\r\ndirectory, replacing the system's own file with the same name.\r\n4. config.json\r\nThe group uses its own Pool(Proxy), so the real XMR Wallet cannot be seen. There are 3 groups of mining\r\nconfigurations; the user is \"xmr2\", the pass is \"x\", and the Pool(Proxy) addresses are as follows.\r\naquamangts.tk:12933\r\na.aquamangts.tk:12933\r\nb.aquamangts.tk:12933\r\n5. 
manaRequest.cgi\r\nCore function:\r\nHijack the system's original file of the same name. After receiving an HTTP request, first detect whether there\r\nis a unity mining process in the system; if not, pass the HTTP request directly to the system's\r\noriginal file of the same name (which has been renamed to manaRequests.cgi) for processing, and then end\r\nexecution.\r\ncount=`ps -fe | grep unity | grep -v \"grep\"`\r\nif [ \"\" == \"$count\" ];then\r\n /home/httpd/cgi-bin/management/manaRequests.cgi\r\n exit 0\r\nfi\r\nIf the unity mining process exists on the system, after forwarding the HTTP request to the system's original\r\nfile of the same name for execution, log the results of the execution (to the .log.log file) and then\r\ntamper with the execution results by:\r\n1. Subtracting 50 from the CPU status data\r\n2. Deleting the unity process information from the execution result\r\nSo when a user suspects something is going on with the device and checks the usage, they will see pretty normal\r\nCPU usage and tempc, and all the system processes will look normal.\r\nSuggestions\r\nQNAP NAS users should check and update their firmware promptly.\r\nWe recommend that readers monitor and block relevant IPs and URLs mentioned in this blog.\r\nContact us\r\nReaders are always welcome to reach us on Twitter, or by email at netlab at 360\r\ndot cn.\r\nIoC\r\nIP:\r\n210.201.136.170 Taiwan ASN9311 HITRON TECHNOLOGY INC.\r\nMiner Proxy:\r\naquamangts.tk:12933\r\na.aquamangts.tk:12933\r\nb.aquamangts.tk:12933\r\nURL:\r\nhttp://c.aquamangts.tk:8080/QFS/install/unity_install.sh\r\nhttp://c.aquamangts.tk:8080/QFS/arm64/Quick.tar.gz\r\nhttp://c.aquamangts.tk:8080/QFS/amd64/Quick.tar.gz\r\nMD5:\r\n0f40086c9e96c9c11232a9175b26c644\r\n1eb01a23a122d077540f83b005abdbfc\r\n97015323b4fd840a40a9d40d2ad4e7af\r\nSource: 
https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/"
	],
	"report_names": [
		"qnap-nas-users-make-sure-you-check-your-system"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434895,
	"ts_updated_at": 1775791457,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1abb9b0495af7f715143cacb2ce405463bb16b34.pdf",
		"text": "https://archive.orkl.eu/1abb9b0495af7f715143cacb2ce405463bb16b34.txt",
		"img": "https://archive.orkl.eu/1abb9b0495af7f715143cacb2ce405463bb16b34.jpg"
	}
}