The hole seems to have been in the Photo Station app, so upgrade that one ASAP!
More info:
https://www.qnap.com/en/support/con_show.php?cid=116
(note to editor: there is a direct link from that advisory list, it is in the right-most column)
QNAP has issued a critical-rated warning for devices running its QTS operating system. According to the Friday advisory (second in this list, no direct link), malware has been discovered on devices that downloads and installs a vulnerable version of the firmware, QTS 4.2.5. The advisory doesn't identify the bugs the attack …
If you expose its WWW side to the net...
The hole was in their Photo Station app, which has a web interface. That's where they got in.
The malware was a bitcoin miner (AFAIK, maybe there were others?), and they have a malware remover app that they update whenever they know about nasties targeting their NAS models.
Users should check whether their firmware has been changed to 4.2.5, and if so, run the company's malware remover (version 2.1.2), and install QTS 4.3.3 if the device supports it; if not, users should install the latest official 4.2.5 release.
Run that past me once more, QNAP. If it's on a vulnerable version then update it if possible, else download the latest copy of the vulnerable version? i.e. your box is now fucked. I think they need to patch boxes that cannot run 4.3.n
So what's to stop them loading a "patched" version of any other version of the firmware? I'm assuming 4.2.5 was the latest available when they figured it out. How did the original infection occur as a previous poster stated?
There's clearly something we're not being told about the vulnerability of these systems and their firmware.
QNAP are not the most upfront organisation. They repeatedly insisted I was using an incompatible UPS when the system sent a power-out signal to the UPS on power loss. I was forced to buy another model in the same series of UPS (where the only difference was the battery size, no other difference) that was on the supported list. This also failed. They told me I'd bought a defective UPS. The UPS manufacturer got involved and, lo and behold, a patch was issued to the firmware. No mention of UPS fixes in it, but the problem went away. Blame-shifting deceitful bastards as far as I'm concerned.