Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Hacker Builds Massive Dogecoin Mining Operation With Synology NAS Boxes

Researchers at Dell SecureWorks have uncovered a massive Dogecoin mining operation using Synology Network Attached Storage (NAS) boxes.

Researchers at Dell SecureWorks have uncovered a massive Dogecoin mining operation using Synology Network Attached Storage (NAS) boxes.

The operation is believed to have netted a hacker more than $600,000 in the past two months. The situation came to light in February when users began reporting their Synology Network Attached Storage devices were performing poorly and had a high CPU usage. Eventually, an investigation revealed the situation was being caused by malware that had infected the systems.

In a comedic twist, the malware was stored in a folder named ‘PWNED.’

“To date, this incident is the single most profitable, illegitimate mining operation,” blogged Dell SecureWorks’ Counter Threat Unit researchers David Shear and Pat Litke. “This conclusion is based in part on prior investigations and research done by the Counter Threat Unit, as well as further searching of the Internet. As cryptocurrencies continue to gain momentum, their popularity as a target for various malware will continue to rise.”

According to the researchers, a hacker took advantage of vulnerabilities in the DiskStation Manager (DSM), a custom Linux-based operating system for Synology NAS systems. The vulnerabilities allowed the attacker to breach the system and get administrative privileges.

“Andrea Fabrizi disclosed these in September of 2013,” according to Dell SecureWorks. “In his disclosure, Fabrizi detailed which versions of the DSM were affected. According to Synology, patches for the vulnerabilities were released shortly after their disclosure. They also released a patch in February 2014 to help affected users resolve any issues stemming from the vulnerabilities. Further information on the release can be found on their website.”

In their investigation, the researchers were able to track down a few leads on the source of the attacks.

“Tracking a threat actor is frequently a wild goose chase that leads down many rabbit holes,” according to Dell SecureWorks. “In this case, we started our investigation by looking at the username found in the configuration file “foilo.root3”. Scouring Google brought back several interesting results, namely the threat actor’s Github and BitBucket account. In browsing through some of the hacker’s publicly available code, it becomes quite clear that “Foilo” is not new to the world of exploitation and malware.”

Advertisement. Scroll to continue reading.

“By correlating some of the strings found in other configurations posted around the net (as this breach was coming to light), coupled with his BitBucket page, the findings strongly indicate that the threat actor is of German descent,” the researchers noted. “Regardless of whom he actually is, the fact that he has been able to amass well over $600,000 USD speaks entirely for itself.”

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cyberwarfare

An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.