Researchers at Dell SecureWorks have uncovered a massive Dogecoin mining operation using Synology Network Attached Storage (NAS) boxes.
The operation is believed to have netted a hacker more than $600,000 in the past two months. The situation came to light in February when users began reporting their Synology Network Attached Storage devices were performing poorly and had a high CPU usage. Eventually, an investigation revealed the situation was being caused by malware that had infected the systems.
In a comedic twist, the malware was stored in a folder named ‘PWNED.’
“To date, this incident is the single most profitable, illegitimate mining operation,” blogged Dell SecureWorks’ Counter Threat Unit researchers David Shear and Pat Litke. “This conclusion is based in part on prior investigations and research done by the Counter Threat Unit, as well as further searching of the Internet. As cryptocurrencies continue to gain momentum, their popularity as a target for various malware will continue to rise.”
According to the researchers, a hacker took advantage of vulnerabilities in the DiskStation Manager (DSM), a custom Linux-based operating system for Synology NAS systems. The vulnerabilities allowed the attacker to breach the system and get administrative privileges.
“Andrea Fabrizi disclosed these in September of 2013,” according to Dell SecureWorks. “In his disclosure, Fabrizi detailed which versions of the DSM were affected. According to Synology, patches for the vulnerabilities were released shortly after their disclosure. They also released a patch in February 2014 to help affected users resolve any issues stemming from the vulnerabilities. Further information on the release can be found on their website.”
In their investigation, the researchers were able to track down a few leads on the source of the attacks.
“Tracking a threat actor is frequently a wild goose chase that leads down many rabbit holes,” according to Dell SecureWorks. “In this case, we started our investigation by looking at the username found in the configuration file “foilo.root3”. Scouring Google brought back several interesting results, namely the threat actor’s Github and BitBucket account. In browsing through some of the hacker’s publicly available code, it becomes quite clear that “Foilo” is not new to the world of exploitation and malware.”
“By correlating some of the strings found in other configurations posted around the net (as this breach was coming to light), coupled with his BitBucket page, the findings strongly indicate that the threat actor is of German descent,” the researchers noted. “Regardless of whom he actually is, the fact that he has been able to amass well over $600,000 USD speaks entirely for itself.”
More from Brian Prince
- U.S. Healthcare Companies Hardest Hit by ‘Stegoloader’ Malware
- CryptoWall Ransomware Cost Victims More Than $18 Million Since April 2014: FBI
- New Adobe Flash Player Flaw Shares Similarities With Previous Vulnerability: Trend Micro
- Visibility Challenges Industrial Control System Security: Survey
- Adobe Flash Player Zero-Day Exploited in Attack Campaign
- Researchers Demonstrate Stealing Encryption Keys Via Radio
- Researchers Uncover Critical RubyGems Vulnerabilities
- NSA, GCHQ Linked to Efforts to Compromise Antivirus Vendors: Report
Latest News
- Ferrari Says Ransomware Attack Exposed Customer Data
- Aembit Scores $16.6M Seed Funding for Workload IAM Technology
- Millions Stolen in Hack at Cryptocurrency ATM Manufacturer General Bytes
- Waterfall Security, TXOne Networks Launch New OT Security Appliances
- Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
- NBA Notifying Individuals of Data Breach at Mailing Services Provider
- Adobe Acrobat Sign Abused to Distribute Malware
- New York Man Arrested for Running BreachForums Cybercrime Website
