Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Hacker Builds Massive Dogecoin Mining Operation With Synology NAS Boxes

Researchers at Dell SecureWorks have uncovered a massive Dogecoin mining operation using Synology Network Attached Storage (NAS) boxes.

Researchers at Dell SecureWorks have uncovered a massive Dogecoin mining operation using Synology Network Attached Storage (NAS) boxes.

The operation is believed to have netted a hacker more than $600,000 in the past two months. The situation came to light in February when users began reporting their Synology Network Attached Storage devices were performing poorly and had a high CPU usage. Eventually, an investigation revealed the situation was being caused by malware that had infected the systems.

In a comedic twist, the malware was stored in a folder named ‘PWNED.’

“To date, this incident is the single most profitable, illegitimate mining operation,” blogged Dell SecureWorks’ Counter Threat Unit researchers David Shear and Pat Litke. “This conclusion is based in part on prior investigations and research done by the Counter Threat Unit, as well as further searching of the Internet. As cryptocurrencies continue to gain momentum, their popularity as a target for various malware will continue to rise.”

According to the researchers, a hacker took advantage of vulnerabilities in the DiskStation Manager (DSM), a custom Linux-based operating system for Synology NAS systems. The vulnerabilities allowed the attacker to breach the system and get administrative privileges.

“Andrea Fabrizi disclosed these in September of 2013,” according to Dell SecureWorks. “In his disclosure, Fabrizi detailed which versions of the DSM were affected. According to Synology, patches for the vulnerabilities were released shortly after their disclosure. They also released a patch in February 2014 to help affected users resolve any issues stemming from the vulnerabilities. Further information on the release can be found on their website.”

In their investigation, the researchers were able to track down a few leads on the source of the attacks.

“Tracking a threat actor is frequently a wild goose chase that leads down many rabbit holes,” according to Dell SecureWorks. “In this case, we started our investigation by looking at the username found in the configuration file “foilo.root3”. Scouring Google brought back several interesting results, namely the threat actor’s Github and BitBucket account. In browsing through some of the hacker’s publicly available code, it becomes quite clear that “Foilo” is not new to the world of exploitation and malware.”

Advertisement. Scroll to continue reading.

“By correlating some of the strings found in other configurations posted around the net (as this breach was coming to light), coupled with his BitBucket page, the findings strongly indicate that the threat actor is of German descent,” the researchers noted. “Regardless of whom he actually is, the fact that he has been able to amass well over $600,000 USD speaks entirely for itself.”

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

DARPA veteran Dan Kaufman has joined Badge as SVP, AI and Cybersecurity.

Kelly Shortridge has been promoted to VP of Security Products at Fastly.

After the passing of Amit Yoran, Tenable has appointed Steve Vintz and Mark Thurmond as co-CEOs.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.