Hacker Builds Massive Dogecoin Mining Operation With Synology NAS Boxes

Researchers at Dell SecureWorks have uncovered a massive Dogecoin mining operation using Synology Network Attached Storage (NAS) boxes.

The operation is believed to have netted a hacker more than $600,000 in the past two months. The situation came to light in February, when users began reporting that their Synology Network Attached Storage devices were performing poorly and showing high CPU usage. An investigation eventually revealed that the cause was malware that had infected the systems.

In a comedic twist, the malware was stored in a folder named ‘PWNED.’
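For administrators who want to check a Linux-based NAS for the two signs mentioned above (a directory named ‘PWNED’ and unexplained CPU load), the following POSIX shell helpers are an added example written for this page; they are not code from the article or from Dell SecureWorks. The `ps -eo pcpu,pid,user,comm` column format, the `/volume1` sample path and the process names in the embedded sample output are assumptions and constructed values, not indicators from the incident.

```shell
#!/bin/sh
# Added example (not from the article or Dell SecureWorks): a small triage
# helper for a Linux-based NAS such as one running DSM. It looks for the
# indicator the article names (a directory called "PWNED") and for
# processes using an unusually large share of CPU, the symptom users reported.

# find_pwned_dirs ROOT: print every directory named PWNED under ROOT.
find_pwned_dirs() {
    find "$1" -type d -name 'PWNED' 2>/dev/null
}

# count_pwned_dirs ROOT: number of PWNED directories found (0 means none).
count_pwned_dirs() {
    find_pwned_dirs "$1" | wc -l | tr -d ' '
}

# filter_high_cpu THRESHOLD: read `ps -eo pcpu,pid,user,comm` output on
# stdin and print the rows whose %CPU exceeds THRESHOLD. The header line
# (NR == 1) is skipped; "$1 + 0" forces numeric comparison.
filter_high_cpu() {
    awk -v t="$1" 'NR > 1 && ($1 + 0) > (t + 0) { print }'
}

# Constructed sample of ps output for an offline demonstration. The PIDs,
# user names and command names are made up; "unknown_bin" stands in for
# whatever unexpected process an operator might find.
SAMPLE_PS='%CPU   PID USER     COMMAND
  0.3     1 root     init
 98.7  4321 root     unknown_bin
  1.2  1200 admin    synoscgi'

# triage ROOT THRESHOLD: run both checks against the live system.
# Assumption: the NAS ships a ps that understands -eo (GNU procps does;
# some busybox builds do not).
triage() {
    root="$1"
    threshold="$2"
    echo "PWNED directories under $root: $(count_pwned_dirs "$root")"
    echo "Processes over ${threshold}% CPU:"
    ps -eo pcpu,pid,user,comm | filter_high_cpu "$threshold"
}

# Stand-alone demo on the constructed sample (prints the 98.7% row only).
printf '%s\n' "$SAMPLE_PS" | filter_high_cpu 50
```

On a real device you would call `triage /volume1 50` over SSH; a non-zero PWNED count or a long-running, unfamiliar process near 100% CPU is a reason to take the box offline, apply the vendor's DSM update and rebuild from a known-good state rather than simply deleting the folder.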

“To date, this incident is the single most profitable, illegitimate mining operation,” blogged Dell SecureWorks’ Counter Threat Unit researchers David Shear and Pat Litke. “This conclusion is based in part on prior investigations and research done by the Counter Threat Unit, as well as further searching of the Internet. As cryptocurrencies continue to gain momentum, their popularity as a target for various malware will continue to rise.”

According to the researchers, a hacker took advantage of vulnerabilities in the DiskStation Manager (DSM), a custom Linux-based operating system for Synology NAS systems. The vulnerabilities allowed the attacker to breach the system and get administrative privileges.

“Andrea Fabrizi disclosed these in September of 2013,” according to Dell SecureWorks. “In his disclosure, Fabrizi detailed which versions of the DSM were affected. According to Synology, patches for the vulnerabilities were released shortly after their disclosure. They also released a patch in February 2014 to help affected users resolve any issues stemming from the vulnerabilities. Further information on the release can be found on their website.”

In their investigation, the researchers were able to track down a few leads on the source of the attacks.

“Tracking a threat actor is frequently a wild goose chase that leads down many rabbit holes,” according to Dell SecureWorks. “In this case, we started our investigation by looking at the username found in the configuration file, ‘foilo.root3’. Scouring Google brought back several interesting results, namely the threat actor’s GitHub and BitBucket accounts. In browsing through some of the hacker’s publicly available code, it becomes quite clear that ‘Foilo’ is not new to the world of exploitation and malware.”

“By correlating some of the strings found in other configurations posted around the net (as this breach was coming to light), coupled with his BitBucket page, the findings strongly indicate that the threat actor is of German descent,” the researchers noted. “Regardless of who he actually is, the fact that he has been able to amass well over $600,000 USD speaks entirely for itself.”
