Researchers at Dell SecureWorks have uncovered a massive Dogecoin mining operation using Synology Network Attached Storage (NAS) boxes.
The operation is believed to have netted a hacker more than $600,000 in the past two months. The situation came to light in February when users began reporting that their Synology Network Attached Storage devices were performing poorly and showing high CPU usage. An investigation eventually revealed that the cause was malware that had infected the systems.
In a comedic twist, the malware was stored in a folder named ‘PWNED.’
“To date, this incident is the single most profitable, illegitimate mining operation,” blogged Dell SecureWorks’ Counter Threat Unit researchers David Shear and Pat Litke. “This conclusion is based in part on prior investigations and research done by the Counter Threat Unit, as well as further searching of the Internet. As cryptocurrencies continue to gain momentum, their popularity as a target for various malware will continue to rise.”
According to the researchers, a hacker took advantage of vulnerabilities in the DiskStation Manager (DSM), a custom Linux-based operating system for Synology NAS systems. The vulnerabilities allowed the attacker to breach the system and get administrative privileges.
“Andrea Fabrizi disclosed these in September of 2013,” according to Dell SecureWorks. “In his disclosure, Fabrizi detailed which versions of the DSM were affected. According to Synology, patches for the vulnerabilities were released shortly after their disclosure. They also released a patch in February 2014 to help affected users resolve any issues stemming from the vulnerabilities. Further information on the release can be found on their website.”
In their investigation, the researchers were able to track down a few leads on the source of the attacks.
“Tracking a threat actor is frequently a wild goose chase that leads down many rabbit holes,” according to Dell SecureWorks. “In this case, we started our investigation by looking at the username found in the configuration file, ‘foilo.root3’. Scouring Google brought back several interesting results, namely the threat actor’s GitHub and BitBucket accounts. In browsing through some of the hacker’s publicly available code, it becomes quite clear that ‘Foilo’ is not new to the world of exploitation and malware.”
“By correlating some of the strings found in other configurations posted around the net (as this breach was coming to light), coupled with his BitBucket page, the findings strongly indicate that the threat actor is of German descent,” the researchers noted. “Regardless of who he actually is, the fact that he has been able to amass well over $600,000 USD speaks entirely for itself.”