A hacker, well-versed in malware and exploit development, took advantage of vulnerabilities in Synology network-attached storage (NAS) boxes popular with home users to mine more than $600,000 worth of the digital currency Dogecoin.
Researchers Pat Litke and David Shear of Dell SecureWorks’ Counter Threat Unit published details of the attack, which exploited four vulnerabilities in the Linux-based DiskStation Manager (DSM) operating system the Synology boxes run. The bugs were reported last September and patched in February.
The attacks became public on Feb. 8 when users reported poor performance and high CPU usage, Litke and Shear said.
“Ultimately, it was discovered that the cause of the excessive resource consumption was due to illegitimate software that had infected the systems, which ironically, was stored in a folder labeled ‘PWNED,’” they said.
The vulnerabilities were serious, and users were exposed for five months. Researcher Andrea Fabrizi reported the issues on Sept. 10. The bugs included a remote file download issue, in which authenticated users could download any file, including password files, owned by other DSM users; a command-injection vulnerability; and two issues that allowed partial remote content downloads.
Litke and Shear said that using an advanced Google search, attackers could find close to a million returns for vulnerable Synology NAS boxes and often could be directed right to the box’s file system.
Between Feb. 1 and May 9, scans for port 5000, the same port on which Synology NAS boxes listen, rose to unprecedented levels, the SANS Internet Storm Center said.
Litke and Shear, meanwhile, were able to pry open the ‘Pwned’ folder found on compromised boxes and it didn’t take them long to figure out that the hackers were mining cryptocurrency. The attacker had dropped CPUMiner malware that had been tweaked for Synology NAS hardware. The malware opened a backdoor and connected over port 8332 to a remote server, Litke and Shear said.
“This address was not known to any publicly available mining pools,” they said, “and was thus likely a private pool used by the threat actor for personal gain.”
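The three indicators the researchers describe, a folder named PWNED, a CPU-hungry miner process and an outbound connection to port 8332, translate directly into a triage check a DSM owner can run. The script below is an added example, not code from the SecureWorks write-up; the `ps`, socket and directory listings it scans are constructed sample data, and on a live box you would feed it the real command output instead.

```shell
#!/bin/sh
# Triage helper for the indicators reported in the Synology mining incident.
# Added example, not SecureWorks code; all sample output below is CONSTRUCTED.

# Constructed `ps`-style output: PID, %CPU, command name.
SAMPLE_PS='PID   %CPU COMMAND
1      0.0 init
812    0.3 synoscgi
2044  97.5 minerd'

# Constructed socket listing: proto, local address, foreign address, state.
SAMPLE_NET='Proto Local-Address       Foreign-Address     State
tcp   192.168.1.20:34112  203.0.113.9:8332    ESTABLISHED
tcp   192.168.1.20:5000   192.168.1.7:51112   ESTABLISHED'

# Constructed listing of a DSM volume root, one directory per line.
SAMPLE_DIRS='@appstore
homes
PWNED
music'
# Indicator 1: a directory named PWNED (the folder the infected boxes carried).
check_pwned_dir() {
    printf '%s\n' "$1" | grep -iqx 'PWNED' && echo "finding: directory named PWNED"
}

# Indicator 2: a process pegging the CPU, or the cpuminer binary name minerd.
check_miner_process() {
    printf '%s\n' "$1" | awk 'NR > 1 && ($2 + 0 >= 90 || $3 == "minerd") {
        found = 1; print "finding: process " $3 " at " $2 "% CPU" }
        END { exit !found }'
}

# Indicator 3: an established connection to remote port 8332.
check_pool_connection() {
    printf '%s\n' "$1" | awk 'NR > 1 && $3 ~ /:8332$/ && $4 == "ESTABLISHED" {
        found = 1; print "finding: connection to " $3 " (port 8332)" }
        END { exit !found }'
}

# Runs all three checks; leaves the hit count in INDICATORS (0 = none seen).
triage() {
    INDICATORS=0
    check_miner_process "$1" && INDICATORS=$((INDICATORS + 1))
    check_pool_connection "$2" && INDICATORS=$((INDICATORS + 1))
    check_pwned_dir "$3" && INDICATORS=$((INDICATORS + 1))
    echo "indicators found: $INDICATORS"
}

triage "$SAMPLE_PS" "$SAMPLE_NET" "$SAMPLE_DIRS"
```

Any single hit is worth a closer look; all three together match the picture the researchers found on the compromised boxes.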
The researchers were able to find evidence of a cryptocurrency blockchain in a code string, as well as the botmaster’s public key that matched a particular Dogecoin wallet.
“By exploring the Dogecoin block chain for this address (as well as one other), we were able to tally a total mined value of over 500 Million Doge, or roughly $620,496 USD (the bulk of which was earned in January and February of this year),” Litke and Shear wrote.
“To date, this incident is the single most profitable, illegitimate mining operation. This conclusion is based in part on prior investigations and research done by the Counter Threat Unit, as well as further searching of the Internet,” they said. “As cryptocurrencies continue to gain momentum, their popularity as a target for various malware will continue to rise.”
Given the popularity and profit potential of Bitcoin and other cryptocurrencies, it’s natural that hackers might turn their attention to illicit mining. A number of incidents have been reported, even a less-than-feasible venture using the CoinKrypt malware on Android devices to mine Litecoin and Dogecoin. Mobile devices don’t have the processing power and resources of desktop machines and servers, for example, making the CoinKrypt venture little more than a nuisance.