NAS Boxes “Pwned” by Crypto Currency Miner
Attacker managed to rake in over $600,000 (443,016 EUR) in digital money
A hacker leveraged vulnerabilities in the DiskStation Manager (DSM) operating system that powers Synology network-attached storage boxes to plant a digital currency miner that earned more than $600,000 (443,016 EUR) in crypto currency.
The security flaws that allowed the hacker to gain unauthorized administrative privileges on the network-attached storage (NAS) boxes had been disclosed by security researcher Andrea Fabrizi back in September 2013.
NAS devices are generally intended to operate as file servers on a network, allowing files to be shared between computers.
Synology released a fix in 2013 for an issue in DSM that permitted unauthorized remote reading and writing on the NAS devices, and another update that targeted the symptoms caused by the hidden crypto mining utility.
An analysis conducted by SecureWorks showed that the configuration file of the threat, placed in a folder called “PWNED,” contained plenty of parameters hinting at crypto currency mining.
Further investigation revealed that the malware was CPUMiner, modified to work on this specific type of device.
Since mining for digital currency requires vast amounts of resources, the main symptom of the infection was high CPU usage, as noted by the victims, who reported the issue to Synology representatives on Facebook.
“CPUMiner connected out to a server located at '126.96.36.199' on port 8332. This address was not known to any publicly available mining pools, and was thus likely a private pool used by the threat actor for personal gain,” notes the SecureWorks report.
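One way a defender could look for the network indicator quoted above, an outbound connection to port 8332, on a Linux-based NAS is to parse `/proc/net/tcp`. This is an added example, not code from SecureWorks or Synology; the sample table is constructed with documentation addresses, the function names are hypothetical, and a little-endian host is assumed.

```python
import socket
import struct

MINER_PORT = 8332  # pool port named in the SecureWorks quote
# Only states that represent an active or attempted connection are of interest.
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT"}

# Constructed sample in /proc/net/tcp layout (not captured from a real device).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1389 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 1401A8C0:C000 077100CB:208C 01 00000000:00000000 00:00000000 00000000     0        0 1002
   2: 1401A8C0:C001 0A6433C6:01BB 01 00000000:00000000 00:00000000 00000000     0        0 1003
"""


def decode_endpoint(field):
    """Turn 'HEXADDR:HEXPORT' into (dotted IPv4, port).

    Assumption: the kernel printed the address on a little-endian host.
    """
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)


def find_miner_connections(proc_net_tcp_text, port=MINER_PORT):
    """Return connections whose remote port matches the miner pool port."""
    hits = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 10 or cols[3] not in TCP_STATES:
            continue  # malformed row, listener, or closed socket
        remote = decode_endpoint(cols[2])
        if remote[1] == port:
            hits.append({
                "local": decode_endpoint(cols[1]),
                "remote": remote,
                "state": TCP_STATES[cols[3]],
                "inode": cols[9],  # match against /proc/<pid>/fd to find the process
            })
    return hits


if __name__ == "__main__":
    for hit in find_miner_connections(SAMPLE_PROC_NET_TCP):
        print(hit)
```

On a live device, pass the contents of `/proc/net/tcp` instead of the sample; a hit is a lead to investigate alongside the high CPU usage and the “PWNED” folder, not proof of infection on its own.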
Digging deeper into the issue, the researchers managed to find an encoded representation of a block chain, which revealed that the objective of the attacker was not to create bitcoins, but an equivalent called Dogecoin.
Dogecoin is also a decentralized, peer-to-peer digital currency that can be used for sending money online.
The SecureWorks boffins found the attacker’s public key that corresponded to a specific Dogecoin wallet address, identified as “D9cDqmVjYXdeDjMtXSV7Z3LgiHvRZ12bPX.”
“By exploring the Dogecoin block chain for this address (as well as one other), we were able to tally a total mined value of over 500 Million Doge, or roughly $620,496 USD (the bulk of which was earned in January and February of this year),” reads their conclusion.
After checking the threat's configuration file and searching online for the details found in it, the researchers say there are strong indications that the bad actor in this case is of German descent and has accounts on GitHub and Bitbucket.