US$620,000 snatched by German hacker ‘Folio’, we’re told
Dell says skilled attackers have made a staggering $620,000 in the Dogecoin crypto-currency by exploiting vulnerable Synology network attached storage (NAS) boxes.
The clever hackers pulled off the largest heist of its kind by planting mining gear on the NAS boxes to borrow their computational might – many NAS now boast grunty multi-core CPUs – to seek out coins.
Scores of unpatched Synology boxes were infected and continued to mine Dogecoins for the assailants.
It took just two months for the attackers to accrue 500 million coins worth US$620,000, Dell Secureworks researcher Pat Litke (@LitkeP) wrote in a post.
“To date, this incident is the single most profitable, illegitimate mining operation,” Litke wrote.
“This conclusion is based in part on prior investigations and research done by [Secureworks], as well as further searching of the internet.”
Secureworks’ analysis suggests an experienced hacker, likely of German descent and using the alias Folio, was behind the Dogecoin mining spree.
In a brazen stunt, Folio stored the mining gear in a folder labelled PWNED, a move that could have foiled the plans earlier should forum warnings have been reported by the press.
Users first reported the attacks on web forums in February after noticing the folder and a drop in NAS performance due to the resource-sucking mining operation.
While the coin mining was not itself illegal, the act of hacking the NAS boxes and pilfering their compute resources was.
Yet users remained vulnerable to a string of more dangerous attacks due to the five-month-long exposure of Synology NASes to very serious vulnerabilities within the Linux-based DiskStation Manager. These included unauthenticated remote file downloading and a command-injection flaw.
Vulnerable servers could be found using only an advanced Google search (Google dorking) with keywords which could drop attackers right into exposed Synology NASes.
“Back in October of 2013, simply Googling for ‘site:Synology.me’ resulted in excess of one million results. By going to ‘something.Synology.me’, the user is routed directly to their NAS,” Litke said.
Awareness of the flaws grew and by March this year the SANS Internet Storm Centre reported a spike in scans against port 5000, which was the default listener for Synology NASes.
The Reg approached Synology for comment, but the company had not replied as this article went to press. ®
Updated to add
A Synology spokesman has got in touch to say: “In September, under DSM [DiskStation Manager] 4.3 and 4.2, we were alerted to the Bitcoin and Dogecoin-mining malware. On September 23, our developers squashed the bug for those who updated their DSM.
“In February, we released a patch for DSM 5.0 beta to resolve the issue. In February we also began getting a lot of support tickets for mining that happened on units that had not updated their DSM. The result: we made auto-updates the default behavior for the OS. We’ve been updating regularly, because we are now targets.”