NAS device botnet mined $600,000 in Dogecoin over two months

Insecure NAS boxes have landed a hacker a small fortune in cryptocurrency.
Written by Liam Tung, Contributing Writer

A vulnerability in a network attached storage (NAS) system allowed hackers to establish what's thought to be the most profitable illegal cryptocurrency mining operation to date.

Why sweat your own hardware to mine cryptocurrencies when you can hijack someone else's hardware to get the job done? That's what one crafty hacker did earlier this year to generate 500 million Dogecoin — one of many Bitcoin alternatives

One of the reasons it's become a popular currency for botnet mining operations is the relative ease with which the currency can be mined, compared to Bitcoin, which requires purpose-built ASICs for mining.

It's not the first time that nefarious mining operations have been set up: scammers behind Android malware that Google yanked from the Play store earlier this year used hijacked smartphones to mine "thousands" of Dogecoin. But the Android effort was nothing compared to NAS mining network, according to a security researcher at Dell's SecureWorks, who said this illegitimately acquired mining operation is the "single most profitable" to date, earning its operator an estimated $600,000 over two months earlier this year.

The key to the entire operation were four security vulnerabilities in the Linux-based OS running on a NAS box by Taiwanese manufacturer Synology. As SecureWorks' researcher Pat Litke notes, the flaws were made public in September 2013, but while Synology issued patches for them shortly after their disclosure, the bulk of the currency was mined between January and February this year.

Synology in February released a further patch addressing issues stemming from the vulnerabilities, shortly after one user complained on Facebook about finding "PWNED processes using up all CPU" on his device.

After digging into the malware samples found in the "PWNED" folder, Litke found a miner called CPUMiner that had been compiled for Synology devices. CPUminer is a legitimate miner but it's been co-opted numerous times by hackers in illegitimate distributed mining operations.

While the hacker's identity isn't known, the researcher was able to calculate the operation's earnings after acquiring the Dogecoin wallet and finding that they've run other mining operations previously.

"By exploring the Dogecoin block chain for this address (as well as one other), we were able to tally a total mined value of over 500 million Doge, or roughly $620,496 USD (the bulk of which was earned in January and February of this year)," wrote Litke.

"Tracking a threat actor is frequently a wild goose chase that leads down many rabbit holes. In this case, we started our investigation by looking at the username found in the configuration file 'foilo.root3'. Scouring Google brought back several interesting results, namely the threat actor's Github and BitBucket account. In browsing through some of the hacker's publicly available code, it becomes quite clear that 'Foilo' is not new to the world of exploitation and malware."

Read more on security

Editorial standards