A German hacker generated more than $620,000 in cryptocurrency after hijacking an unknown number of network storage devices and turning them into digital slaves to mine Dogecoin, researchers said today.
"This wasn't unique, we've seen other malware install [cryptocurrency] miners, but we haven't seen anything this big before," said Pat Litke, a researcher at Dell SecureWorks' Counter Threat Unit (CTU). "That was mostly due to the infection vector. He could just walk in the door."
Litke and David Shear, a network security analyst also with SecureWorks, were referring to vulnerabilities in network-attached storage (NAS) systems manufactured by Taiwan-based Synology that the hacker exploited before planting a customized cryptocurrency miner on the devices.
Synology had issued patches for the vulnerabilities shortly after the flaws were made public last September; the hacked NAS systems had not been updated with the fixes.
Unpatched NAS devices were found and exploited, and then their computing and graphical horsepower -- the boxes were computers in all but name -- was set to work generating Dogecoins, an alternative to the better-known Bitcoin. Within months, the hacker's network of compromised devices mined over 500 million Doge, or just over $620,000, Litke said.
Hackers have long targeted cryptocurrency with specialized malware, but almost all of their efforts have targeted existing digital money, primarily Bitcoins, stored in virtual "wallets." In February, Litke and Joe Stewart, director of SecureWorks' malware research, presented their findings on the rapid increase in cryptocurrency-stealing malware at the RSA Conference.
Planting malware to actually create digital funds, however, is a relatively new development, said Litke, and the evidence they collected on the Synology NAS hijacking showed how lucrative the practice can be. That bodes ill.
"It will become fairly commonplace, even as an afterthought, for [cyber criminals] to add malware miners [to their payloads]," said Shear, who expects other cyber criminals to quickly adopt the strategy. "We're kind of already there. With a big enough botnet, and we're talking big, they could out-hash anyone."
SecureWorks also dug up some other interesting elements of the NAS hijack, including the native language of the hacker (or hackers), and the fact that the Dogecoin mining could not have come exclusively from the compromised storage devices.
The username the firm's researchers found in the malware's configuration file led them to other digital bits, including a Github account, while multiple hacker forums showed that the hacker communicated exclusively in German.
And the Synology NAS systems weren't the only devices mining for ill-gotten gains, said Litke. "It had to be more than just the NAS boxes," he said, citing tests he and Shear had done on a Synology system to determine how efficient it was in creating Dogecoins. Combining that with other clues they uncovered, they determined that the NAS devices had to have had help, probably from hijacked PCs.