Hacker mines $620K in cryptocurrency under victims' noses

A German hacker generated more than $620,000 in cryptocurrency after hijacking an unknown number of network storage devices and turning them into digital slaves to mine Dogecoin, researchers said today.

"This wasn't unique, we've seen other malware install [cryptocurrency] miners, but we haven't seen anything this big before," said Pat Litke, a researcher at Dell SecureWorks' Counter Threat Unit (CTU). "That was mostly due to the infection vector. He could just walk in the door."

Litke and David Shear, a network security analyst also with SecureWorks, were referring to vulnerabilities in network-attached storage (NAS) systems manufactured by Taiwan-based Synology that the hacker exploited before planting a customized cryptocurrency miner on the devices.

Synology had issued patches for the vulnerabilities shortly after the flaws were made public last September; the hacked NAS systems had not been updated with the fixes.

Unpatched NAS devices were found and exploited, and then their computing and graphical horsepower -- the boxes were computers in all but name -- were set to work generating Dogecoins, an alternative to the better known Bitcoin. Within months, the hacker's network of compromised devices mined over 500 Million Doge, or just over $620,000, Litke said.

Hackers have long targeted cryptocurrency with specialized malware, but almost all of their efforts have targeted existing digital money, primarily Bitcoins, stored in virtual "wallets." In February, Litke and Joe Stewart, director of SecureWorks' malware research, presented their findings on the rapid increase in cryptocurrency-stealing malware at the RSA Conference.

Planting malware to actually create digital funds, however, is a relatively new development, said Litke, and the evidence they collected on the Synology NAS-hijacking showed how lucrative the practice can be. That bodes ill.

"It will become fairly commonplace, even as an afterthought, for [cyber criminals] to add malware miners [to their payloads]," said Shear, who expects other cyber criminals to quickly adopt the strategy. "We're kind of already there. With a big enough botnet, and we're talking big, they could out-hash anyone."

SecureWorks also dug up some other interesting elements of the NAS hijack, including the native language of the hacker (or hackers), and the fact that the mining of Dogecoins couldn't have been exclusively from the compromised storage devices.

The username the firm's researchers found in the malware's configuration file led them to other digital bits, including a Github account, while multiple hacker forums showed that the hacker communicated exclusively in German.

And the Synology NAS systems weren't the only devices mining for ill-gotten gains, said Litke. "It had to be more than just the NAS boxes," he said, citing tests he and Shear had done on a Synology system to determine how efficient it was in creating Dogecoins. Combining that with other clues they uncovered, they determined that the NAS devices had to have had help, probably from hijacked PCs.

"It's not feasible that the NAS boxes did this alone," Litke concluded. "That means there was other hashing power at play. But what those were, how many there were, how many boxes there were, we can't tell."

Although the Synology devices came to the attention of SecureWorks because users reported that their systems were consuming a high number of CPU cycles, attackers could easily modify their code to be more surreptitious, making it harder for victims to notice that their machines, PCs or otherwise, were secretly working on someone else's behalf.

"We've seen malware that can detect when the system is being used, and then throttle back," said Litke. "Then when the device becomes idle again, the malware throttles up."

That kind of behavior has long been used by legitimate software, including projects that rely on the collective power of large numbers of PCs to do heavy computational lifting. The SETI@home initiative, for example, has used more than a million PCs -- whose owners have opted in by downloading and installing a small program -- to analyze radio telescope data in the search for signs of extraterrestrial intelligence. That software would engage only when the host system was idle.

SecureWorks has published more information about the Synology NAS hijacking on its website.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.

See more by Gregg Keizer on Computerworld.com.

Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Topic Center.