$600,000 in Dogecoin Lifted From Server with NAS Hack

Earlier this week roughly $600,000 in Dogecoin (a popular alternative to Bitcoin which first arose out of a meme from the news aggregation website Reddit), was illegitimately mined in an underground cryptocurrency hashing operation which spanned hundred of different computers from all over the globe.


Photo: Dogecoin.com

The hackers were able to break into so many different machines at once by using the network attached storage system, or NAS, and successfully lifted out the largest cache of cryptocurrency cash to date.

Dogecoin first gained traction due to its comparatively simple mining process, which can be run on almost any kind of machine or device you can think of, opposed to Bitcoin which requires cards and processors that are custom-built to keep the operation running and profitable.

This isn’t the only instance of this type of crack we’ve seen before either, with several different Android mining botnets being compromised in just the past year alone. Google has been vigilant in their efforts to thin out the massive herds of malware-laced apps currently plaguing all four corners of their Play Store, likely because many of these programs that eventually find their way onto users phones are designed to utilize any unspent memory or CPU from a mobile device to mine cryptocurrency, and then siphon it back to a command server back at the hacker’s home base.

An analyst from Dell’s SecureWorks verified the attack and dubbed it the “single most profitable ever”, easily eclipsing anything that the more prolific Bitcoin has lost in one go and showing that just because there’s fruit hanging on the lowest part of the tree doesn’t mean you should always be the first one to grab for it.

By exploiting a vulnerability found in NAS boxes running a Linux-based OS made by Taiwanese manufacturer Synology, the hackers (who remain at large) were able to backdoor countless systems at once by hunting down un-patched machines and targeting them with trawlers normally reserved for creating and expanding botnets.

As SecureWorks’ researcher Pat Litke notes, the flaws were made public in September 2013, but while Synology issued patches for them shortly after their disclosure, the bulk of the currency was mined between January and February this year.

“By exploring the Dogecoin block chain for this address (as well as one other), we were able to tally a total mined value of over 500 million Doge, or roughly $620,496 USD (the bulk of which was earned in January and February of this year),” wrote Litke.

“Tracking a threat actor is frequently a wild goose chase that leads down many rabbit holes. In this case, we started our investigation by looking at the username found in the configuration file ‘foilo.root3’. Scouring Google brought back several interesting results, namely the threat actor’s Github and BitBucket account. In browsing through some of the hacker’s publicly available code, it becomes quite clear that ‘Foilo’ is not new to the world of exploitation and malware.”