If you have a device that connects to the internet on a regular basis, patch it. That’s the big-picture takeaway from today’s news of a hacker who convinced Synology DiskStations (a type of network-attached storage device) to mine more than 500 million Dogecoins for him — and made out with an estimated $620,000 in cash in the process. Much of the focus has been on the size of his haul, which may represent the largest sum of cash ever mined by unwitting dupes, but Synology got in touch with us to point out that hey — they actually patched the hole used by the hacker quite some time ago.
Synology was warned that this particular flaw existed on DiskStation Manager (DSM) 4.2 and 4.3 boxes and patched it on September 23. It sent out an update informing users of the need to update the software on their devices. In February, it released a patch to fix the same bug in the beta version of the DSM 5.0 OS. Since February, the company has seen a huge spike in reports and service tickets, again primarily from users who haven’t updated their software.
Synology confirms that they’re working with Dell to make certain they fully understand the issues and have made auto-OS updates the default DiskStation behavior to keep users from being reinfected. Company spokesperson Thadd Well told ExtremeTech that “All of this old news was the recent product of one of Dell’s research firms. We are every bit as concerned as Dell, and just like them have been on top of these and other long-gone issues. The security of our customers’ data is, sincerely, of the utmost importance to us.”
The hack itself has been traced to an individual with the online name “Foilo” with an interest in cryptocurrencies and security exploits. Right now, the Dell research team that first broke the story is assuming that he actually hacked a variety of devices. Even thousands of NAS boxes, which aren’t particularly high-powered, aren’t enough to have mined that many Dogecoins at current exchange rates. There’s no word on whether any Synology NASes were damaged by running flat-out for weeks or months on end, or if the company will replace them. This is one of the ugly gray areas of modern computing — if a company issues a patch, but customers aren’t aware of it, who bears responsibility for a data breach?
Author: Joel Hruska