ISU has 10 servers manufactured by Taiwanese hardware company Synology, five of which were subject to the attack disclosed Tuesday.
The infected servers stored the Social Security information of nearly 30,000 students. It remains unclear whether that information was compromised.
Unprotected Synology devices all over the world are uniquely susceptible to certain types of automated malicious software, one of which is called “minerd,” a binary code that ISU Information Security Officer Andy Weisskopf found in five of the 10 Synology servers on campus.
Both the University of Iowa and the University of Northern Iowa use Synology servers. UI has 10. There is only one Synology server at UNI, which Chief Information Officer Shashi Kaparthi said is brand new and fully upgraded with all the latest patches.
The “minerd” malware found at ISU is designed to target and harness the computing power of Synology devices specifically for the “mining” of a digital currency called bitcoin. The bug slows all Internet traffic over the servers to a crawl, which Weisskopf said was his first indication something was wrong.
Synology identified the weakness in its systems late last year, and released a software patch for the problem Feb. 14.
Weisskopf said the ISU servers were upgraded shortly after, but the breach wasn’t resolved until later due to a defense mechanism built into the malware.
“Part of the rootkit that was installed on these boxes interfered with the patching process, so we had to go back and make manual patches after we discovered that they had been compromised,” Weisskopf said. “It was smart enough to protect itself.”
The five infected Synology servers at ISU have been removed and destroyed. The five uninfected ones have been taken offline, and the school is looking for replacements.
It’s unclear if the 10 Synology servers at UI have been upgraded with the Feb. 14 patch. Steve Fleagle, UI’s chief information officer, said the servers do not contain sensitive information.
“We work with campus users to keep all IT devices up to date with current software, and as a result of the recent ISU breach we are double checking all the Synology devices to make sure they have the latest software,” Fleagle said.
The chink in Synology’s armor was identified by Johannes B. Ullrich of the SANS Technology Institute earlier this month. Ullrich first observed the malware scanning for vulnerable Synology devices in the small DVR computers of networked surveillance cameras, and later in an Internet router.
He elaborated in an email to the Courier, noting a software patch may not be the end of Synology’s troubles.
“If a Synology device is exposed to the Internet, an attacker may be able to guess the password,” Ullrich said. “In this case, the attacker would gain full access to a system even after it has been patched.”
Malware packages like “minerd” invade digital systems and enslave their computing power into a loose network of other infected devices called a botnet.
Given the automated nature of the attack, Weisskopf said, it is possible ISU’s servers were indeed conscripted into a larger botnet, in this case built for the purpose of boosting a bitcoin miner’s operation.
Bitcoin mining is a complicated, competitive and potentially lucrative practice. According to bitcoinexchangerate.org, a single bitcoin in today’s marketplace is worth roughly $487 in U.S. currency.
To generate bitcoins requires an enormous amount of computing power. This can be done by legitimate or illegitimate means, the ISU breach being an example of the latter.
It’s unclear if any bitcoins were generated in the hack of ISU’s Synology servers.
“These aren’t very powerful boxes, so I’m not sure how effective they would have been at bitcoin mining,” Weisskopf said. “At least not individually. If you aggregate together thousands and thousands of these across the Internet, you probably start to get somewhere.”
Finding the attacker will likely be difficult. Malicious codes like minerd can easily be downloaded online and deployed with minimal knowledge from most desktop computers, according to Ullrich.
Weisskopf said he and other IT specialists in partnership with law enforcement have been combing through the infected servers’ traffic logs in search of anything out of the ordinary. They have yet to identify the origin of the attack. Since the servers were connected to the Internet, it could have come from anywhere.
Weisskopf said ISU has contacted the Federal Bureau of Investigations about the hack. If the hacker is found, it will raise some interesting legal and proprietary questions. For instance, if ISU’s servers successfully generated bitcoins as a result of the attack, who would it legally belong to?
“I don’t know what we’d do then,” Weisskopf said. “Maybe we get the FBI to go confiscate our bitcoin for us.”
©2014 Waterloo-Cedar Falls Courier (Waterloo, Iowa)
