Posted on December 11, 2018 at 4:35 PM
According to new reports, hackers seem to have started a massive campaign that focuses on Ethereum wallets and mining rigs that are left exposed on the internet. The campaign has been scanning the web for any sign of exposed Ethereum equipment for over a week, starting originally on Monday, December 3rd.
According to Bad Packets LLC co-founder, Troy Mursch, attackers are searching for devices that have vulnerable port 8545. This is a port that a lot of mining equipment and wallets use for searching for funds and mining-related data. This is done via a programmatic interface JSON-RPC, which is, theoretically, only exposed locally.
However, it appears that some mining equipment and wallets enable it on all interfaces, which means that the port is entirely unprotected, as the interface doesn’t come with a password set by default. Instead, users are responsible for creating one, which is something that a lot of them fail to do.
The vulnerability is an old problem
If the port is left exposed, and attackers detect it, they can send a number of commands to the interface and request that funds are removed from the address of the victim. While this is a rather serious issue, it is nothing new, as it was discovered back in August 2015, when Ethereum notified its users about this danger. On the occasion, users were recommended to take proper precautions, such as adding strong passwords or protecting themselves by filtering traffic via a firewall.
When it comes to wallet makers, a lot of them did keep the exposure of this port in mind and have even removed JSON-RPC interface completely. However, as this was a personal choice of each project and not a norm on the industry level, there are also many wallets that remain exposed.
Despite the Ethereum team’s warnings, many users failed to protect their devices and wallets. The large majority is also believed to be completely unaware of it. Back in 2015, Ethereum was still a new and small coin, and this was not such a big issue. However, in years since then, ETH grew, and the number of scans and hacking attacks followed. Scanning for this single port has been reported numerous times all around the world, even in the last 12 months.
Hackers are trying to make a profit while ETH still has value
According to China-based cybersecurity company called Qihoo 360 Netlab, one group that was noticed scanning for the port ended up stealing over $20 million in Ethereum. All of the scans have one thing in common, and that is that they occur whenever Ethereum price grows. The current scan, however, is an obvious exception, as ETH value is dropping, and is currently only $88 per coin.
Because of this, researchers believe that hackers are aiming to get as much as possible from Ethereum before its price drops further down.
After a Shodan search, researchers have established that there are around 4,700 exposed devices and wallets. Not only that but exploiting them is easy, as there are even free tools that can be used for doing so. And, while Ethereum exchange rate is down, the coin is still far from being worthless. As such, it will be targeted, and anyone who has failed to protect their mining gear and Ethereum wallet so far is advised to do so as soon as possible.