The rising value of cryptocurrency has undeniably lured hordes of people towards investing in the risky asset class, with the technically-informed going one step ahead to set up their own “mining rigs.” Hackers are not far behind, however, and often infiltrate computing systems to mine cryptocurrencies for themselves.
After Browser Mining, Hackers Target Miner Rigs
In a bid to swell their ill-gotten cryptocurrency holdings, hackers have targeted Ethereum mining rigs worldwide. The appeal is obvious: a dedicated rig, packed with GPUs, has far more hashing power than an ordinary computer, so hijacking one yields far more than hijacking a PC or a browser tab.
According to a report on Bleeping Computer, several security researchers observed a Satori botnet variant scanning for Ethereum miners on May 12, 2018. The report cited evidence that tens of thousands of IoT devices were involved in the mass attack.
The scans looked for TCP port 3333, the port on which the Claymore miner's remote management interface listens. That interface exists so operators can monitor and manage their rigs remotely; left reachable from the internet, it let the attackers reconfigure a victim's rig from afar. On May 11, 2018, Netlab researchers linked the port 3333 scanning to the Satori botnet and warned on Twitter:
Do you see port 3333 scan traffic going up? Satori botnet is scanning it now, see our Scanmon trend https://t.co/TyrL4ryt6J, and try a dns lookup for one of the control domain it is using now, dig any https://t.co/DM4JTtXFo3, I personally like yesterday's TXT result more pic.twitter.com/xXUjwjZNdD
— 360 Netlab (@360Netlab) May 11, 2018
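The kind of check the Netlab tweet is asking operators to run, written out as an added example (not code from the article, 360 Netlab or GreyNoise): it parses constructed iptables-style firewall log lines, counts distinct source addresses hitting TCP/3333 per hour, and flags an hour whose count jumps well above the running baseline. The log format, the floor of five sources and the factor of five over baseline are assumptions; the sample log is constructed, not captured traffic.

```python
"""Added example: flag a surge of distinct sources probing TCP/3333 in firewall
logs. Not code from the article, 360 Netlab or GreyNoise; the iptables-style
log format, the floor of 5 sources and the 5x-over-baseline factor are
assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: iptables-style DROP messages, not real traffic.
SAMPLE_LOG = """\
2018-05-10T14:02:11 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51022 DPT=3333 SYN
2018-05-10T15:40:03 fw kernel: DROP IN=eth0 SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP SPT=44011 DPT=22 SYN
2018-05-11T09:00:01 fw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=3333 SYN
2018-05-11T09:00:02 fw kernel: DROP IN=eth0 SRC=192.0.2.11 DST=203.0.113.5 PROTO=TCP SPT=40002 DPT=3333 SYN
2018-05-11T09:00:02 fw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40003 DPT=3333 SYN
2018-05-11T09:01:17 fw kernel: DROP IN=eth0 SRC=192.0.2.12 DST=203.0.113.5 PROTO=TCP SPT=40004 DPT=3333 SYN
2018-05-11T09:02:45 fw kernel: DROP IN=eth0 SRC=192.0.2.13 DST=203.0.113.5 PROTO=TCP SPT=40005 DPT=3333 SYN
2018-05-11T09:03:09 fw kernel: DROP IN=eth0 SRC=192.0.2.14 DST=203.0.113.5 PROTO=TCP SPT=40006 DPT=3333 SYN
2018-05-11T09:05:30 fw kernel: DROP IN=eth0 SRC=198.51.100.20 DST=203.0.113.5 PROTO=TCP SPT=40007 DPT=3333 SYN
2018-05-11T09:06:00 fw kernel: DROP IN=eth0 SRC=192.0.2.15 DST=203.0.113.5 PROTO=TCP SPT=40008 DPT=80 SYN
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) .*?SRC=(?P<src>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")


def parse_events(log_text):
    """Return (timestamp, source_ip, dest_port) for every TCP line that matches."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
        events.append((ts, m.group("src"), int(m.group("dpt"))))
    return events


def distinct_sources_per_hour(events, port=3333):
    """Count distinct source IPs per hour hitting `port`; one scanner retrying counts once."""
    buckets = defaultdict(set)
    for ts, src, dpt in events:
        if dpt == port:
            buckets[ts.replace(minute=0, second=0, microsecond=0)].add(src)
    return {hour: len(srcs) for hour, srcs in sorted(buckets.items())}


def detect_scan_surge(events, port=3333, min_sources=5, factor=5.0):
    """Flag hours whose distinct-source count is at least `min_sources` and at
    least `factor` times the mean of the earlier hours seen. Hours with no hits
    on the port are absent from the buckets, so the baseline errs high and the
    detector errs toward fewer alerts."""
    alerts, history = [], []
    for hour, n in distinct_sources_per_hour(events, port).items():
        baseline = sum(history) / len(history) if history else 0.0
        if n >= min_sources and n >= factor * baseline:
            alerts.append({"hour": hour.isoformat(), "distinct_sources": n, "baseline": baseline})
        history.append(n)
    return alerts


if __name__ == "__main__":
    for alert in detect_scan_surge(parse_events(SAMPLE_LOG)):
        print(f"{alert['hour']}: {alert['distinct_sources']} distinct sources on TCP/3333 "
              f"(baseline {alert['baseline']:.1f})")
```

Counting distinct sources rather than raw packets is the point: a botnet scan arrives from thousands of addresses a few packets each, which is exactly what a per-packet threshold tuned for a single noisy host would miss.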
The same day, GreyNoise Intelligence published its own analysis, showing that the scanning singled out rigs running Claymore's Ethereum miner. Rigs running other mining software were not targeted, which narrowed the scope of the incident considerably.
GreyNoise observed a large spike of TCP port 3333 scan traffic today. This is the default port for the "Claymore" dual Ethereum/Decred cryptocurrency miner. pic.twitter.com/5g6vVbPLNq
— GreyNoise Intelligence (@GreyNoiseIO) May 11, 2018
Claymore, a Widely Popular Mining Software
The choice of mining software to target was a well thought-out decision: Claymore's dual miner is used by individuals and enterprises alike to mine ether (ETH) and Decred simultaneously, so a single scanning campaign reaches a large share of the rigs on the internet.
As stated by GreyNoise:
“Once the attacker identifies a server running the Claymore software they push instructions to reconfigure the device to join the ‘dwarfpool’ mining pool and use the attacker’s ETH wallet.”
From then on, the rig's mining rewards flowed to the attacker's wallet instead of the owner's. An attentive operator would notice the changed pool and wallet in the miner's console output or the pool's dashboard and could revert the configuration.
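The check such an operator could automate, added here as an example (not code from the article, GreyNoise or the Claymore project): it parses a Claymore-style launch command line and an epools.txt file, compares pool and wallet against the operator's known values, and flags a remote management port left writable or without a password. The Claymore semantics it relies on (-epool and -ewal for pool and wallet; -mport as the management port, default 3333, with 0 disabling it and a negative value making it monitor-only; -mpsw for a password; and the epools.txt field layout) are stated from memory of Claymore's documentation and should be verified against the version in use. The wallet, the approved pool list and both sample configurations are constructed.

```python
"""Added example: audit a Claymore rig for pool/wallet hijack and an exposed
management port. Not code from the article, GreyNoise or Claymore.
Assumed Claymore semantics: -epool/-ewal select pool and wallet; -mport is
the remote management port (default 3333, writable; 0 disables it, a
negative value is monitor-only); -mpsw sets its password; epools.txt lines
look like 'POOL: host:port, WALLET: 0x..., PSW: x, WORKER: rig1, ESM: 0, ALLPOOLS: 0'.
"""
import shlex

# Constructed operator values: the owner's own wallet and approved pools.
EXPECTED_WALLET = "0x1111111111111111111111111111111111111111"
APPROVED_POOLS = {"eth-eu1.nanopool.org:9999", "eth-us-east1.nanopool.org:9999"}

# Constructed configurations: one as an operator would run it, one after the
# reconfiguration GreyNoise describes (pool and wallet swapped, management open).
CLEAN_CMD = ("EthDcrMiner64.exe -epool eth-eu1.nanopool.org:9999 "
             "-ewal 0x1111111111111111111111111111111111111111/rig1 -epsw x "
             "-mport -3333 -mpsw s3cret")
HIJACKED_CMD = ("EthDcrMiner64.exe -epool eth-eu.dwarfpool.com:8008 "
                "-ewal 0x2222222222222222222222222222222222222222 -epsw x -mport 3333")
HIJACKED_EPOOLS = """\
POOL: eth-eu.dwarfpool.com:8008, WALLET: 0x2222222222222222222222222222222222222222, PSW: x, WORKER: rig1, ESM: 0, ALLPOOLS: 0
"""


def normalize_wallet(value):
    """Strip worker/e-mail suffixes ('0xabc/rig1/me@x', '0xabc.rig1') and case."""
    return value.split("/")[0].split(".")[0].lower()


def parse_claymore_args(cmdline):
    """Map '-flag' -> value for a Claymore-style command line.
    A token is a value if it does not start with '-' or is a negative number
    (so '-mport -3333' parses correctly); flags with no value map to None."""
    tokens = shlex.split(cmdline)
    args, i = {}, 1  # skip the executable
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("-"):
            i += 1
            continue
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        is_value = nxt is not None and (not nxt.startswith("-") or nxt[1:].isdigit())
        args[tok] = nxt if is_value else None
        i += 2 if is_value else 1
    return args


def parse_epools(text):
    """Parse epools.txt into a list of {FIELD: value} dicts (assumed layout)."""
    entries = []
    for line in text.splitlines():
        fields = {}
        for part in line.split(","):
            if ":" in part:
                key, val = part.split(":", 1)
                fields[key.strip().upper()] = val.strip()
        if "POOL" in fields:
            entries.append(fields)
    return entries


def check_pool_and_wallet(pool, wallet, where, expected_wallet, approved_pools):
    findings = []
    if pool is not None and pool.lower() not in approved_pools:
        findings.append(f"{where}: unexpected pool {pool}")
    if wallet is not None and normalize_wallet(wallet) != expected_wallet.lower():
        findings.append(f"{where}: wallet {normalize_wallet(wallet)} is not the operator's")
    return findings


def audit_rig(cmdline, epools_text="", expected_wallet=EXPECTED_WALLET,
              approved_pools=APPROVED_POOLS):
    """Return a list of findings; an empty list means the rig looks untouched."""
    args = parse_claymore_args(cmdline)
    findings = check_pool_and_wallet(args.get("-epool"), args.get("-ewal"),
                                     "command line", expected_wallet, approved_pools)
    for n, entry in enumerate(parse_epools(epools_text), 1):
        findings += check_pool_and_wallet(entry.get("POOL"), entry.get("WALLET"),
                                          f"epools.txt entry {n}", expected_wallet, approved_pools)
    # Remote management: the interface the TCP/3333 scans were looking for.
    mport = int(args.get("-mport") or 3333)  # assumed default: 3333, writable
    if mport > 0:
        findings.append(f"management port TCP/{mport} is writable; use -mport 0 "
                        f"to disable it or -mport -{mport} for monitoring only")
        if not args.get("-mpsw"):
            findings.append("management port has no -mpsw password")
    return findings


if __name__ == "__main__":
    for name, cmd, pools in (("clean", CLEAN_CMD, ""), ("hijacked", HIJACKED_CMD, HIJACKED_EPOOLS)):
        print(name, audit_rig(cmd, pools) or ["no findings"])
```

The attackers in this campaign did not need a software bug, only a management interface that accepted writes from anyone who could reach it, so the management-port findings are the ones that matter even on a rig whose wallet still checks out. Run the audit from a scheduled task and alert on any non-empty result.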
Mexican IP Addresses Tracked Down as Attack Origin
On further investigation, GreyNoise traced the scanning to a set of IP addresses, all of them in Mexico. In the days before the scans, those same addresses had been reported as compromised hosts, presumably consumer GPON routers the botnet had taken over to use as scanners. Netlab's figures confirmed the picture:
“The source of this [port 3333] scan is about 17k independent IP addresses, mainly from Uninet SA de CV, telmex.com, located in Mexico.”
The news spread quickly via forums and social media, and users joined the hunt for the attackers. Johannes Ullrich of the SANS Internet Storm Center examined the affected program in detail and found that the attack targeted the Nanopool version of the Claymore software.
At the time of writing, the number of affected mining rigs remains unknown.