FacebookTwitterLinkedIn

Hackers Hijack Ethereum Mining Equipment

Karolis Liucveikis Written by on

Hackers targeting all facets of the cryptocurrency boom is by no means a new phenomenon. On Nov 1, news broke of two separate incidents targeting cryptocurrency wallets in two different ways. Reasons for cryptocurrencies becoming one of the favored targets for hackers can be directly attributed their increasing popularity and soaring stock values. While the blockchain revolution is changing how we operate, hackers are still deploying the same methods as always to steal legitimate users cryptocurrency.

A security researcher at Romanian firm Bitdefender, Bogdan Botezatu, detected the first attacks on Monday this week when their SSH (Secure Shell) honeypots detected a bot attempting to change the system configuration to hijack funds from Ethereum mining operations. The bot was targeting an operating system optimized for Ethereum mining, called EthOS. This is a commercial operating system that can mine Ethereum, Zcash, Monero and other crypto-currencies that rely on GPU power. According to the OS’s creators, their offering is currently running on more than 38,000 mining rigs across the world. As with other specialized operating systems, it comes pre-loaded with the necessary tools and a default username and password. After deployment, the user only needs to add a wallet for mining fees and, of course, most importantly, change the default username and password.

It is this oversight of not changing the default username and password that is being exploited. The bot operates by scanning the entire IPv4 range in order to find open SSH connections. If found, it attempts to log in using the default username and password used by the EthOS operating system, that being “ethos:live” and “root:live”. If the login succeeds the bot attempts to change the existing configuration for Ethereum to hijack the mining process to the attacker’s Ethereum address (0xb4ada014279d9049707e9A51F022313290Ca1276). Since the attack campaign started the wallet displays that 11 transactions have occurred worth a total of $611 in Ether.

If users of the operating system changed the default username and password, as well as ensuring the rig is behind a firewall they are safe from this attack. It is thus advised that users ensure the username and password have been changed from the default, if not it is further advised that users check whether the miner is sending money to their wallets and not the hacker’s listed above. While hacker has only made off with just over $600, this attack is a healthy reminder as to why default usernames and passwords should always be changed.

hacker hijack etherum mining equipment

CryptoShuffler steals $150,000 worth in Bitcoin

On the day many around the globe celebrated Halloween, owners of Bitcoin may have had a few of their nightmares become reality. In a relatively simple scheme, the hackers behind what has been dubbed CryptoShuffler stole over $150,000 worth of cryptocurrency from unsuspecting users. CryptoShuffler works by the hacker infecting users with a Trojan which then sits idly on users' computers and does nothing but watch the user's clipboard and replace any string that looks like a Bitcoin wallet with the attackers' address. When the user wishes to make a payment and copy-pastes the wallet ID inside a payment field, if the user doesn't notice the new address, the hackers would receive the payment.

Researchers at Kaspersky noticed that CryptoShuffler has been active since 2016, with peak activity been reached later in that year. Again, another campaign was started in June of this year with the latest being now. Although, the scheme is simple it is effective as it requires no access to pools, no network interaction, and no suspicious processor load. In essence, this is a perfect example of a “rational gain” campaign in that the Trojan looks to remain undetected and the amounts generally stolen are not large enough to gain immediate notice by many. The attacker also looks to operate over extended periods of time choosing opportunities to start another campaign. As of yesterday CryptoShuffler's Bitcoin wallet currently holds 23.21 Bitcoin, worth over $150,000 at yesterday's (record) Bitcoin price of $6,544.

CryptoShuffler does not exclusively target Bitcoin targeted wallets for other cryptocurrencies, such as Dogecoin, Litecoin, Dash, Ethereum, Monero, and Zcash. With the other currencies registering thousands of dollars’ worth of the varying cryptocurrencies. All in all, CryptoShufler has proven itself to be one of the most successful cryptojackers to date. For example, another malware author took months scanning for vulnerable IIS servers to install a Monero miner, only to make $63,000. Making over $150,000 for some code that watches the clipboard and replaces a string is a significant return on investment.

Just two more in a long list

These two most recent cases form part of a long list of instances where hackers are targeting this potentially lucrative revenue source. The list not only includes hacks but vulnerabilities that could be exploited. Some of the vulnerabilities could easily have been prevented. For instance, in August, Dutch security researcher Victor Gevers has discovered 2,893 Bitcoin miners left exposed on the Internet with no passwords on their Telnet port. Gevers also reported that most of these exposed miners were locates in China with many of them possibly linked to the Chinese government in one form all the other. It was later reported that some of these miners were visited by hackers looking to install various kinds of malware, with some of the miners appearing to be infected by the Mirai botnet. Gevers discovered the mining network while trying to secure thousands of smart devices that were still running default Telnet credentials. The IP addresses, usernames, and passwords were leaked online via a list uploaded on Pastebin. One of the IP addresses included on that list belonged to one of the Bitcoin miners.

In April of this year, an anonymous security researcher has published details on a vulnerability named “Antbleed” which the author claims are a remote backdoor affecting Bitcoin mining equipment sold by Bitmain, the largest vendor of crypto-currency mining hardware on the market. The researcher informed Bitmain of the bug in 2016, which was ignored till the middle of 2017 when Bitmain released firmware to correct the bug.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

New Removal Guides
Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal

Top Removal Guides
Latest News
Blog