A New Wave of Attacks on Ethereum Mining Rigs
Another massive campaign targeting Ethereum mining rigs has been going on for at least a week, since December 3rd, ZDNet reported, citing Troy Mursch, co-founder of Bad Packets LLC, a cybersecurity company. Attackers are scanning for devices with port 8545 exposed online - which has cost careless miners more than USD 20 million back in June this year, when the same thing happened.
The port 8545 is standard for the JSON-RPC interface of many Ethereum wallets and mining equipment. Some Ethereum software applications can be configured to expose a Remote Procedure Call (RPC), the purpose of which is to provide access to programmatic API (application programming interface) that an approved third-party service or app can query and interact or retrieve data from the original Ethereum-based service. The RPC interface can also grant access to very sensitive functions, like private keys, personal details and similar.
In theory, the interface should be only exposed locally, but some wallet apps and mining equipment enable it on all interfaces. Furthermore, this JSON-RPC interface, when enabled, also does not come with a password in default configurations and relies on users setting one. If this stays exposed on the internet, attackers can freely move funds from the victim’s address to their own.
here as well, 1st wave seen around 4pm UTC pic.twitter.com/i5dXEohYI0— ZeroBS_GmbH (@zero_B_S) December 10, 2018
Many mining rig vendors and wallet app makers have taken precautions to limit port 8545 exposure, or have removed the JSON-RPC interface altogether. The Ethereum team sent out a security advisory to all Ethereum users about the dangers of using mining equipment and Ethereum software that exposes this API interface over the Internet, recommending that users take precautions by either adding a password on the interface, or using a firewall to filter incoming traffic for port 8545.
To showcase the vulnerability of many miners, ZDNet writes that, “A quick Shodan [search engine for Internet-connected devices] search shows that nearly 4,700 devices --most of which are Geth mining equipment and Parity wallets-- are currently exposing their 8545 port.” Even though the price of the asset is reaching new lows, standing at around USD 90 as of the time of writing, this has not deterred attackers from looking for easy pickings.
As previously reported, protecting yourself from these attacks does not have to be very difficult. Tinkering with your Ethereum client should be off-limits unless you’re certain you know what you’re doing, and reading the warning notices that come with the app you’re using should be your first step. Of course, if you have a good reason to enable the RPC interface, secure it by an access control list (ACL), a firewall, or other authentication systems.