
Hijacking Ethereum Miners

Jan 28, 2018

During 2017, public attention turned to the money-crazed frenzy surrounding Bitcoin. Browser-based cryptocurrency mining became a significant concern as malicious sites ran JavaScript miners in visitors' browsers, at the visitors' expense. Successful mining of any proof-of-work cryptocurrency depends principally on hash rate, a metric that JavaScript running in a browser is poorly placed to maximise. The surge in public attention fuelled monstrous growth in cryptocurrency values, incentivising ever more nefarious and ingenious ways of mining for profit.

Another trend that we can expect to accelerate in 2018 is the growth, and the impact, of botnets. As more poorly secured devices connect to the public Internet, large-scale attacks become progressively more likely and more dangerous. Botnets are nothing new: for decades they have infected vulnerable computers and used them to launch DDoS attacks, store illegal material, send spam, and more. The sheer scale of this new breed of botnet is what makes it so formidable, and a serious threat to public infrastructure.

The financial incentive to infect devices for cryptocurrency mining is clear. Serious mining is the preserve of bespoke machines built specifically for the purpose, using high-end GPUs to bolster their hash rate. Hijacking a network of miners of this type would therefore be worth a great deal to an attacker. Because such miners are optimised so aggressively for throughput, their operators often leave configuration parameters at their defaults, assumed to be correct and never checked, which leaves the miners open to attack.

The source code for the Mirai malware, which infected IoT devices with incredible success in 2016, was released publicly and has since been modified by many attackers for their own purposes. Satori (Japanese for "enlightenment") is one such fork, first identified and named by NetLab360. Since that initial identification, the security community has been able to sinkhole the botnet and hamper further infection of devices. The threat persisted, however, as it was only a matter of time before further forks were discovered in the wild.

Another variant of Satori has since emerged, aptly named Satori.Coin.Robber by NetLab360. The malware seeks out devices running the Claymore Miner software used to mine Ether on the Ethereum network. The mining software exposes a remote management interface on TCP port 3333 which, by default, requires no authentication. This is a known issue, CVE-2017-16929, and Python source code that exploits it has since been disclosed publicly.

If an unprotected miner is found, Satori.Coin.Robber attempts to replace the wallet address to which mined Ether is paid with the attacker's own. As of this writing, one such address has received three payments from compromised miners, totalling 2.796 Ether, roughly $3.5K at current prices.
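The practical question for anyone running a rig is whether their own miner's management port answers without a password. The script below is an added example written for this post; it is not code from the original article, from NetLab360, or from the Claymore project. It assumes the management port speaks newline-terminated JSON-RPC over plain TCP, that the read-only status call is named `miner_getstat1`, and that a configured password travels as a `psw` field in the request; check those details against the readme of your miner version. So that it runs offline, it includes a small mock of the management port, one instance with no password (the default described above) and one with a password, and shows that only the first is reported as exposed. All hostnames, ports, passwords and status values in the mock are constructed for the example.

```python
"""Check whether a Claymore-style management port answers with no password.

Added example, not code from the original post or from Claymore/NetLab360.
Assumptions: newline-terminated JSON-RPC over TCP, status method
"miner_getstat1", password carried in a "psw" request field.
"""
import json
import socket
import socketserver
import threading


def jsonrpc_request(method, password=None, request_id=0):
    """Build the one-line JSON-RPC request the management port expects."""
    req = {"id": request_id, "jsonrpc": "2.0", "method": method}
    if password is not None:
        req["psw"] = password          # assumed field name for -mpsw passwords
    return (json.dumps(req) + "\n").encode()


def query(host, port, method, password=None, timeout=3.0):
    """Send one request; return the parsed reply, or None on no/invalid reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(jsonrpc_request(method, password))
            data = b""
            while not data.endswith(b"\n"):
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError:                    # refused, filtered, or timed out
        return None
    try:
        return json.loads(data.decode(errors="replace"))
    except ValueError:
        return None


def management_exposed(host, port=3333, timeout=3.0):
    """True if the port returns a status result to a request with no password."""
    reply = query(host, port, "miner_getstat1", timeout=timeout)
    return bool(reply) and reply.get("result") is not None


# ---- mock management port, constructed for this example only -------------
class MockClaymoreHandler(socketserver.StreamRequestHandler):
    """Answers like an (assumed) management port. If the server has a
    password, requests whose "psw" does not match get an error, no result."""

    def handle(self):
        try:
            req = json.loads(self.rfile.readline())
        except ValueError:
            return
        if self.server.password is not None and req.get("psw") != self.server.password:
            self.wfile.write(b'{"id":0,"error":"access denied"}\n')  # made-up text
            return
        if req.get("method") == "miner_getstat1":
            # Constructed status fields: version, uptime, hashrate;shares;rejected, pool.
            result = ["10.2 - ETH", "1234", "27000;120;0", "eth-eu1.example.net:9999"]
            reply = {"id": req.get("id", 0), "result": result}
            self.wfile.write((json.dumps(reply) + "\n").encode())


class MockClaymore(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, password=None):
        super().__init__(("127.0.0.1", 0), MockClaymoreHandler)  # ephemeral port
        self.password = password
        threading.Thread(target=self.serve_forever, daemon=True).start()

    @property
    def port(self):
        return self.server_address[1]

    def stop(self):
        self.shutdown()
        self.server_close()


def demo():
    """Probe an unprotected and a password-protected mock; return the verdicts."""
    open_miner = MockClaymore(password=None)        # the insecure default
    locked_miner = MockClaymore(password="s3cret")  # constructed password
    try:
        return {
            "unprotected": management_exposed("127.0.0.1", open_miner.port),
            "password_protected": management_exposed("127.0.0.1", locked_miner.port),
        }
    finally:
        open_miner.stop()
        locked_miner.stop()


if __name__ == "__main__":
    for name, exposed in demo().items():
        print(f"{name}: {'EXPOSED' if exposed else 'ok'}")
```

Point `management_exposed` at your own rigs from a host that sits where an attacker would (outside the mining LAN) and treat any `True` as an incident waiting to happen. As far as I recall from Claymore's readme, and not from the post itself, a negative `-mport` value makes the interface read-only and `-mpsw` sets a management password; whatever the flags are for your version, the port should additionally be firewalled from the Internet, since a password on an exposed plaintext service is a mitigation, not a fix.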

This vulnerability will undoubtedly be fixed; even so, basic security practice still requires that the appropriate patches be applied, and applied in a timely manner. In this case the compromised devices were vulnerable because they were improperly configured: the management port was left reachable with its insecure default. That is alarming given that the owner of a miner benefits directly from its security, and has neglected it anyway. Many services on the web offer their owners no such financial incentive, and yet we naively expect them to be appropriately secured.