Watch out! Satori Botnet Targets Exposed Ethereum Miners
Yesterday, BleepingComputer brought to light recent reports that have Ethereum miners worried, as compromised internet-connected devices have been targeting miners worldwide.
Evidence published by multiple internet security companies has shown that the Satori botnet, a network of infected IoT devices numbering in the tens of thousands, has been trying to infiltrate Ethereum mining rigs through an exploit against port 3333 exposed to the internet.
This port is commonly used by miners to remotely monitor and control their mining equipment, a widespread practice among miners today. However, the remote access that this port provides also makes it a perfect attack vector for malicious hackers looking to make a quick buck.
Security researchers from Netlab found that scans for exposed port 3333 started on 11 May and tied some of the activity to the aforementioned Satori botnet.
Do you see port 3333 scan traffic going up? Satori botnet is scanning it now, see our Scanmon trend https://t.co/TyrL4ryt6J, and try a dns lookup for one of the control domain it is using now, dig any https://t.co/DM4JTtXFo3, I personally like yesterday's TXT result more pic.twitter.com/xXUjwjZNdD
— 360 Netlab (@360Netlab) May 11, 2018
When Netlab released this announcement on Twitter, not much was known about the cause of this rise in malicious activity.
The next day, GreyNoise, another internet security firm, clarified the issue, stating that the botnet was specifically looking for rigs running a vulnerable Claymore Ethereum miner.
The Claymore Dual miner, which mines Ethereum and Decred simultaneously, is one of the most popular pieces of mining software for retail and corporate miners alike. Although there are no clear numbers on the issue, it is safe to assume that many Ethereum miners use Claymore as their mining software of choice. The heavy use of Claymore sadly means more targets for the botnet's attacks.
Once the attacker identifies a server running the Claymore software, they push instructions that reconfigure the device to join the 'dwarfpool' mining pool and to use the attacker's ETH wallet.
This form of attack effectively diverts all mining profits from the miner's wallet to the attacker's until the miner notices the change and corrects the configuration.
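Because the attack described above leaves two traces on the victim's side, a changed pool and wallet in the miner's configuration, and inbound connections to the management port from hosts that should never reach it, an operator can detect it with a small audit script. The following is an added example written for this article, not code from Claymore, Netlab or GreyNoise. It assumes a Claymore-style configuration in which each option is written as "-flag value" (the -epool and -ewal options are Claymore's own; the sample config, the constructed dwarfpool-style host name, the placeholder wallet addresses and the netfilter-style firewall log lines are all made up for the example), and it assumes the operator knows which pools, which payout address and which management subnet are legitimate.

```python
"""Audit a mining rig for the two symptoms of a hijacked miner:
(1) the configured pool or payout wallet no longer matches what the operator expects;
(2) hosts outside the trusted management network are connecting to the management port.
Added example; all sample data below is constructed, not captured from a real incident."""
import ipaddress
import re
from collections import Counter

# --- Operator expectations (assumptions; replace with your rig's real values) ---
EXPECTED_POOLS = {"eth-eu1.nanopool.org:9999", "eth-us-east1.nanopool.org:9999"}
EXPECTED_WALLET = "0x" + "11" * 20                       # placeholder payout address
TRUSTED_MANAGEMENT_NETS = [ipaddress.ip_network("10.0.0.0/24")]
MANAGEMENT_PORT = 3333                                    # the port the article discusses

# --- Constructed sample state of a rig after the reconfiguration described in the article ---
ATTACKER_WALLET = "0x" + "22" * 20                        # placeholder, not a real address
SAMPLE_CONFIG = f"""
-epool eth.dwarfpool.example:8008
-ewal {ATTACKER_WALLET}
-epsw x
-mport {MANAGEMENT_PORT}
"""

# Constructed firewall log lines in a netfilter-like style (illustrative, not real captures).
SAMPLE_FW_LOG = """\
May 12 03:14:01 rig kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP SPT=51234 DPT=3333 SYN
May 12 03:14:07 rig kernel: IN=eth0 SRC=203.0.113.44 DST=10.0.0.20 PROTO=TCP SPT=4444 DPT=3333 SYN
May 12 03:14:09 rig kernel: IN=eth0 SRC=203.0.113.44 DST=10.0.0.20 PROTO=TCP SPT=4445 DPT=3333 SYN
May 12 03:14:11 rig kernel: IN=eth0 SRC=198.51.100.9 DST=10.0.0.20 PROTO=TCP SPT=60000 DPT=22 SYN
"""

# "-flag value" pairs, whether written one per line or all on one command line.
_FLAG_RE = re.compile(r"(?:^|\s)-(\w+)\s+(\S+)")
_LOG_RE = re.compile(r"SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")


def parse_miner_config(text):
    """Return {flag: value} for a Claymore-style config or command line."""
    return dict(_FLAG_RE.findall(text))


def check_mining_target(config):
    """List every way the configured pool/wallet differs from the operator's expectation."""
    findings = []
    pool = config.get("epool")
    wallet = config.get("ewal")
    if pool not in EXPECTED_POOLS:
        findings.append(f"unexpected pool: {pool}")
    if wallet is not None and wallet.lower() != EXPECTED_WALLET.lower():
        findings.append(f"unexpected wallet: {wallet}")
    return findings


def _trusted(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_MANAGEMENT_NETS)


def untrusted_management_probes(log_text):
    """Count inbound connections to the management port per untrusted source address."""
    hits = Counter()
    for line in log_text.splitlines():
        m = _LOG_RE.search(line)
        if not m or int(m["dpt"]) != MANAGEMENT_PORT:
            continue
        if not _trusted(m["src"]):
            hits[m["src"]] += 1
    return hits


def audit(config_text=SAMPLE_CONFIG, log_text=SAMPLE_FW_LOG):
    """Combine both checks into one list of alert strings (empty list means nothing found)."""
    findings = check_mining_target(parse_miner_config(config_text))
    for src, n in untrusted_management_probes(log_text).items():
        findings.append(f"{n} connection(s) to port {MANAGEMENT_PORT} from untrusted {src}")
    return findings


if __name__ == "__main__":
    for finding in audit():
        print("ALERT:", finding)
```

Run against the constructed sample, the script reports the swapped pool, the swapped wallet and the two probes from 203.0.113.44, while the connection from the trusted 10.0.0.5 host and the unrelated port 22 line are ignored. The more important design point is the one the article implies: a rig whose management port is only reachable from the operator's own network never gives the botnet the chance to push a new pool and wallet in the first place, so the firewall check is the preventive control and the configuration check is the safety net.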
GreyNoise made further discoveries, stating that the scans originated from certain Mexican IP addresses which had themselves come under attack a few days earlier. That earlier attack allowed the botnet to take control of GPON routers.
Considering the evidence shown, it appears that these newly hacked routers were used to search for exposed port 3333 services on computers running the Claymore miner, so that the malicious hackers at the other end could mine Ethereum for themselves.
Netlab, the other security company mentioned earlier, confirmed this claim, stating that “The source of this [port 3333] scan is about 17k independent IP addresses, mainly from Uninet SA de CV, telmex.com, located in Mexico.”
As news spread about this event, more users began to look into the details of the debacle, and a researcher from the Internet Storm Center found specifics on the affected program. The researcher, Johannes B. Ullrich, confirmed that the Claymore miner was affected but specifically pointed out an exploit against the Nanopool version of the program.
At this moment, it is unclear how many miners, if any, were affected by this vulnerability, but there is a chance that some miners out there right now do not know who they are mining for.
For all of its positive aspects, the cryptocurrency industry is not always the most forgiving space, with hacks and scams being extremely prevalent in the dark corners of the industry. Business Insider reported in April on how “bad actors” in the cryptocurrency community have stolen or scammed $670 million worth of cryptocurrencies since the beginning of the year. Imagine what that would amount to over the course of a few years. That is why it should be of the utmost importance to take the proper precautions when getting involved in the industry.
Have you or anybody you know been affected by this exploit or by any other hacks or scams in the cryptocurrency industry? Do you think that events like this are making the cryptocurrency community worse?
Images Courtesy of Shutterstock