Hackers stole over $20 million from misconfigured Ethereum clients

The Chinese cybersecurity firm Qihoo 360 Netlab reported today that a group of hackers has stolen more than $20 million in Ethereum from Ethereum-based applications and mining platforms.


These thefts are caused by Ethereum software applications that have been configured to expose an RPC (Remote Procedure Call) interface on port 8545.

The purpose of this interface is to provide programmatic API access so that an approved third-party service or application can query, interact with, or retrieve data from the Ethereum service, such as a wallet application that users or businesses have set up to mine or manage their funds.

Because of its function, this RPC interface gives access to some rather sensitive operations, allowing a third-party application to recover private keys, move funds, or retrieve the owner’s personal data.

As such, this interface is disabled by default in most applications and is often accompanied by a warning from the application’s developers not to enable it unless it is protected by an access control list (ACL), a firewall, or another authentication mechanism.

Almost all Ethereum-based software ships with an RPC interface today, and in most cases, even when it is turned on, it is properly configured to listen for requests only on the local interface (127.0.0.1), i.e. from applications running on the same machine as the mining application or wallet that exposes the RPC interface.
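The loopback-only binding described above is something a node operator can verify locally. The following is an added example written for this article, not code from the article, from Qihoo 360 Netlab, or from any Ethereum client project: it reads the Linux kernel’s /proc/net/tcp socket table and reports any listener on port 8545 that is bound to an address other than 127.0.0.1. The socket table embedded in the block is constructed for the demonstration; on a real host, `audit_host()` reads the live table.

```python
"""Audit a Linux host for an Ethereum JSON-RPC listener (port 8545) that is
bound to something other than the loopback interface.

Added example for this article (not code from the article or any Ethereum
client). Linux only: it parses /proc/net/tcp, where addresses are hex and
port 8545 appears as 0x2161. The SAMPLE_PROC_NET_TCP table is constructed.
"""
import socket
import struct

RPC_PORT = 8545
TCP_LISTEN = "0A"  # kernel state code for LISTEN in /proc/net/tcp


def parse_proc_addr(hex_addr: str):
    """Decode a /proc/net/tcp address field such as '0100007F:2161'.

    The IPv4 part is a little-endian 32-bit hex value, the port is hex.
    Returns (dotted_ip, port).
    """
    ip_hex, port_hex = hex_addr.split(":")
    ip_bytes = struct.pack("<I", int(ip_hex, 16))
    return socket.inet_ntoa(ip_bytes), int(port_hex, 16)


def listeners(proc_tcp_text: str):
    """Yield (ip, port) for every socket in LISTEN state."""
    for line in proc_tcp_text.strip().splitlines()[1:]:  # skip header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        yield parse_proc_addr(fields[1])


def exposed_rpc_listeners(proc_tcp_text: str, port: int = RPC_PORT):
    """Return listeners on `port` whose bind address is not loopback.

    A node bound to 0.0.0.0 (or any non-127.x address) answers RPC calls
    from every interface, which is the misconfiguration the article describes.
    """
    return [
        (ip, p) for ip, p in listeners(proc_tcp_text)
        if p == port and not ip.startswith("127.")
    ]


def audit_host(path: str = "/proc/net/tcp"):
    """Run the check against the live socket table of this host."""
    with open(path) as fh:
        return exposed_rpc_listeners(fh.read())


# Constructed /proc/net/tcp excerpt: one safe 127.0.0.1:8545 listener, one
# exposed 0.0.0.0:8545 listener, an SSH listener (port 22 = 0x0016) and an
# established (state 01) connection that must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:2161 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:2161 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0100007F:2161 0100007F:C3A8 01 00000000:00000000 00:00000000 00000000  1000        0 12348 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    for ip, port in exposed_rpc_listeners(SAMPLE_PROC_NET_TCP):
        print(f"sample table: RPC port {port} exposed on {ip}")
    try:
        for ip, port in audit_host():
            print(f"this host: RPC port {port} exposed on {ip}")
    except OSError:
        print("no /proc/net/tcp on this system; live check skipped")
```

The same parsing applies to /proc/net/tcp6 for nodes bound to `::`, with 128-bit addresses in place of the 32-bit ones; a complete audit should read both tables, since a wildcard IPv6 bind also accepts IPv4 connections on most Linux systems.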

Some users do not want to read the documentation

But over the years, developers have been known to tinker with their Ethereum applications, sometimes without knowing what they are doing.

This is not a new problem. Months after its launch, the Ethereum Project issued an official security alert warning that some users of geth, Ethereum’s client software, were running mining platforms with this interface open to remote connections, allowing attackers to steal their funds.

But despite the warning from Ethereum’s official developers, users have continued to misconfigure their Ethereum clients over the years, and many have reported losing funds seemingly out of nowhere, with the losses later traced back to exposed RPC interfaces.

Scanning for exposed interfaces intensified last year

Scans for these ports have been going on quietly for years, but with cryptocurrency prices rising to record levels in 2017, several groups of hackers have joined in, looking for easy money left exposed online.

One of the highest peaks in scanning activity came last November, when someone started a massive Internet-wide scan for Ethereum JSON-RPC endpoints.

Those scans were successful, as the hacker soon discovered that a version of the Electrum wallet application shipped with its JSON-RPC interface enabled by default, allowing anyone who knew where to look to access users’ wallets.

In May 2018, Satori, one of today’s largest IoT botnets, also began scanning for Ethereum miners that had been accidentally left exposed online.

New scans pointing to port 8545

Those attacks targeted devices with port 3333 open, but for most of these applications the default RPC interface resides on port 8545.

According to Qihoo 360 Netlab security researchers, at least one hacker started mass scans for port 8545, looking for Ethereum software exposed online.

Those scans began in March this year, and at the time the attacker had made only about 3.96234 Ether (between $2,000 and $3,000).

Revisiting that research today, the Netlab team says the scans for port 8545 never stopped, but intensified as several groups joined the scanning activity, with one group being far more successful than the rest after siphoning off more than $20 million.

“If you have a running honeypot on port 8545, you should be able to see the requests on the payload, which has the wallet addresses,” says the Netlab team. “And there are quite a few IPs scanning a lot on this port right now.”
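The Netlab observation above, that honeypot traffic on port 8545 carries the attackers’ wallet addresses in the request payload, is the basis for simple detection. The following is an added example written for this article, not code from the article, from Netlab, or from any honeypot project: it triages captured JSON-RPC request bodies per source IP, separates reconnaissance calls (such as `eth_accounts`) from calls that move funds or unlock keys (such as `eth_sendTransaction` and `personal_unlockAccount`), and extracts the destination addresses from transaction parameters. The log format (`<source ip> <json body>`), the sample source IPs (documentation ranges) and the wallet addresses are all constructed for the demonstration; the method names are standard Ethereum JSON-RPC methods.

```python
"""Triage JSON-RPC requests captured by a honeypot listening on port 8545.

Added example for this article (not code from the article or from Netlab).
Log lines are assumed to have the constructed form '<src_ip> <json body>';
the sample IPs and wallet addresses below are constructed placeholders.
"""
import json
import re
from collections import defaultdict

# Methods that move funds or unlock keys when reached over an exposed RPC.
SENSITIVE_METHODS = {
    "eth_sendTransaction", "personal_sendTransaction",
    "personal_unlockAccount", "personal_importRawKey",
}
# Methods typically seen first, used to enumerate accounts and balances.
RECON_METHODS = {
    "eth_accounts", "personal_listAccounts", "eth_getBalance", "web3_clientVersion",
}
ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def parse_request(raw: str):
    """Parse one JSON-RPC body; a batch (JSON array) expands into its items."""
    try:
        body = json.loads(raw)
    except json.JSONDecodeError:
        return []  # honeypots see plenty of junk; ignore non-JSON bodies
    items = body if isinstance(body, list) else [body]
    return [i for i in items if isinstance(i, dict) and "method" in i]


def destination_addresses(req: dict):
    """Collect well-formed 'to' addresses from transaction-style params."""
    out = []
    for p in req.get("params") or []:
        if isinstance(p, dict):
            to = p.get("to")
            if isinstance(to, str) and ADDRESS_RE.match(to):
                out.append(to.lower())
    return out


def triage(log_lines):
    """Summarise captured traffic per source IP.

    Returns {src_ip: {"methods": set, "recon": int, "sensitive": int,
                      "sweep_to": set of destination addresses}}.
    """
    report = defaultdict(
        lambda: {"methods": set(), "recon": 0, "sensitive": 0, "sweep_to": set()}
    )
    for line in log_lines:
        src, _, body = line.partition(" ")
        for req in parse_request(body):
            entry = report[src]
            method = req["method"]
            entry["methods"].add(method)
            if method in RECON_METHODS:
                entry["recon"] += 1
            if method in SENSITIVE_METHODS:
                entry["sensitive"] += 1
                entry["sweep_to"].update(destination_addresses(req))
    return dict(report)


def flagged_sources(report):
    """Sources that attempted at least one fund-moving or key-unlocking call."""
    return sorted(ip for ip, e in report.items() if e["sensitive"] > 0)


# Constructed sample: a victim account and the address funds are swept to.
VICTIM = "0x" + "11" * 20
SWEEP_TO = "0x" + "aa" * 20


def _rpc(method, params, rid):
    return json.dumps({"jsonrpc": "2.0", "method": method, "params": params, "id": rid})


SAMPLE_LOG = [
    "198.51.100.7 " + _rpc("eth_accounts", [], 1),
    "198.51.100.7 " + _rpc("eth_getBalance", [VICTIM, "latest"], 2),
    "198.51.100.7 " + _rpc("eth_sendTransaction",
                           [{"from": VICTIM, "to": SWEEP_TO, "value": "0x38d7ea4c68000"}], 3),
    # one batch request from a second source, then a junk line
    "203.0.113.9 " + json.dumps([
        json.loads(_rpc("web3_clientVersion", [], 1)),
        json.loads(_rpc("personal_unlockAccount", [VICTIM, "", 0], 2)),
    ]),
    "203.0.113.9 not-json-at-all",
]

if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for ip in flagged_sources(rep):
        e = rep[ip]
        print(f"{ip}: recon={e['recon']} sensitive={e['sensitive']} "
              f"sweep_to={sorted(e['sweep_to'])}")
```

The `sweep_to` set is the useful output for a defender: the same destination address recurring across many sources and honeypots is a strong signal of a single campaign, and it can be matched against transactions on a production node’s own RPC logs to confirm whether that node was reached.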

With plenty of tools to automate scanning and attacks against port 8545 available on GitHub, intentionally exposing your mining service or wallet application on port 8545 is financial suicide.

However, with more than $20 million stolen in recent months by just one group, there are apparently many users who can’t be bothered to read their application’s documentation before setting up an Ethereum wallet or mining platform.

Scans for port 8545 are only expected to increase, as the success of this group is likely to attract more people looking for fast money.

Owners of Ethereum wallets and mining equipment are advised to check the configuration of their Ethereum node and ensure that they do not expose the RPC interface to external connections.