Raptoreum: AMD EPYC CPU-based high-performance servers were converted into mining machines by hackers using the Log4J vulnerability

Raptoreum's total network hash rate had been increasing over the past few weeks, but it suddenly doubled from 200 MH/s to 400 MH/s, with one address contributing an additional 100-200 MH/s to the Raptoreum network. During the attack, many servers were breached, each contributing a large amount of hash power from very high-end server hardware. Few organizations in the world have access to this kind of hardware, making it highly unlikely that the attack was carried out with individually owned machines. The hackers managed to mine Raptoreum on HP's AMD EPYC servers by exploiting a security vulnerability.

Raptoreum: HP’s AMD EPYC servers hacked for mining

Unknown hackers have exploited a critical Java vulnerability to use HP’s powerful servers to mine Raptoreum.

The exploit goes by the name Log4J; the attackers used it to take control of HP's AMD-based 9000 EPYC servers and turn the powerful hardware into cryptocurrency miners. The exploit led to a doubling of the hash rate of the cryptocurrency Raptoreum (RTM) from 200 MH/s to 400 MH/s before most of the exploited machines were taken out of service.

Log4J is a recently disclosed Java vulnerability in a component of the popular Apache suite. It is one of the few vulnerabilities to have reached the highest threat level (a score of 10) under the CVSS 3.0 rules. The exploit does not require physical access to the computer; it allows privilege escalation and can cause the system to connect to a server controlled by the hacker or hacker group, then download and execute malware. The vulnerability has been patched on most servers, but not on HP computers.

Raptoreum is a CPU-mined cryptocurrency based on the Proof-of-Work (PoW) model that uses the GhostRider algorithm. The algorithm benefits from processors with a lot of cache memory, and Ryzen processors are often targeted by miners because they have more cache memory than Intel's options. Processors like the Ryzen 9 5900X or 5950X with 64 MB of L3 cache are the most sought-after for mining, and EPYC processors have far more L3 cache. So it is no wonder that the hackers used the servers to mine this currency.

Apparently, the attack began on Dec. 9, when Raptoreum's developers noticed an unusual increase in the hash rate, which rose from 200 MH/s to 400 MH/s.

“We found out that the miners they used all had HP nicknames and that they all stopped abruptly, adding to speculation about a security vulnerability in the company and a subsequent patch on the servers. The Log4J Raptoreum mining exploits began on December 9 and essentially ended on December 17. During this period, hackers were able to capture about 30% of the total block reward, or about 3.4 million Raptoreum (RTM), worth about $110,000 as of Dec. 21, 2021. Although activity has slowed significantly, it is still being actively mined today on a single premium machine that has not yet been patched.”
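The two signals the developers describe, a sudden jump in network hash rate and a single address suddenly holding a large share of it, can be turned into a simple monitoring check. The following is an added example, not code from the article or the Raptoreum project; the per-day snapshots are constructed from the figures quoted above, and the thresholds are assumptions.

```python
"""Added example: flag hash-rate anomalies of the kind seen in the Raptoreum attack.
Sample data is constructed from the article's figures, not taken from chain data."""
from dataclasses import dataclass


@dataclass
class Snapshot:
    day: str
    network_mhs: float      # total network hash rate, MH/s
    top_address_mhs: float  # hash rate attributed to the largest single address


# Constructed snapshots: ~200 MH/s baseline, then a doubling on Dec. 9 with
# one address contributing 100-200 MH/s, as the article reports.
SNAPSHOTS = [
    Snapshot("2021-12-06", 190.0, 12.0),
    Snapshot("2021-12-07", 200.0, 14.0),
    Snapshot("2021-12-08", 205.0, 13.0),
    Snapshot("2021-12-09", 400.0, 180.0),
    Snapshot("2021-12-10", 390.0, 170.0),
]


def detect_anomalies(snapshots, window=3, jump_ratio=1.5, max_share=0.25):
    """Return (day, reasons) pairs for days on which the network hash rate exceeds
    jump_ratio times the mean of the previous `window` days, or on which a single
    address holds more than max_share of the total. Thresholds are assumed values."""
    alerts = []
    for i, snap in enumerate(snapshots):
        reasons = []
        if i >= window:
            # Baseline is the trailing mean; the jump is measured against it so that
            # slow organic growth over weeks does not trigger an alert.
            baseline = sum(s.network_mhs for s in snapshots[i - window:i]) / window
            if snap.network_mhs > jump_ratio * baseline:
                reasons.append(
                    f"hash rate {snap.network_mhs:.0f} MH/s is "
                    f"{snap.network_mhs / baseline:.1f}x the {window}-day baseline")
        # Concentration check: one address suddenly dominating the network is the
        # second signal the developers noticed.
        share = snap.top_address_mhs / snap.network_mhs
        if share > max_share:
            reasons.append(f"single address controls {share:.0%} of network hash rate")
        if reasons:
            alerts.append((snap.day, reasons))
    return alerts


if __name__ == "__main__":
    for day, reasons in detect_anomalies(SNAPSHOTS):
        print(day, "->", "; ".join(reasons))
```

Once the jump has persisted for a few days it becomes part of the trailing baseline, so only the concentration check keeps firing; in practice the two checks complement each other.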

Of the 3.4 million Raptoreum tokens in the wallet, the hackers were able to move about 1.5 million and cash them out via CoinEx. The rest were dormant, waiting for a later price increase.