Threat actors using default SSH credentials to hijack Ethereum miners

Pierluigi Paganini November 02, 2017

Attackers scanned for the entire IPv4 range and look for Ethereum miners with open SSH connections.

Hackers target Ethereum-mining farms in the attempt to hijack the funds by replacing the user’s wallet with their one.

The attacks were first spotted on Monday, threat actors attempted to change the default configuration of Ethereum miners.

“Illicit digital currency mining, either directly in the browser or via maliciously-delivered miners, is nothing new, but our honeypot systems have started flagging a different type of attack against Ethereum-mining farms.” wrote Bitdefender threat analyst Bogdan Botezatu.

“We detected the first attacks on Monday, when our SSH honeypots prompted us about a bot attempting to change the system configuration to hijack funds from Ethereum-mining operations.”

The attackers are specifically targeting EthOS, the operating system optimized for mining cryptocurrencies, including Ethereum, Zcash, and Monero. The operating system currently runs on more than 38,000 mining rigs across the world. It comes pre-loaded with the necessary tools, and a default username and password, the only effort requested to the user during the installation is the set up of a wallet address used as a recipient for mining fees and the change of default credentials.

EthOS Ethereum miners

The attacks were detected by a honeypot set up by Bitdefender, attackers scanned for the entire IPv4 range and look for Ethereum miners with open SSH connections.

“The bot scans for the entire IPv4 range and looks for open SSH connections. If found, it attempts to log in using the default username and password to the EthOS operating system: ethos:live and root:live,” explained Botezatu.

If the login succeeds, the attackers try to change the Ethereum wallet to hijack the mining process to the attacker’s Ethereum address. In the attacks observed by the researchers, threat actors used the wallet “0xb4ada014279d9049707e9A51F022313290Ca1276” that received 10 transactions over the past days worth a total of $611 in Ether.

“So, if you are running an Ether Miner based on Ethereum OS, make sure you have changed the default login credentials. If you haven’t done so, now would be a good time to check whether the miner is sending money to you, not hackers,” concluded Botezatu.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Ethereum miners, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment