Cyber Crime

Double check if your Bitcoin/Ethereum wallet is exposed online, crooks are running massive Internet scans

Security experts are observing numerous massive scans going on for Bitcoin and Ethereum wallets in order to steal their funds.

The continuing increase of both Bitcoin and Ethereum price is attracting crooks  that are spending a lot of efforts in the attempt to steal funds stored in the wallets used for these two cryptocurrencies.

Security researchers worldwide are observing an intensification of mass Internet scanning campaigns thanks the honeypots they set up to monitor the online threats.

The security expert Didier Stevens observed a significant scanning activity over the weekend, just two days before Bitcoin price jumped from $7,000 to over $8,000 (Consider that the Bitcoin’s price was roughly $200 just two years ago).

The researcher observed a huge number of requests to his honeypot to retrieve Bitcoin wallet files:
wallet – Copy.dat
wallet.dat
wallet.dat.1
wallet.dat.zip
wallet.tar
wallet.tar.gz
wallet.zip
wallet_backup.dat
wallet_backup.dat.1
wallet_backup.dat.zip
wallet_backup.zip
Accessing to such archives will allow cyber criminals to steal the victims’ funds.

“I’ve seen a couple of such requests a couple of years ago, but it’s the first time I see that many,” Stevens wrote in a short post on the SANS Institute. “The first time I observed this was late 2013, in the middle of the first big BTC price rally.”

Of course, the crooks are exploring the possibility to target also other cryptocurrencies, such as the Ethereum. Very interesting the analysis proposed by Bleepingcomputer.com that reported the discovery made by the researcher Dimitrios Slamaris.

The security expert reported Internet wide Ethereum JSON-RPC scans.

The expert caught a JSON RPC call in his honeypot, someone was making requests to the JSON-RPC interface of Ethereum nodes that should be only exposed locally.

The access to the interface does implements any authentication mechanism and wallet apps installed on the PC can send command to the Ethereum client to manage funds.

It the interface is exposed inline, attackers can send requests to this JSON-RPC interface and issue commands to move funds to an attacker’s wallet.

Below the sequence of requests discovered by Slamaris:

“After I noticed that these are RPC calls to the Ethereum JSON API I implemented one valid response after another and managed to capture a full Ethereum robbery, which consist basically (to the best of my knowledge) of commands in the following order:”

  • get information about block number 1 via eth_getBlockByNumber
  • get managed accounts via eth_accounts
  • get client version via web3_clientVersion
  • get the current balance of the previously received account: eth_getBalance
  • steal the gas via eth_sendTransaction from the previously received account”

Early November, Slamaris uncovered another massive scan that allowed the attacker to steal 8 Ethers (about $3,200 at current exchange).

Slamaris teamed with SANS Internet Storm Center expert Johannes Ullrich also uncovered a second campaign that took place this week, they discovered two IP addresses are scanning specifically hard using these requests:
  • 216.158.238.186 – Interserver Inc. (a New Jersey hosting company)
  • 46.166.148.120 – NFOrce Entertainment BV (Durch hosting company)

“If you are using Ethereum, and if you are running an Ethereum node, then please make sure the node is not listening to inbound queries. As far as I can tell, these requests are simple HTTP requests, they are not protected by same-origin policy and can easily be issued via Javascript.” states the post published by the SANS Institute.

Users running Ethereum nodes that necessarily need to have Internet access should disable the JSON-RPC interface’s inbound queries or proxy requests via a server to filter only approved clients.

“It would be trivial to have Javascript look for a node on the host connecting to a web server, even if the host is behind NAT. Probably because investors in cryptocurrencies are used to taking risks, the JSON RPC interface does not provide for authentication. Instead, if you do want to use any form of authentication, you have to proxy the queries via a server like Nginx that is then able to filter and authenticate requests.”

What will happen in the next months?

No doubts, crooks will continue to scan the Internet for wallet accidentally exposed online.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – cryptocurrencies, Ethereum wallet)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

6 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

18 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

22 hours ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

1 day ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

Finnish police linked APT31 to the 2021 parliament attack

The Finnish Police attributed the attack against the parliament that occurred in March 2021 to…

1 day ago

This website uses cookies.