SafeUM
Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
2 Nov 2017

Hackers using default SSH creds to take over Ethereum mining equipment

A threat actor is mass-scanning the Internet for Ethereum mining equipment running ethOS that is still using the operating system's default SSH credentials.

The attacker is using these creds to gain access to the mining rig and replace the owner's Ethereum wallet address with his own. Replacing this wallet ID sends all subsequent mining revenue to the attacker instead of the equipment's real owner.

The scans started on Monday and were first detected by a honeypot set up by Romanian cyber-security firm Bitdefender. Honeypot logs showed attackers trying two peculiar SSH username and password combos — ethos:live and root:live. Searching the Internet, Bitdefender tracked these two combinations down to ethOS, a 64-bit stripped-down Linux distro specialized in GPU-based mining of cryptocurrencies such as Ethereum, Zcash, Monero, and other altcoins.

Bitdefender experts discovered that attackers were trying to replace the default mining wallet ID with their own. A full list of commands the attackers' bot was trying to execute on hijacked systems is available here.

Attackers made only $611

While the ethOS team claims that over 38,000 mining rigs are running their operating system, not all equipment is vulnerable. If owners changed the OS' default credentials and placed the rig behind a firewall, they are safe from further attacks.

Bogdan Botezatu, a senior e-threat analyst at Bitdefender, says the hackers' Ethereum wallet (0xb4ada014279d9049707e9A51F022313290Ca1276) they identified in the recent scanning operation holds only 10 Ethereum transactions for a total of $601 worth of Ether. "If you are running an Ether miner based on [ethOS], make sure you have changed the default login credentials," Botezatu warned Ethereum aficionados. "If you haven’t done so, now would be a good time to check whether the miner is sending money to you, not hackers."
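The two checks Botezatu recommends (has the default login been used, and is the rig still paying out to the owner) can be scripted. The example below is added here and is not from the article, Bitdefender or the ethOS project: it scans OpenSSH authentication log lines for password logins to the two accounts the honeypot saw targeted, tallies failed attempts per source address, and compares the payout wallet found in a miner config file with the owner's expected address. The log lines, the config text, the `proxywallet` key name and the owner wallet are all constructed for the example.

```python
"""Defensive audit for an SSH-exposed mining rig (added example, not ethOS code).

Check 1: flag *accepted* password logins for the accounts whose default
         credentials the honeypot saw tried (ethos, root) and count failed
         attempts per source IP so a scanning wave stands out.
Check 2: confirm the configured payout wallet is still the owner's, since the
         attack replaces that value.
All sample data and the config key name 'proxywallet' are assumptions made
for this example.
"""
import re
from collections import Counter

# Accounts named in the article's honeypot logs (ethos:live and root:live).
DEFAULT_ACCOUNTS = {"ethos", "root"}

# OpenSSH auth line shape:
#   "... Accepted|Failed password for [invalid user] <user> from <ip> port <n> ssh2"
SSHD_RE = re.compile(
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def audit_ssh_log(lines):
    """Return (accepted_default_logins, failed_by_ip).

    accepted_default_logins: list of (user, ip) for password logins that
        succeeded against one of the default accounts.
    failed_by_ip: Counter of failed password attempts keyed by source IP.
    Public-key logins are ignored; they are not the attack described.
    """
    accepted = []
    failed = Counter()
    for line in lines:
        m = SSHD_RE.search(line)
        if not m:
            continue
        if m["result"] == "Failed":
            failed[m["ip"]] += 1
        elif m["user"] in DEFAULT_ACCOUNTS:
            accepted.append((m["user"], m["ip"]))
    return accepted, failed


# Assumed config syntax: one "proxywallet <0x + 40 hex chars>" line.
WALLET_RE = re.compile(r"^\s*proxywallet\s+(0x[0-9a-fA-F]{40})\s*$", re.MULTILINE)


def wallet_matches(config_text, expected_wallet):
    """True only when the configured payout wallet equals the owner's.

    Hex case is ignored: it carries no value information (it is only used for
    the optional checksum encoding), so a case-only difference is not a swap.
    A missing or malformed wallet line is treated as a mismatch.
    """
    m = WALLET_RE.search(config_text)
    if not m:
        return False
    return m.group(1).lower() == expected_wallet.lower()


# Constructed sample data (RFC 5737 documentation addresses, placeholder wallets).
SAMPLE_LOG = [
    "Oct 30 03:12:01 rig01 sshd[2210]: Failed password for ethos from 203.0.113.7 port 51022 ssh2",
    "Oct 30 03:12:03 rig01 sshd[2210]: Failed password for root from 203.0.113.7 port 51030 ssh2",
    "Oct 30 03:12:06 rig01 sshd[2214]: Accepted password for ethos from 203.0.113.7 port 51044 ssh2",
    "Oct 30 03:12:09 rig01 sshd[2220]: Failed password for invalid user admin from 198.51.100.9 port 40112 ssh2",
    "Oct 30 08:00:00 rig01 sshd[2301]: Accepted publickey for miner from 192.0.2.10 port 50001 ssh2",
]
OWNER_WALLET = "0x" + "0" * 36 + "dEaD"          # placeholder owner address
SWAPPED_CONF = "proxywallet 0x" + "1" * 40 + "\n"  # payout redirected elsewhere
GOOD_CONF = "proxywallet " + OWNER_WALLET.lower() + "\n"

if __name__ == "__main__":
    logins, failed = audit_ssh_log(SAMPLE_LOG)
    for user, ip in logins:
        print(f"ALERT: password login to default account {user!r} from {ip}")
    for ip, n in failed.most_common():
        print(f"{n} failed password attempt(s) from {ip}")
    print("payout wallet intact:", wallet_matches(SWAPPED_CONF, OWNER_WALLET))
```

Run on a real rig, the log lines would come from the sshd journal and the config text from the miner's own configuration file; an accepted password login for a default account, or a wallet mismatch, is the signal that the credentials were never changed and the rig needs to be re-keyed and re-pointed.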

Similar attacks on cryptocurrency lovers

Bitdefender's discovery is not the only one of its kind. In September, ESET discovered that a threat actor was constantly scanning the Internet for unpatched IIS 6.0 servers to install a Monero miner. The attacker made over $63,000 worth of Monero. Today, Kaspersky revealed details about a group who used the CryptoShuffler trojan to watch PC clipboards and replace cryptocurrency wallet IDs with their own. The group made over $150,000 worth of Bitcoin and tens of thousands in various altcoins.

In late August, security expert Victor Gevers found over 3,000 Bitcoin mining rigs with Telnet ports exposed on the Internet and no passwords. Most were located in China. In April, security researchers discovered a hidden backdoor in the firmware of Bitmain's Antminer cryptocurrency mining rigs. The vulnerability was named Antbleed and Bitmain issued a firmware update to fix the problem.

According to Rapid7's National Exposure Index, a yearly report on devices with ports left exposed online, there are over 20 million devices with SSH ports exposed to the Internet. Wordfence recently found a threat group scanning WordPress sites for folders that could have contained SSH private keys. The scans started after the publication of a report that found "a widespread lack of SSH security controls."


Tags:
information leaks fraud hackers
Source:
BleepingComputer