With increasing crypto prices comes a rising tide of cybercrime and pernicious elements looking to exploit the gains of others. Even though markets are currently still falling from their peak in January, Ethereum is still a hot commodity trading at around $675, up over 600% from this time last year.
Unsecured mining rigs have become the latest targets for a botnet that is sweeping the internet. According to security researchers at SANS ISC, Qihoo 360 Netlab, and GreyNoise Intelligence, operators of the Satori botnet are mass-scanning the web for exposed mining rigs. The hackers are specifically looking for open port 3333 which is often used for remote management features by cryptocurrency-mining hardware.
Reports indicate that the activity started on May 11, as alerted by China-based 360 Netlab;
Do you see port 3333 scan traffic going up? Satori botnet is scanning it now, see our Scanmon trend https://t.co/TyrL4ryt6J, and try a dns lookup for one of the control domain it is using now, dig any https://t.co/DM4JTtXFo3, I personally like yesterday's TXT result more pic.twitter.com/xXUjwjZNdD
— 360 Netlab (@360Netlab) May 11, 2018
GreyNoise researchers delved deeper into the spurious activity and managed to connect the digital dots to the Claymore mining software;
“GreyNoise observed a large spike of TCP port 3333 scan traffic today. This is the default port for the “Claymore” dual Ethereum/Decred cryptocurrency miner. Once the attacker identifies a server running the Claymore software they push instructions to reconfigure the device to join the ‘dwarfpool’ mining pool and use the attacker’s ETH wallet,”
The scans were linked to a group of Mexican IP addresses that had thousands of GPON routers compromised a few days ago. Satori is one of five botnets that were using the exploited routers to scan for Claymore miners, deploy an exploit, and hijack the devices to mine Ethereum and Decred cryptocurrencies for the botnet operators.
According to Zdnet the bugs allowed anyone to bypass the router’s login page and access pages within, simply by adding “?images/” to the end of the web address on any of the router’s configuration pages. Once in control of the routers the hackers can inject their own scripts or bots to do their dirty deeds, which in this case was seeking out vulnerable Ethereum miners.
Back in January the same Satori botnet under the designation Satori.Coin.Robber issued three payloads when a vulnerable miner was located. The first was a package which gathered the mining state of the rig, another replaced the mining pool’s wallet address by updating the reboot.bat file, and the third which rebooted the host with the new address, leading to the theft of any ETH the victim had mined.
Intense scans of this nature will continue to increase along with the number of vulnerable internet routers and mining rigs, the days of the crypto botnets are only just beginning.
