A threat actor is mass-scanning the Internet for Ethereum mining equipment running ethOS that is still using the operating system’s default SSH credentials.
The attacker is using these creds to gain access to the mining rig and replace the owner’s Ethereum wallet address with his own. Replacing this wallet ID sends all subsequent mining revenue to the attacker instead of the equipment’s real owner.
Scans started on Monday
The attacks started on Monday and were first detected by a honeypot set up by Romanian cyber-security firm Bitdefender.
Honeypot logs showed attackers trying two peculiar SSH username and password combos — ethos:live and root:live.
Searching the Internet, Bitdefender tracked down these two combinations to ethOS, a 64-bit stripped-down Linux distro specialized in GPU-based mining of cryptocurrencies such as Ethereum, Zcash, Monero, and other altcoins.
Bitdefender experts discovered that attackers were trying to replace the default mining wallet ID with their own. A full list of commands the attackers’ bot was trying to execute on hijacked systems is available here.
Attackers made only $611
While the ethOS team claims that over 38,000 mining rigs are running their operating system, not all equipment is vulnerable. If owners changed the OS’ default credentials and placed the rig behind a firewall, they are safe from further attacks.
Bogdan Botezatu, a senior e-threat analyst at Bitdefender, says the hackers’ Ethereum wallet (0xb4ada014279d9049707e9A51F022313290Ca1276) they identified in the recent scanning operation holds only 10 Ethereum transactions for a total of $601 worth of Ether.
“If you are running an Ether miner based on [ethOS], make sure you have changed the default login credentials,” Botezatu warned Ethereum aficionados. “If you haven’t done so, now would be a good time to check whether the miner is sending money to you, not hackers.”
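The two checks Botezatu recommends (have the default credentials been used against the rig, and is the payout address still the owner's?) can be automated from the rig's own data. The script below is an added example written for this page, not code from Bitdefender or the ethOS project. It parses standard OpenSSH auth-log lines for password logins against the two default accounts named above, and compares the wallet in a config fragment with the owner's expected address. The log lines are constructed; the `proxywallet <address>` line is an assumption about the ethOS config format; the owner address is a placeholder; the address flagged as a mismatch is the attacker wallet quoted in the article.

```python
import re
from collections import defaultdict

# Constructed sample of sshd auth-log lines (standard OpenSSH format).
# sshd records the username, never the password, so the "live" half of
# the ethos:live / root:live pairs is not visible in logs.
SAMPLE_AUTH_LOG = """\
Nov  2 10:15:01 rig1 sshd[2031]: Failed password for invalid user admin from 198.51.100.7 port 41022 ssh2
Nov  2 10:15:04 rig1 sshd[2033]: Failed password for ethos from 203.0.113.9 port 51812 ssh2
Nov  2 10:15:05 rig1 sshd[2035]: Failed password for root from 203.0.113.9 port 51814 ssh2
Nov  2 10:15:06 rig1 sshd[2037]: Accepted password for ethos from 203.0.113.9 port 51816 ssh2
Nov  2 10:16:40 rig1 sshd[2051]: Accepted publickey for ethos from 192.0.2.20 port 40110 ssh2: ED25519 SHA256:abc
"""

# The two default accounts the honeypot saw being tried.
ETHOS_DEFAULT_USERS = {"ethos", "root"}

LOG_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def scan_auth_log(text):
    """Return {ip: {"failed": n, "accepted_password": n}} for every source
    that attempted *password* authentication against a default account.
    Key-based logins are ignored; an accepted password login is the signal
    that the default credential was still in place when the scanner arrived."""
    hits = defaultdict(lambda: {"failed": 0, "accepted_password": 0})
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["user"] not in ETHOS_DEFAULT_USERS or m["method"] != "password":
            continue
        key = "accepted_password" if m["result"] == "Accepted" else "failed"
        hits[m["ip"]][key] += 1
    return dict(hits)


# Assumed config fragment: the "proxywallet <address>" line is an assumption
# about ethOS's local.conf format, not something the article states. The
# address is the attacker wallet quoted in the article.
SAMPLE_CONFIG = """\
globalminer ethminer
proxywallet 0xb4ada014279d9049707e9A51F022313290Ca1276
maxgputemp 85
"""

# Placeholder for the rig owner's real payout address (constructed).
OWNER_WALLET = "0x0000000000000000000000000000000000000001"

WALLET_RE = re.compile(r"^\s*proxywallet\s+(0x[0-9a-fA-F]{40})", re.MULTILINE)


def wallet_mismatches(config_text, expected_wallet):
    """Return every configured payout address that differs from the owner's.
    Comparison is case-insensitive because Ethereum addresses are hex and
    may carry mixed-case checksum capitalisation."""
    expected = expected_wallet.lower()
    return [w for w in WALLET_RE.findall(config_text) if w.lower() != expected]


if __name__ == "__main__":
    for ip, counts in scan_auth_log(SAMPLE_AUTH_LOG).items():
        flag = "COMPROMISE?" if counts["accepted_password"] else "scanning"
        print(f"{ip}: {counts} -> {flag}")
    for bad in wallet_mismatches(SAMPLE_CONFIG, OWNER_WALLET):
        print(f"payout address changed: {bad}")
```

On a real rig, feed `scan_auth_log` the contents of the sshd log and `wallet_mismatches` the miner config; any source with an accepted password login for `ethos` or `root`, or any payout address that is not yours, means the credential change and the wallet check both need doing immediately.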
Similar attacks on cryptocurrency lovers
Bitdefender’s discovery is not the only one of its kind. In September, ESET discovered that a threat actor was constantly scanning the Internet for unpatched IIS 6.0 servers to install a Monero miner. The attacker made over $63,000 worth of Monero.
Today, Kaspersky revealed details about a group who used the CryptoShuffler trojan to watch PC clipboards and replace cryptocurrency wallet IDs with their own. The group made over $150,000 worth of Bitcoin and tens of thousands in various altcoins.
In late August, security expert Victor Gevers found over 3,000 Bitcoin mining rigs with Telnet ports exposed on the Internet and no passwords. Most were located in China.
In April, security researchers discovered a hidden backdoor in the firmware of Bitmain’s Antminer cryptocurrency mining rigs. The vulnerability was named Antbleed and Bitmain issued a firmware update to fix the problem.
According to Rapid7’s National Exposure Index, a yearly report on devices with ports left exposed online, there are over 20 million devices with SSH ports exposed to the Internet.
Wordfence recently found a threat group scanning WordPress sites for folders that could have contained SSH private keys. The scans started after the publication of a report that found “a widespread lack of SSH security controls.”