With the rise of Bitcoin's value, the interest of cybercrime has increased: we have already read of botnets able to mine virtual currency with victims' resources and of malicious code able to steal Bitcoin wallets from infected machines, but now hackers seem to have changed tactics. Researchers at Dell SecureWorks Counter Threat Unit (CTU) have discovered that bad actors stole Bitcoin directly from mining, an operation that allowed them to generate nearly $83,000 in digital cash in more than four months by gaining access to a Canadian Internet provider.
Bitcoins are created through 'mining', which consists of complex calculations to create a 'block' whose hash value satisfies certain properties. In a mining pool, clients connect to the pool to receive work instructions and share the results of the calculations they execute.
"In total, CTU researchers documented 51 compromised networks from 19 different Internet service providers (ISPs). The hijacker redirected cryptocurrency miners' connections to a hijacker-controlled mining pool and collected the miners' profit, earning an estimated $83,000 in slightly more than four months," reports the official post from Dell.
"The threat actor hijacked the mining pool, so many cryptocurrencies were impacted," the blog post explains. "The protocols make it impossible to identify exactly which ones, but CTU researchers have mapped activity to certain addresses."
The researchers provided the BGP evidence to the upstream ISP closest to the origin of the malicious activity.
“The malicious BGP announcements stopped three days later and have not resumed as of this publication. However, the ISP did not disclose details about the source of the malicious changes to the router’s configuration.”
"Unlike network routing protocols that can automatically initiate a connection from one network, both ends of BGP-connected networks (also known as 'peers') must be manually configured to communicate," the researchers write. "This requirement ensures malicious networks cannot hijack traffic without human intervention from a legitimate network."
At the time of writing, it is not clear how the attacker obtained access to the ISP's infrastructure to introduce the malicious routes that hijacked victims' mining power to their own mining pool.
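A pool operator can catch the kind of BGP hijack described above by watching route-collector feeds for announcements of its own prefixes. The following is an added example, not code from the Dell report or this article: it flags the exact prefix announced from an origin AS that is not allowed to originate it, and a more-specific prefix inside the pool's prefix from a foreign AS (which wins by longest-prefix match even if the legitimate route is still visible); the prefixes and ASNs are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample of BGP UPDATEs as a route collector might export them:
# (prefix, AS_PATH). The origin AS is the last ASN in the path. Prefixes are
# TEST-NET ranges and ASNs are from the RFC 5398 documentation range, not real.
SAMPLE_UPDATES = [
    ("192.0.2.0/24", [64500, 64496]),      # legitimate: pool prefix, expected origin
    ("198.51.100.0/24", [64500, 64497]),   # unrelated prefix, not monitored
    ("192.0.2.0/24", [64500, 64511]),      # exact-prefix hijack: wrong origin AS
    ("192.0.2.128/25", [64500, 64511]),    # sub-prefix hijack from a foreign AS
    ("203.0.113.0/25", [64499, 64498]),    # more-specific from the allowed AS: benign
]

# Prefixes the pool operator originates, and the ASNs allowed to originate them
# (constructed; in practice this comes from the operator's own route registry).
EXPECTED_ORIGINS = {
    "192.0.2.0/24": {64496},
    "203.0.113.0/24": {64498},
}


@dataclass(frozen=True)
class Alert:
    prefix: str      # the announced prefix
    origin_as: int   # who originated it
    kind: str        # "wrong-origin" or "more-specific"
    covers: str      # the monitored prefix whose traffic could be diverted


def classify_update(prefix, as_path, expected=EXPECTED_ORIGINS):
    """Return an Alert if this announcement could divert a monitored prefix's traffic."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    for monitored, allowed in expected.items():
        mon = ipaddress.ip_network(monitored)
        if net.version != mon.version:
            continue
        if net == mon and origin not in allowed:
            return Alert(prefix, origin, "wrong-origin", monitored)
        # A more-specific inside our prefix beats our route; only a foreign origin is suspicious.
        if net != mon and net.subnet_of(mon) and origin not in allowed:
            return Alert(prefix, origin, "more-specific", monitored)
    return None


def detect_hijacks(updates, expected=EXPECTED_ORIGINS):
    """Run classify_update over a feed and return the alerts in feed order."""
    return [a for p, path in updates if (a := classify_update(p, path, expected)) is not None]


if __name__ == "__main__":
    for a in detect_hijacks(SAMPLE_UPDATES):
        print(f"{a.kind}: {a.prefix} originated by AS{a.origin_as} affects {a.covers}")
```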
The researchers suggest: