The rise in Bitcoin's value has increased cybercrime's interest in the currency: we have already read about botnets that mine virtual currency with victims' resources and malicious code that steals Bitcoin wallets from infected machines, and now attackers appear to have changed tactics. Researchers at Dell SecureWorks Counter Threat Unit (CTU) have discovered that bad actors stole Bitcoin directly from mining activity, an operation that allowed them to generate nearly $83,000 in digital cash in a little more than four months by gaining access to a Canadian Internet provider.
Bitcoins are created through 'mining', which consists of complex calculations that produce a 'block' whose hash value satisfies certain properties. In a mining pool, clients connect to the pool to receive work instructions and share the results of the calculations they execute.
“In total, CTU researchers documented 51 compromised networks from 19 different Internet service providers (ISPs). The hijacker redirected cryptocurrency miners’ connections to a hijacker-controlled mining pool and collected the miners’ profit, earning an estimated $83,000 in slightly more than four months,” reports the official post from Dell.
“The threat actor hijacked the mining pool, so many cryptocurrencies were impacted. The protocols make it impossible to identify exactly which ones, but CTU researchers have mapped activity to certain addresses,” the blog post explains.
The researchers provided the BGP evidence to the upstream ISP closest to the origin of the malicious activity.
“The malicious BGP announcements stopped three days later and have not resumed as of this publication. However, the ISP did not disclose details about the source of the malicious changes to the router’s configuration.”
“Unlike network routing protocols that can automatically initiate a connection from one network, both ends of BGP-connected networks (also known as ‘peers’) must be manually configured to communicate,” the researchers write. “This requirement ensures malicious networks cannot hijack traffic without human intervention from a legitimate network.”
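From the defender's side, the hijack described here is visible in BGP data: a prefix hosting the pool suddenly appears with a different origin AS, as a more-specific prefix, or behind an upstream the legitimate origin never uses. The following check is an added example, not code from Dell SecureWorks or the Security Affairs post; the prefixes, AS numbers, expected upstreams and the route feed are all constructed for illustration.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Set, Tuple

class Announcement(NamedTuple):
    prefix: str         # announced prefix as seen by a route collector
    as_path: List[int]  # AS path; the last element is the origin AS

# Constructed ground truth: prefix hosting the legitimate pool -> its origin AS,
# and each origin's legitimate direct upstream ASes (all values are made up).
EXPECTED_ORIGIN: Dict[str, int] = {"203.0.113.0/24": 64500}
EXPECTED_UPSTREAMS: Dict[int, Set[int]] = {64500: {64510, 64511}}

def check_announcement(ann: Announcement,
                       expected_origin: Dict[str, int] = EXPECTED_ORIGIN,
                       expected_upstreams: Dict[int, Set[int]] = EXPECTED_UPSTREAMS
                       ) -> List[Tuple[str, str]]:
    """Return (prefix, reason) alerts for one announcement; empty if it looks legitimate."""
    alerts: List[Tuple[str, str]] = []
    net = ipaddress.ip_network(ann.prefix)
    origin = ann.as_path[-1]
    for legit_prefix, legit_as in expected_origin.items():
        legit = ipaddress.ip_network(legit_prefix)
        if not net.subnet_of(legit):  # only the same prefix or a more-specific one matters
            continue
        if origin != legit_as:
            kind = "more-specific" if net.prefixlen > legit.prefixlen else "same-prefix"
            alerts.append((ann.prefix, f"{kind} announcement with origin AS{origin}, expected AS{legit_as}"))
        elif len(ann.as_path) > 1 and ann.as_path[-2] not in expected_upstreams.get(legit_as, set()):
            # Origin looks right, but the neighbour in front of it is not a known upstream:
            # a forged path can keep the real origin AS and still divert the traffic.
            alerts.append((ann.prefix, f"origin AS{origin} reached via unexpected upstream AS{ann.as_path[-2]}"))
    return alerts

def find_hijacks(announcements: List[Announcement]) -> List[Tuple[str, str]]:
    alerts: List[Tuple[str, str]] = []
    for ann in announcements:
        alerts.extend(check_announcement(ann))
    return alerts

# Constructed feed: one legitimate route, one hijacked /25 from a rogue origin,
# one forged path that keeps the real origin behind a bogus upstream, one unrelated prefix.
SAMPLE_FEED = [
    Announcement("203.0.113.0/24", [64600, 64510, 64500]),
    Announcement("203.0.113.0/25", [64600, 64666]),
    Announcement("203.0.113.0/24", [64600, 64666, 64500]),
    Announcement("198.51.100.0/24", [64600, 64777]),
]

if __name__ == "__main__":
    for prefix, reason in find_hijacks(SAMPLE_FEED):
        print(f"ALERT {prefix}: {reason}")
```

In practice the feed would come from a route collector (RIPE RIS, RouteViews) or the ISP's own BGP monitoring, and the expected origins and upstreams from the pool operator's published routing data.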
At the time of writing, it is not clear how the attacker obtained access to the ISP’s infrastructure to introduce the malicious routes that hijacked victims’ mining power to their own mining pool.
The researchers suggest: