Attackers scanned for the entire IPv4 range and look for Ethereum miners with open SSH connections.
Hackers target Ethereum-mining farms in the attempt to hijack the funds by replacing the user’s wallet with their one.
The attacks were first spotted on Monday, threat actors attempted to change the default configuration of Ethereum miners.
“Illicit digital currency mining, either directly in the browser or via maliciously-delivered miners, is nothing new, but our honeypot systems have started flagging a different type of attack against Ethereum-mining farms.” wrote Bitdefender threat analyst Bogdan Botezatu.
“We detected the first attacks on Monday, when our SSH honeypots prompted us about a bot attempting to change the system configuration to hijack funds from Ethereum-mining operations.”
The attackers are specifically targeting EthOS, the operating system optimized for mining cryptocurrencies, including Ethereum, Zcash, and Monero. The operating system currently runs on more than 38,000 mining rigs across the world. It comes pre-loaded with the necessary tools, and a default username and password, the only effort requested to the user during the installation is the set up of a wallet address used as a recipient for mining fees and the change of default credentials.
The attacks were detected by a honeypot set up by Bitdefender, attackers scanned for the entire IPv4 range and look for Ethereum miners with open SSH connections.
“The bot scans for the entire IPv4 range and looks for open SSH connections. If found, it attempts to log in using the default username and password to the EthOS operating system: ethos:live and root:live,” explained Botezatu.
If the login succeeds, the attackers try to change the Ethereum wallet to hijack the mining process to the attacker’s Ethereum address. In the attacks observed by the researchers, threat actors used the wallet “0xb4ada014279d9049707e9A51F022313290Ca1276” that received 10 transactions over the past days worth a total of $611 in Ether.
“So, if you are running an Ether Miner based on Ethereum OS, make sure you have changed the default login credentials. If you haven’t done so, now would be a good time to check whether the miner is sending money to you, not hackers,” concluded Botezatu.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.