Chinese cybersecurity firm Qihoo 360 Netlab discovered that hackers have been targeting Ethereum wallets configured with open port 8545, with one attacker pillaging over US$20 million from various victims.
The attack vector used by the perpetrators exists as a feature of most Ethereum wallets in which the software has been configured to expose the RPC (Remote Procedure Call) interface on port 8548. This feature is incredibly useful for network administrators, allowing them to request services from clusters of machines without having to understand the details of the network.
Enabling RPC on wallets within a secure network, one that is protected behind a firewall, insulated from the public internet, or otherwise managed, can be a powerful tool for business or enterprise networks that utilize software to query or interact with their wallets to manage funds. For example, mining operations that operate a group of machines could use RPC over a local network to move their mined coins onto a centralized, secure system to mitigate attack surface area and offload them onto a cold wallet.
PEBCAK: Problem Exists Between Chair and Keyboard
The interface usually comes disabled by default on the majority of Ethereum-based applications, requiring a reasonably knowledgeable user to dive into the application settings to change the RPC parameters, which in the most recent version of the Geth client causes a pop-up warning about possible security issues.
Developers, being the curious creatures they are, have a tendency to fiddle with application settings as a means to understand the full capabilities of software. Unfortunately, this can lead to instances in which developers have forgotten to ‘unflip’ certain switches or overlook the importance of particular functionalities.
An Ongoing Problem for Ethereum Developers
Researchers from 360 NetLab initially uncovered the vulnerability in early March, announcing on Twitter that malicious actors had only stolen roughly 4 Ether from exposed clients.
Someone tries to make quick money by scanning port 8545, looking for geth clients and stealing their cryptocurrency, good thing geth by default only listens on local 8545 port. So far it has only got 3.96234 Ether on its account, but hey it is free money! pic.twitter.com/YVSWlMtYGa
— 360 Netlab (@360Netlab) March 15, 2018
Upon revisiting the issue on June 10, 360 Netlab found that attacks on open ports have become an incredibly popular exploit within the crypto-crime sphere, with one group linked to a wallet totaling 38,642 Ether, worth approximately US$20 million.
Remember this old twitter we posted? Guess how much these guys have in their wallets? Check out this wallet address https://t.co/t4qB17r97J $20,526,348.76, yes, you read it right, more then 20 Million US dollars https://t.co/SXHrdTcb6e
— 360 Netlab (@360Netlab) June 11, 2018
The following day, 360 NetLab posted a list of 21 wallet addresses captured by the team’s digital honey pot, which a Twitter user was kind enough to publish to a Pastebin file for easy data manipulation.
Hackers have been using the following wallet addresses (among others) to steal Ethereum from misconfigured ethereum clients. (sorry have to use screenshot due to twitter's character limit) pic.twitter.com/YDxvrD801L
— 360 Netlab (@360Netlab) June 12, 2018
A brief scan of these addresses shows that attackers have managed to acquire tokens from wallets containing a range of ERC-20 compatible blockchains including Worldcore, ATMChain, and Viuly. While the dollar values of most of these wallets pale in comparison to the largest associated address, there is the potential for the value of these stolen funds to drastically increase as the projects develop.
With cryptocurrency continuing to show signs of mainstream adoption as a valuable asset class, groups affiliated with cybercrime have expanded their operations, luring malicious parties with conventional hacking backgrounds with the promise of instant pay-offs. Any investors operating wallets with moderate to large portfolios should exercise extreme caution when exposing their funds to the public internet, ensuring that cybersecurity best practices are followed to keep their funds secure.