A group of hackers has stolen over $20 million worth of Ethereum from Ethereum-based apps and mining rigs, Chinese cyber-security firm Qihoo 360 Netlab reported today.
The cause of these thefts is Ethereum software applications that have been configured to expose an RPC [Remote Procedure Call] interface on port 8545.
The purpose of this interface is to provide access to a programmatic API that an approved third-party service or app can query and interact or retrieve data from the original Ethereum-based service —such as a mineror wallet application that users or companies have set up for mining or managing funds.
Because of its role, this RPC interface grants access to some pretty sensitive functions, allowing a third-party app the ability to retrieve private keys, move funds, or retrieve the owner’s personal details.
As such, this interface comes disabled by default in most apps, and is usually accompanied by a warning from the original app’s developers not to turn it on unless properly secured by an access control list (ACL), a firewall, or other authentication systems.
Almost all Ethereum-based software comes with an RPC interface nowadays, and in most cases, even when turned on, they are appropriately configured to listen to requests only via the local interface (127.0.0.1), meaning from apps running on the same machine as the original mining/wallet app that exposes the RPC interface.
Some users don’t like to read the documentation
But across the years, developers have been known to tinker with their Ethereum apps, sometimes without knowing what they are doing.
This isn’t a new issue. Months after its launch, the Ethereum Project sent out an official security advisory to warn that some of the users of the geth Ethereum mining software were running mining rigs with this interface open to remote connections, allowing attackers to steal their funds.
But despite the warning from the official Ethereum devs, users have continued to misconfigure their Ethereum clients across the years, and many have reported losing funds out of the blue, but which were later traced back to exposed RPC interfaces.
Scans for exposed interfaces intensified last year
Scans for these ports have been silently going on for years but with cryptocurrency prices growing to record heights in 2017, multiple threat groups have joined the fold in search for easy money left exposed online.
One of the hugest spikes in scan activity was recorded last year, in November, when a threat actor started a massive scan of the entire Internet looking for Ethereum JSON RPC endpoints.
Those scans were successful, as that threat actor soon identified that a version of the Electrum wallet app was shipping with its JSON RPC enabled by default, allowing anyone access to users’ funds if somebody knew where to look.
In May 2018, Satori —one of today’s biggest IoT botnets— also started scanning for Ethereum minersthat were left accidentally left exposed online.
New scans targeting port 8545
Those attacks targeted devices running on port 3333, but for most of these applications, their default RPC interface resides on port 8545.
According to security experts from Qihoo 360 Netlab, at least one threat actor started mass-scans for port 8545, looking for Ethereum software left exposed online.
Those scans started in March, this year, and at that time, the attacker had made only around 3.96234 Ether (~$2,000-$3,000).
Someone tries to make quick money by scanning port 8545, looking for geth clients and stealing their cryptocurrency, good thing geth by default only listens on local 8545 port. So far it has only got 3.96234 Ether on its account, but hey it is free money! pic.twitter.com/YVSWlMtYGa— 360 Netlab (@360Netlab) March 15, 2018
Revisiting that research today, the Netlab team says scans for port 8545 never stopped, but intensified as multiple groups joined the scanning activity, with one group alone being more successful than most, after managing to siphon over $20 million worth of Ether funds from exposed applications.
Remember this old twitter we posted? Guess how much these guys have in their wallets? Check out this wallet address https://t.co/t4qB17r97J $20,526,348.76, yes, you read it right, more then 20 Million US dollars https://t.co/SXHrdTcb6e— 360 Netlab (@360Netlab) June 11, 2018
“If you have honeypot running on port 8545, you should be able to see the requests in the payload, which has the wallet addresses,” the Netlab team says. “And there are quite a few IPs scanning heavily on this port now.”
With a slew of tools to automate port 8545 scanning and hacking available on GitHub, intentionally opening your miner or wallet app service on port 8545 is financial suicide.
Nonetheless, with over $20 million stolen in the last few months just by one group, there are apparently lots of users who can’t be bothered with reading their app’s documentation before setting up an Ethereum wallet or mining rig.
Scans for port 8545 are only expected to go up, as this group’s success will surely attract more threat actors looking for a quick buck.
Owners of Ethereum wallets and mining rigs are advised to review their Ethereum node’s settings and make sure they’re not exposing the RPC interface to external connections.