Satori Botnet Scouring the Web for Open Ethereum Mining Rigs

With increasing crypto prices comes a rising tide of cybercrime and pernicious elements looking to exploit the gains of others. Even though markets are currently still falling from their peak in January, Ethereum is still a hot commodity trading at around $675, up over 600% from this time last year.

Unsecured mining rigs have become the latest targets of a botnet sweeping the internet. According to security researchers at SANS ISC, Qihoo 360 Netlab and GreyNoise Intelligence, the operators of the Satori botnet are mass-scanning the web for exposed mining rigs. Specifically, they are looking for an open TCP port 3333, the port the Claymore mining software uses by default for its remote management interface.

Reports indicate that the activity started on May 11, when China-based 360 Netlab first raised the alarm.

GreyNoise researchers dug deeper into the suspicious activity and tied it to the Claymore mining software:

“GreyNoise observed a large spike of TCP port 3333 scan traffic today. This is the default port for the “Claymore” dual Ethereum/Decred cryptocurrency miner. Once the attacker identifies a server running the Claymore software they push instructions to reconfigure the device to join the ‘dwarfpool’ mining pool and use the attacker’s ETH wallet.”

The scans were traced to a block of Mexican IP addresses belonging to thousands of GPON routers that had been compromised a few days earlier. Satori is one of five botnets using the compromised routers to scan for Claymore miners, deploy an exploit against them, and hijack the rigs to mine Ethereum and Decred for the botnet operators.

According to ZDNet, the router bugs let anyone bypass the login page and reach the pages behind it simply by appending “?images/” to the URL of any of the router’s configuration pages. Once in control of a router, the attackers can load their own scripts or bots onto it; in this case the routers were put to work hunting for vulnerable Ethereum miners.
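The network-side counterpart of what GreyNoise and 360 Netlab observed, as an added example in Python that is not from the article or from any of the researchers it cites: it reads netfilter-style gateway log lines (the SRC/DST/PROTO/SPT/DPT fields are the standard iptables LOG format) and reports sources that sent SYNs to TCP/3333 on many distinct hosts. That pattern separates a sweep for the miner management port from a single host connecting to its own rig. The log lines, the threshold of five targets and the source addresses are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed netfilter-style log lines (not real captures). 203.0.113.7 sweeps
# six hosts on TCP/3333, 198.51.100.4 knocks twice on one host, 198.51.100.9
# is unrelated SSH traffic.
SAMPLE_LOG = """\
May 11 03:12:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41022 DPT=3333 SYN URGP=0
May 11 03:12:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=41023 DPT=3333 SYN URGP=0
May 11 03:12:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.12 PROTO=TCP SPT=41024 DPT=3333 SYN URGP=0
May 11 03:12:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.13 PROTO=TCP SPT=41025 DPT=3333 SYN URGP=0
May 11 03:12:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.14 PROTO=TCP SPT=41026 DPT=3333 SYN URGP=0
May 11 03:12:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=50211 DPT=3333 SYN URGP=0
May 11 03:12:04 gw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=50212 DPT=3333 SYN URGP=0
May 11 03:12:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.20 PROTO=TCP SPT=33001 DPT=22 SYN URGP=0
May 11 03:12:06 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.15 PROTO=TCP SPT=41027 DPT=3333 SYN URGP=0
"""

# Fields of a netfilter LOG line that matter here; other fields are ignored.
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)")
SYN_RE = re.compile(r"\bSYN\b")


def parse_syns(lines):
    """Yield (src, dst, dport) for every TCP SYN line the regex understands."""
    for line in lines:
        m = LOG_RE.search(line)
        if m and SYN_RE.search(line):
            yield m["src"], m["dst"], int(m["dpt"])


def find_port_sweeps(lines, port=3333, min_targets=5):
    """Map each source to the number of distinct hosts it SYN'd on `port`,
    keeping only sources at or above `min_targets`: a horizontal sweep for
    the miner management port rather than a single host's repeated connects."""
    targets = defaultdict(set)
    for src, dst, dport in parse_syns(lines):
        if dport == port:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, count in find_port_sweeps(SAMPLE_LOG.splitlines()).items():
        print("sweep for TCP/%d from %s: %d hosts" % (3333, src, count))
```

On a real gateway the lines come from `iptables -A INPUT -p tcp --syn --dport 3333 -j LOG` (or an equivalent nftables rule) rather than the constructed string; the threshold should be set from what a normal day on that network looks like.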

Back in January, the same botnet, then tracked as Satori.Coin.Robber, sent three payloads to each vulnerable miner it located: the first queried the rig’s mining state, the second rewrote the miner’s reboot.bat so that it started with the attacker’s pool and wallet address, and the third rebooted the miner so the new configuration took effect. From that point on, everything the rig mined was credited to the attacker.
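The first payload (querying the rig’s state) and the result of the other two (a rig that is suddenly mining to someone else’s pool) can both be seen from the miner’s own management port. The following is an added example in Python, not code from the article, from GreyNoise, from 360 Netlab or from the Claymore project. It speaks the miner’s JSON-over-TCP management protocol from the client side, exactly what the scanners do once they find port 3333 open, and checks whether the rig still reports the pool its owner configured. The `miner_getstat1` method and the layout of its result array are Claymore’s; the stand-in server, the sample numbers, the pool allow-list and the way the stand-in refuses write methods in read-only mode are assumptions made for this example, not the real miner’s behaviour.

```python
import json
import socket
import socketserver
import threading

# Constructed "miner_getstat1" result. The field layout is the one Claymore's
# remote API returns (version, uptime, "kH/s;accepted;rejected", per-GPU rates,
# DCR stats, "temp;fan" pairs, current pool, counters); the values are made up.
SAMPLE_GETSTAT1 = [
    "11.7 - ETH",                              # miner version and mode
    "21",                                      # uptime, minutes
    "182724;51;0",                             # ETH kH/s; accepted; rejected
    "30520;30430;30380;30410;30410;30574",     # per-GPU ETH kH/s
    "0;0;0",                                   # DCR kH/s; accepted; rejected
    "off;off;off;off;off;off",                 # per-GPU DCR kH/s
    "53;71;57;67;61;72;55;70;59;71;61;70",     # temp;fan per GPU
    "eth-eu1.nanopool.org:9999",               # pool the rig is mining to
    "0;1;0;1",                                 # invalid ETH; pool switches; invalid DCR; DCR switches
]


class FakeClaymoreHandler(socketserver.StreamRequestHandler):
    """Stand-in for a miner started with a negative -mport value (monitoring
    allowed, management refused). The refusal message is an assumption for
    this example, not Claymore's actual reply."""

    def handle(self):
        try:
            request = json.loads(self.rfile.readline().decode())
        except ValueError:
            return
        reply = {"id": request.get("id", 0), "jsonrpc": "2.0"}
        if request.get("method") == "miner_getstat1":
            reply["result"] = SAMPLE_GETSTAT1
        else:
            reply["error"] = "read-only mode: %s refused" % request.get("method")
        self.wfile.write((json.dumps(reply) + "\n").encode())


def start_fake_miner():
    """Serve the stand-in on an ephemeral localhost port; returns (host, port)."""
    server = socketserver.TCPServer(("127.0.0.1", 0), FakeClaymoreHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address


def claymore_rpc(host, port, method, params=None, timeout=5.0):
    """One exchange on the management protocol: a JSON object on one line,
    the reply as a JSON object on the same connection."""
    request = {"id": 0, "jsonrpc": "2.0", "method": method}
    if params is not None:
        request["params"] = params
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall((json.dumps(request) + "\n").encode())
        data = b""
        while b"\n" not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return json.loads(data.decode())


def parse_getstat1(result):
    """Pull the fields a hijack check needs out of the result array."""
    khs, accepted, rejected = result[2].split(";")
    return {"version": result[0], "uptime_min": int(result[1]),
            "hashrate_khs": int(khs), "accepted": int(accepted),
            "rejected": int(rejected), "pool": result[7]}


def pool_is_expected(pool, allowed_pool_hosts):
    """True when the pool host the rig reports is one the owner configured."""
    return pool.rsplit(":", 1)[0].lower() in {h.lower() for h in allowed_pool_hosts}


def audit_miner(host, port, allowed_pool_hosts, timeout=5.0):
    """Report whether the management port answers at all (from the internet it
    should not) and whether the rig has switched to an unexpected pool."""
    report = {"reachable": False, "pool": None, "hijacked": None}
    try:
        reply = claymore_rpc(host, port, "miner_getstat1", timeout=timeout)
        stat = parse_getstat1(reply["result"])
    except (OSError, KeyError, ValueError, IndexError):
        return report
    report.update(reachable=True, pool=stat["pool"],
                  hijacked=not pool_is_expected(stat["pool"], allowed_pool_hosts))
    return report


if __name__ == "__main__":
    h, p = start_fake_miner()
    print(audit_miner(h, p, {"eth-eu1.nanopool.org"}))   # owner's pool: not hijacked
    print(audit_miner(h, p, {"eth-us1.nanopool.org"}))   # unexpected pool: hijacked
    print(claymore_rpc(h, p, "miner_reboot"))            # refused by the read-only stand-in
```

The mitigation the example hints at is in Claymore’s own options: a negative `-mport` value (for instance `-mport -3333`) keeps statistics readable but blocks management commands such as restart and reboot, `-mport 0` disables the port entirely, and `-mpsw` sets a password; none of that replaces a firewall rule that keeps port 3333 off the internet, which is what the sweep above is looking for.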

Scans of this intensity will keep increasing along with the number of vulnerable internet routers and mining rigs; the days of the crypto botnets are only just beginning.

1.65 Million Attacks: Kaspersky Reveals New Data on Crypto Mining Malware

More than 1.65 million computers were targeted by cryptocurrency mining malware attacks in the first eight months of 2017, according to a new report from Kaspersky Lab.

The Russia-based cybersecurity outfit said on Tuesday that the figure represents the number of computers running Kaspersky software that were protected from the malicious software, which can turn a machine into a remotely controlled mining device without the owner knowing.

The total for 2017 thus far seems on pace to exceed the number of attacks detected in 2016, which exceeded 1.8 million. By comparison, Kaspersky detected just over 700,000 in 2014.

Partially underpinning the attacks, the company said, appears to be several large-scale botnets dedicated to malicious mining activities.

The report said:

“This results in threat actors receiving cryptocurrency, while their victims’ computer systems experience a dramatic slowdown. Over the last month alone, we have detected several large botnets designed to profit from concealed crypto mining.”

The company only released the number of its own clients protected, and did not clarify how many machines they thought were infected globally, or if any of their customers were infected despite their protection.

Cryptocurrency mining botnets are nothing new. One of the newer botnets discovered in 2017 was built on a US National Security Agency exploit leaked by the hacker group known as the Shadow Brokers.

Though miners have traditionally infected Windows computers, they can also hit Linux machines. Some botnets even infect machines that lack the processing power to mine anything effectively.

The leader in blockchain news, CoinDesk is an independent media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. Have breaking news or a story tip to send to our journalists? Contact us at [email protected].