- A new attack campaign targets the exposed JSON-RPC interface of Ethereum wallets and mining devices running on port 8545.
- Port 8545 has repeatedly been a target for attackers aiming to steal money from Ethereum wallets.
Ever since the rise of cryptocurrency mining and trading, cybercriminals have targeted the cryptocurrency infrastructure in various ways to steal money or to take down the targeted networks.
Even though cryptocurrencies are considered to provide a high level of security in theory, attackers can always exploit the weakest link in the chain, which often happens to be the humans managing or using the network.
According to a report by ZDNet, hackers have begun a massive campaign that scans for exposed Ethereum wallets and mining devices. The attack is based on the JSON-RPC interface running on port 8545, which becomes a target for hackers when left exposed online.
This interface is used by local apps and services to query mining and funds-related information. It is meant to be used only by local apps but some wallets and mining equipment leave it enabled on all interfaces. Moreover, in its default configuration, this interface does not have a password, which makes it a tempting target for cybercriminals.
When left exposed, this interface can be used by attackers to send funds from the target’s Ethereum wallet to their own wallet.
However, the port 8545 attacks are not a new problem. The Ethereum team warned against this kind of vulnerability back in 2015 and recommends that all users add a password for the interface and use a firewall to filter traffic coming to port 8545. Despite the known vulnerability and repeated warnings, many wallets and mining devices still have not been protected against such attacks.
Attackers did not go after this weakness in the earlier years of the Ethereum project, when the price of Ethereum tokens was quite low. But the explosive rise in cryptocurrency prices since 2017 has made it a lucrative target for criminals.
This resulted in multiple reported campaigns targeting port 8545 in November 2017, January 2018, May 2018, and June 2018. Though the earlier attacks could have resulted in millions of dollars of profit for the attackers, the current attack campaign comes at a time when Ethereum is valued under $100, one of the lowest levels since May 2017.
“Despite the price of cryptocurrency crashing into the gutter, free money is still free, even if it's pennies a day,” Troy Mursch, from Bad Packets LLC, told ZDNet.
The majority of the exposed devices are Geth mining equipment and Parity wallets, as seen in this Shodan search. The total number of exposed devices stands at around 4,700.
The port 8545 attacks are an easy option for cybercriminals, thanks to the negligence of cryptocurrency users and miners and also due to the availability of free tools to exploit this vulnerability. This latest attack campaign serves as a warning call for the wider cryptocurrency community to improve their security measures to prevent a major loss of funds.