Large Satori botnet found scouring the internet for vulnerable Ethereum cryptocurrency mining rigs

As the value and interest in cryptocurrencies continues to soar, security researchers have discovered a large Satori botnet scanning the internet for vulnerable Ethereum mining rigs to exploit. Researchers at Qihoo 360 Netlab, GreyNoise Intelligence and SANS ISC have confirmed the botnet's malicious activities.

According to Qihoo researchers, the activity began on May 11 with hackers targeting port 333 which is used for remote management features by cryptocurrency-mining hardware and pools.

GreyNoise Intelligence researchers later tweeted they also observed a large spike of TCP port 3333 traffic noting that it is the default port for the "Claymore" dual Ethereum/Decred cryptocurrency miner software.

"Once the attacker identifies a server running the Claymore software they push instructions to reconfigure the device to join the 'dwarfpool' mining pool and use the attacker's ETH wallet," GreyNoise noted. As of 6:43PM EST on May 11, the attackers behind the botnet had mined about $200 worth of Ethereum.

"Interestingly, 95% of the devices scanning for port 3333 today are located in the same residential ISP in Mexico as the majority of the hosts affected by the GPON vulnerability disclosed earlier this week," they added. Qihoo researchers confirmed the discovery saying the source of the scan is around 17,000 independent IP addresses mainly from Uninet SA de CV, telmex.com, in Mexico.

Researchers suspect the Satori botnet was using the GPON routers to scan for Claymore miners to release an exploit and hijack the devices to mine Ethereum and Decred.

Johannes B. Ullrich, dean of research at SANS ISC, also identified the Satori botnet's activity after observing his honeypot.

"I have no idea why someone would have the unauthenticated JSON RPC of their miner exposed to the internet, but then again, these attacks are targeting people who are into cryptocoin mining, so everything is possible," Ulrich noted. He also identified the vulnerability as CVE-2018-1000049, a remote code execution flaw affecting the Nanopool Claymore Dual Miner software that was released in February.

"The JSON RPC remote management API does provide a function to upload "reboot.bat", a script that can then be executed remotely," Ulrich explained. "The attacker can upload and execute an arbitrary command using this feature. The port the API is listening on is specified when starting the miner, but it defaults to 3333. The feature allows for a 'read-only' mode by specifying a negative port, which disables the most dangerous features. There doesn't appear to be an option to require authentication."

This isn't the first wave of botnet scanning activity for vulnerable IoT devices and mining rigs in recent months.

In March, the Hajime IoT botnet was found scanning for unpatched MikroTik devices. In February, the new Monero-mining botnet ADB.miner was found scanning for port 5555 and consisted of over 7,000 Android devices. In January, Qihoo reserachers identified a Satori variant dubbed Satori.Coin.RObber that exploited a Huawei vulnerability and a bug in Realtek SDK devices and targeted vulnerable Ethereum mining rigs.