
Ethereum OS miners targeted by SSH-based hijacker

Bogdan BOTEZATU

November 01, 2017


The increased popularity of emerging crypto-currencies such as Monero and Ethereum has put miners once again in the bad guys’ crosshairs. Illicit digital currency mining, either directly in the browser or via maliciously-delivered miners, is nothing new, but our honeypot systems have started flagging a different type of attack against Ethereum-mining farms.

We detected the first attacks on Monday, when our SSH honeypots alerted us to a bot attempting to change the system configuration to hijack funds from Ethereum-mining operations.

If you are in the market, you probably know of an operating system optimized for Ethereum mining, dubbed EthOS. This commercial operating system can mine Ethereum, Zcash, Monero and other crypto-currencies that rely on GPU power. According to its creators, it currently runs on more than 38,000 mining rigs across the world. Like other specialized operating systems, it comes pre-loaded with the necessary tools, and a default username and password. After deployment, the user only needs to add a wallet for mining fees and, of course, change the default username and password.

Precisely this oversight is currently exploited in the wild. The bot scans the entire IPv4 range and looks for open SSH connections. If it finds one, it attempts to log in using the default usernames and passwords of the EthOS operating system: ethos:live and root:live.

If the login succeeds, it tries to change the existing configuration for Ethereum to hijack the mining process to the attacker’s Ethereum address. The wallet in this case (0xb4ada014279d9049707e9A51F022313290Ca1276) shows 10 transactions over the past days worth a total of $611 in Ether.

So, if you are running an Ether Miner based on Ethereum OS, make sure you have changed the default login credentials. If you haven’t done so, now would be a good time to check whether the miner is sending money to you, not hackers.
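The check recommended above can be scripted. The following is an added example, not code from Bitdefender or EthOS: it flags password logins to the default accounts in OpenSSH-style log lines and reports any Ethereum address in a miner configuration that is not the owner's. The sample log lines, the `wallet` config key and the owner address are constructed for illustration.

```python
import re

# Default EthOS account names listed in the article (ethos:live, root:live).
DEFAULT_ACCOUNTS = {"ethos", "root"}
# Hijacker wallet published in the article, lower-cased for comparison.
KNOWN_BAD = {"0xb4ada014279d9049707e9a51f022313290ca1276"}

# OpenSSH password-auth log lines: "Accepted|Failed password for <user> from <ip> port N".
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) password for (?:invalid user )?(\S+) "
    r"from (\S+) port \d+")
ADDR_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")


def default_account_logins(log_lines):
    """Return (result, user, source_ip) for password attempts on default accounts."""
    hits = []
    for line in log_lines:
        m = SSHD_RE.search(line)
        if m and m.group(2) in DEFAULT_ACCOUNTS:
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits


def unexpected_wallets(config_text, my_wallets):
    """Return (address, label) for every address in the config that is not the owner's."""
    allowed = {w.lower() for w in my_wallets}
    findings = []
    for addr in ADDR_RE.findall(config_text):
        a = addr.lower()  # address casing varies, so compare case-insensitively
        if a not in allowed:
            findings.append((addr, "known-hijacker" if a in KNOWN_BAD else "unknown"))
    return findings


# Constructed sample data (documentation IP ranges, placeholder owner wallet).
OWNER = "0x" + "11" * 20
SAMPLE_LOG = [
    "Nov  1 03:12:44 rig1 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 40112 ssh2",
    "Nov  1 03:12:51 rig1 sshd[2213]: Accepted password for ethos from 198.51.100.7 port 40120 ssh2",
    "Nov  1 08:30:02 rig1 sshd[3020]: Accepted publickey for ethos from 192.0.2.10 port 50022 ssh2",
]
SAMPLE_CONFIG = ("wallet 0xb4ada014279d9049707e9A51F022313290Ca1276\n"
                 "# previous value: " + OWNER + "\n")

if __name__ == "__main__":
    print(default_account_logins(SAMPLE_LOG))
    print(unexpected_wallets(SAMPLE_CONFIG, [OWNER]))
```

An `Accepted password` hit for `ethos` or `root` from an address you do not recognise, combined with an unexpected wallet in the configuration, matches the behaviour described above.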
