The Bitcoin Wallet – Electrum – Under Attack By A 14,000 Strong Bot-Based DoS Attack
According to research over the last year, DoS attacks are one of the few kinds of digital attack to which cryptocurrencies and blockchains remain vulnerable, and with the likes of Bitcoin Gold and Ethereum Classic as past examples, blockchains are clearly not invulnerable.
One need only look at the well-known and widely used Bitcoin wallet provider, Electrum, which reports that it has come under heavy and sustained attack this week. The team has stressed that users should be extra careful when using the platform until these attacks have been resolved.
According to observers and the Electrum team, the wallet provider was subjected to a sophisticated and co-ordinated botnet attack involving over 140,000 machines. The objective of this botnet was to launch a continuous series of wide-scale Denial of Service attacks on the servers used by Electrum.
These attacks are then used to direct unsuspecting wallet users onto compromised versions of the Electrum software in order to steal their digital assets, and they have already succeeded in this objective.
These same ‘bad actors’ have deployed their own ‘dedicated’ Electrum servers, allowing them to push ‘backdoored’ versions of the Electrum client on a wide scale. What does this mean in practice? Should a user unwittingly sync their wallet to a compromised or malicious ‘backdoor’ server (hundreds of which have since been detected), they will be advised to update their client with a compromised version.
A security researcher well versed in the issues now faced by Electrum explained that if users were to install these fake versions of Electrum, any funds held in their older wallet ‘versions’ would be immediately and irrevocably lost as a consequence.
“The total amount stolen is in the millions of dollars so far, with a single person alone losing almost $140,000, based on our analysis,” they said. “The DoS attacks are a new level, which only began about a week ago. People have seen 25 Gigabits per second worth of traffic being flooded at community run servers.”
Since these attacks began, Electrum users have been warned that they may face service interruptions while administrators work to mitigate the damage done to the platform and its traffic.
Speaking on behalf of the team, the lead developer for Electrum, Thomas Voegtlin stated that they are hoping to have this matter resolved quickly.
“We hope to resolve this in the coming hours or days.”
Denial Of Service Attack – Possible Retaliation In Wake Of New Protections For Users?
The community is no stranger to the chronic problem of phishing in the Bitcoin world; in fact, it is an issue that has blighted the Electrum team and, by extension, its community. Past attacks include ElectrumStealer, a Trojan horse that has already been responsible for stealing millions of dollars in Bitcoin from unsuspecting users.
At this moment in time, there is no tangible or explicit link connecting the phishing campaign with the ongoing Denial of Service attack. The latest attack instead appears to be focused on users who are not running an updated Electrum client.
The researcher mentioned earlier stated that developers had modified their Electrum servers to reduce the risk users faced from phishing scams. The same developers speculated that this has resulted in attackers changing tack and moving to a larger-scale attack, such as the botnet-based DoS attack against Electrum's servers.
“With the benign servers down due to the attack, there’s a strong likelihood of people connecting to the malicious ones,” they said. “Original versions of the attack used modified Electrum servers, abusing a bug in the Electrum wallet, to send messages telling users that they need to upgrade their software to a malicious version. These were originally tackled by using Google’s SafeBrowsing service to make them inaccessible to possible victims.”
At this moment in time, approximately 200 domains have been detected using or hosting the Electrum malware, including names such as ‘Electrumx.network’. While blacklisting these servers would work in the conventional way, Google has taken on the unfortunate habit of taking its time in updating the existing SafeBrowsing database, rendering this conventional strategy useless.
Voegtlin, the lead developer for Electrum, went on to explain that the earlier patch worked by forcing out-of-date (and therefore vulnerable) Electrum wallets offline as soon as they established a secure connection to one of the legitimate servers. He mentioned that Electrum requires 8-10 connections in order to operate in this way.
What remains unclear to the Electrum team is the underlying objective of these entities, as well as their motive for this attack.
“We are not sure what motivates the attacker; it might be some kind of retaliation after we took steps last month in order to prevent phishing attacks,” he commented. “This counter-attack has been effective against phishing because it does not require a lot of legit servers; if you randomly connect to 10 servers, the chance that at least one of them is performing the counter-attack is very high.”
“We have not heard of any recent success at the phishing attack since we deployed the counter-attack.”
Those Most At Risk? Electrum's ‘Forgotten’ Users
At this moment in time, Electrum has no specific system or mechanism for providing auto-updates to its users. As a result, users are able to continue operating on the system with wallets that may be two or more versions out of date.
It is with this in mind that lead developer Voegtlin explicitly states that those most at risk from these kinds of attacks are users who downloaded the client long ago and have not updated the software since.
“Indeed, updated versions are not at risk, but the service might be temporarily unavailable. If that is the case, we recommend to users that they stick to the same server (disable auto-connect) until they eventually manage to open a session,” he continued.
“Of course the attacker might be trying to take down legit servers in order to keep carrying out their phishing attack, but […] they do not simply need the user to connect to their server,” Voegtlin would go on to state. “What they need is a vulnerable client to connect exclusively to their servers, and that is a lot less likely.”
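As an added illustration of the two probability arguments above (a counter-attack server among roughly ten random connections, and the DoS pushing an outdated client onto attacker-run servers only), the following Python model is not from the article or the Electrum project; the server counts in it are constructed, and only the ten-connection figure follows the article.

```python
from fractions import Fraction
from math import comb


def p_at_least_one(total, special, picks):
    """Exact probability that at least one of `picks` servers, drawn
    uniformly without replacement from `total`, is in the `special` subset."""
    if not (0 <= special <= total and 0 <= picks <= total):
        raise ValueError("inconsistent pool sizes")
    # comb() is 0 when picks > total - special: every draw must hit a special one
    return 1 - Fraction(comb(total - special, picks), comb(total, picks))


def p_all(total, special, picks):
    """Exact probability that every one of the `picks` servers is special."""
    if not (0 <= special <= total and 0 <= picks <= total):
        raise ValueError("inconsistent pool sizes")
    return Fraction(comb(special, picks), comb(total, picks))


def exposure(benign_up, counter_up, malicious, picks=10):
    """Model an outdated client auto-connecting to `picks` random servers.

    benign_up  -- legitimate servers currently reachable
    counter_up -- those of benign_up that run the counter-attack patch
    malicious  -- attacker-run servers, assumed to stay up during the DoS
    Returns (P[forced offline by a counter-attack server],
             P[every connection lands on an attacker server]).
    """
    if counter_up > benign_up:
        raise ValueError("counter_up must be a subset of benign_up")
    total = benign_up + malicious
    picks = min(picks, total)  # a client cannot connect to more servers than exist
    protected = p_at_least_one(total, counter_up, picks)
    captured = p_all(total, malicious, picks)
    return float(protected), float(captured)


if __name__ == "__main__":
    # Constructed scenario (not figures from the article): 200 attacker servers,
    # 80 legitimate servers of which 40 run the counter-attack, 10 connections.
    before = exposure(benign_up=80, counter_up=40, malicious=200)
    # The DoS knocks most legitimate servers offline; attacker servers stay up.
    after = exposure(benign_up=5, counter_up=2, malicious=200)
    for label, (protected, captured) in (("before DoS", before), ("after DoS", after)):
        print(f"{label}: P(forced offline)={protected:.3f}  "
              f"P(attacker servers only)={captured:.3f}")
```

With the benign pool intact the counter-attack reaches most outdated clients and the chance of landing only on attacker servers is small; once the DoS removes the benign servers, both figures invert.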
To ensure their longer-term safety on the platform, the Electrum team has stressed that users should only download the Electrum software from the official Electrum dot org domain or from its official repository on GitHub.
When it comes to your individual security within the Electrum ecosystem, installing and updating your client from one of these two locations remains the best method of preventing these kinds of attacks.
The development team behind Electrum has also announced that it is currently working on a new patch for users, coming soon. The team has also urged that users should only run these on their own legitimate servers, given the risks that come with using more questionable servers; having more public Electrum servers also allows the attack to be diluted.