According to renowned information security firms, malicious individuals are currently scouring the internet in the hope of finding vulnerable Ethereum mining rigs. Recently, SANS INC, GreyNoise Intelligence and Qihoo 360 Netlab accused the developers of the Satori botnet of scanning the internet with the aim of breaching exposed mining hardware. Specifically, the cybercriminals are targeting devices whose port 3333 is unprotected. This port is used by a majority of digital currency mining computers for remote management.
As per reports from Netlab, the first scan was conducted on May 11, 2018. After an intensive survey, the Netlab experts established a connection between the scan and the Satori botnet. Consequently, through their Twitter profile, 360 Netlab announced that the upsurge in port 3333 scan traffic was a result of the activities of the Satori botnet. Moreover, they attempted a DNS lookup for one of the control domains that was controlling the scanning, and it turned out to be the botnet.
A day later, GreyNoise analysts examined the allegation further by closely evaluating the behavior displayed by an affected device. According to them, the criminals were actively targeting hardware that runs the Claymore mining software. After identifying a server that runs Claymore, the attackers alter the device’s configuration settings so that it is redirected to the ‘dwarfpool’ mining pool and deposits the resulting ETH in the criminals’ ETH wallet.
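For operators who want to check whether a rig exposes the management port described above, the following added example (not from the article or the firms it cites) parses `ss -ltn` output and reports listeners on port 3333 that are reachable beyond loopback. The sample output is constructed, and the function names are hypothetical.

```python
import ipaddress

MGMT_PORT = 3333  # remote-management port named in the article

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      127.0.0.1:3333     0.0.0.0:*
LISTEN 0      5      0.0.0.0:3333       0.0.0.0:*
LISTEN 0      5      [::]:3333          [::]:*
LISTEN 0      5      192.168.1.50:3333  0.0.0.0:*
LISTEN 0      5      [::1]:3333         [::]:*
"""

def classify_bind(addr):
    """Return 'loopback', 'all-interfaces' or 'specific-interface'."""
    addr = addr.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and %iface
    if addr == "*":
        return "all-interfaces"
    ip = ipaddress.ip_address(addr)  # raises ValueError on anything else
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "all-interfaces"
    return "specific-interface"

def exposed_listeners(ss_output, port=MGMT_PORT):
    """List (local_address, bind_class) for listeners on `port` that other
    hosts can reach, i.e. anything not bound to loopback only."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or non-listening socket
        addr, _, lport = fields[3].rpartition(":")
        if not lport.isdigit() or int(lport) != port:
            continue
        try:
            kind = classify_bind(addr)
        except ValueError:
            kind = "unparsed"  # report it rather than silently skip
        if kind != "loopback":
            findings.append((fields[3], kind))
    return findings

if __name__ == "__main__":
    for local, kind in exposed_listeners(SAMPLE_SS):
        print(f"port {MGMT_PORT} listening on {local} ({kind}): restrict or firewall it")
```

On a live host, pass the text of `ss -ltn` to `exposed_listeners`; a listener bound to a specific interface still needs a firewall rule if that interface faces the internet.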
The Origin of the Botnet
GreyNoise also linked the malicious scans to several IP addresses originating in Mexico. Furthermore, the addresses were accessing the internet through two ISPs that have had thousands of GPON routers breached and reconfigured by five different botnets. Irrefutably, Satori was among the five botnets, and it was leveraging the GPON routers to search for Claymore-based hardware, deploy an exploit, and reconfigure the devices to mine Ethereum and Decred digital currencies for its developers.
Netlab researchers have since published an article on their website backing the discoveries made by GreyNoise. The blog post explicitly states that the source of the port 3333 scan is about 17,000 IP addresses on Uninet SA de CV and telmex.com, ISPs which are based in Mexico.
Most recently, Johannes Ullrich of SANS INC further elaborated on this issue by identifying the exploit used by the attackers. He found that the criminals were exploiting the remote code execution flaw (CVE-2018-1000049) which affects the Nanopool Claymore Dual Miner software. This is perhaps due to the availability of proof-of-concept code for the flaw on online resources.
The scanning of port 3333 is not the first time Ethereum mining hardware has been scanned for on the internet. In November 2017, there was a massive wave of scans, primarily targeting Bitcoin and Ethereum digital wallets.