Chinese cyber-security firm Qihoo 360 Netlab recently reported an Ethereum hack in which tokens worth over $20 million were stolen. The attackers targeted mining rigs and Ethereum-based apps by exploiting an API option that is closed by default; users could have turned it on while tinkering with the apps without reading the documentation. The attacks reportedly began in March.
The Modus Operandi of Hackers
Most Ethereum wallets and other applications come with an RPC (Remote Procedure Call) interface on port 8545. It provides a programmatic API that lets a third-party service or app issue queries and interact with the data of a wallet or a miner. The same interface can also expose sensitive data and functions, including retrieval of private keys.
The interface is disabled by default in all apps. Software makers usually warn users never to turn this option on unless it has been secured by a firewall, access control list (ACL) or other strong authentication method. As wallets have become more secure, the RPC interface is configured to listen only on the local interface. It is highly likely that users tinkered with the apps without realizing that they were exposing themselves to a serious security threat.
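The two properties the article describes, whether the RPC server is on at all and whether it listens only on the local interface, can be checked on a fleet of nodes from each process's command line. The script below is an added example for this article, not code from Netlab or from any wallet or client. The flag names it recognises (`--rpc`, `--rpcaddr`, `--rpcapi`, and the newer `--http`, `--http.addr`, `--http.api` spellings) are geth's documented options; the node inventory, command lines and `rpc_modules` response are constructed sample data, and the risk labels are this example's own. It goes slightly beyond the article by also reporting which JSON-RPC namespaces are enabled, since an exposed `personal` namespace is what lets a remote caller unlock accounts and send transactions.

```python
"""Audit the JSON-RPC exposure of geth-style nodes (added example, not vendor code)."""
import ipaddress
import json
import shlex

DEFAULT_RPC_PORT = 8545
LOOPBACK_NAMES = ("127.0.0.1", "localhost", "::1")
# Namespaces that allow unlocking accounts, signing, sending, or node control.
SENSITIVE_APIS = {"personal", "admin", "miner", "debug"}

# geth flag spellings (legacy and current) that enable, bind, or scope the HTTP RPC.
ENABLE_FLAGS = {"--rpc", "--http"}
ADDR_FLAGS = {"--rpcaddr", "--http.addr"}
API_FLAGS = {"--rpcapi", "--http.api"}
PORT_FLAGS = {"--rpcport", "--http.port"}


def _flag_values(argv):
    """Map each --flag to its value; accepts '--flag val', '--flag=val' and bare '--flag'."""
    out, i = {}, 0
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--"):
            if "=" in tok:
                key, val = tok.split("=", 1)
                out[key] = val
            elif i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                out[tok] = argv[i + 1]
                i += 1
            else:
                out[tok] = True
        i += 1
    return out


def _is_loopback(addr):
    """True if the bind address only reaches the host itself."""
    if addr in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def audit_cmdline(cmdline):
    """Classify one node's RPC exposure from its command line."""
    flags = _flag_values(shlex.split(cmdline))
    enabled = any(k in flags for k in ENABLE_FLAGS)
    # geth binds to localhost when --rpc/--http is set without an explicit address.
    addr = next((flags[k] for k in ADDR_FLAGS if k in flags), "127.0.0.1")
    port = int(next((flags[k] for k in PORT_FLAGS if k in flags), DEFAULT_RPC_PORT))
    apis = set()
    for k in API_FLAGS:
        if k in flags and flags[k] is not True:
            apis |= {a.strip() for a in flags[k].split(",") if a.strip()}
    exposed = enabled and not _is_loopback(addr)
    sensitive = sorted(apis & SENSITIVE_APIS)
    if not enabled:
        risk = "none"
    elif not exposed:
        risk = "low"        # reachable only from the host itself
    elif sensitive:
        risk = "critical"   # remote callers can unlock/sign/send
    else:
        risk = "high"       # remote, unauthenticated read access at minimum
    return {"rpc_enabled": enabled, "bind": f"{addr}:{port}", "apis": sorted(apis),
            "exposed_non_loopback": exposed, "sensitive_apis": sensitive, "risk": risk}


def audit_rpc_modules(response_text):
    """Given the JSON body a node returns for `rpc_modules`, list exposed namespaces.
    Any answer at all means the listener accepted an unauthenticated request."""
    modules = json.loads(response_text).get("result") or {}
    return {"modules": sorted(modules), "sensitive": sorted(set(modules) & SENSITIVE_APIS)}


# Constructed inventory: hostnames and command lines are sample data, not real hosts.
SAMPLE_NODES = {
    "miner-01": "geth --rpc --rpcaddr 0.0.0.0 --rpcapi personal,eth,net,web3",
    "miner-02": "geth --http --http.addr=0.0.0.0 --http.api eth,net",
    "wallet-03": "geth --rpc --rpcapi eth,net",
    "archive-04": "geth --syncmode full",
}
# Constructed sample reply to {"jsonrpc":"2.0","id":1,"method":"rpc_modules"}.
SAMPLE_MODULES_RESPONSE = (
    '{"jsonrpc":"2.0","id":1,"result":{"eth":"1.0","net":"1.0","personal":"1.0","web3":"1.0"}}'
)


def audit_fleet(nodes=SAMPLE_NODES):
    """Audit every node in the inventory; returns {hostname: finding}."""
    return {name: audit_cmdline(cmd) for name, cmd in nodes.items()}


if __name__ == "__main__":
    for name, f in audit_fleet().items():
        print(f"{name:11} risk={f['risk']:9} bind={f['bind']:16} apis={','.join(f['apis'])}")
    print("rpc_modules:", audit_rpc_modules(SAMPLE_MODULES_RESPONSE))
```

On a real host the command lines would come from the process list or the service unit rather than a dictionary, and the `rpc_modules` check would be sent from a second machine so that it reflects what a remote caller actually sees. A node rated "low" here is the configuration the article describes as safe: RPC on, but listening on the local interface only.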
Massive Scans Threaten Users
Though wallets and other crypto apps have long been scanned by hackers, their activity intensified after the December rise in prices. One of the biggest of these scans happened exactly a month before the currencies hit an all-time high, exposing security threats in some Electrum wallets that have the RPC on by default.
Hackers Scan Port 8545
The hackers look for these open RPC ports to break into user wallets. According to Netlab, the scans started in March. They tweeted on March 15,
“Someone tries to make quick money by scanning port 8545, and looking for geth clients and stealing their cryptocurrency, good thing geth by default only listens on local 8545 port. So far it has only got 3.96234 Ether on its account, but hey it is free money!”
They later reported that the scans became more numerous and intense with time. In fact, one of these hacker groups alone stole more than $20 million worth of Ether.
They recently tweeted,
“Remember this old twitter we posted? Guess how much these guys have in their wallets? Check out this wallet address $20,526,348.76, yes, you read it right, more than 20 Million US dollars.”
The number of tools on GitHub that could exploit this misconfiguration is growing, which means such attacks are likely to increase over time.