According to a report by ZDNet on Dec. 10, hackers have launched a massive campaign against Internet-exposed Ethereum wallets and mining equipment.
Troy Mursch, co-founder of Bad Packets LLC, said that the campaign has been taking place since December 3.
Attackers are searching for devices with port 8545 exposed online. This is the standard port for the JSON-RPC interface of many Ethereum wallets and mining equipment. The JSON-RPC interface is a programmatic API that apps and services use to query mining and funds-related information.
Although this interface should only be exposed locally, some wallet apps have enabled it on all interfaces. Once enabled, it requires the user to set a password.
Attackers who find such a device can use the interface to send commands that move funds from one wallet to another.
This issue was addressed in August 2015, when the Ethereum team told all Ethereum users about the dangers of using mining equipment over this API interface, recommending that they either set a password or use a firewall to filter incoming traffic for port 8545.
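One way to check a host you operate for the local-only binding described above, as an added example that is not from the ZDNet report or from Bad Packets: it parses `ss -ltnH` output and lists every listener on port 8545 bound to a non-loopback address. The sample output is constructed and the function names are hypothetical.

```python
import ipaddress

RPC_PORT = 8545  # standard Ethereum JSON-RPC port named in the article

# Constructed sample of `ss -ltnH` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 4096 127.0.0.1:8545 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:8545 0.0.0.0:*
LISTEN 0 4096 [::]:8545 [::]:*
LISTEN 0 4096 [::1]:8545 [::]:*
LISTEN 0 4096 192.0.2.10:8545 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 *:8545 *:*
"""

def split_local(field):
    """Split ss's 'Local Address:Port' field into (address, port or None)."""
    addr, _, port = field.rpartition(":")
    addr = addr.split("%")[0].strip("[]")  # drop %iface scope and IPv6 brackets
    return addr, int(port) if port.isdigit() else None

def is_loopback(addr):
    """True only for 127.0.0.0/8 and ::1; wildcard binds are not loopback."""
    if addr == "*":  # ss prints * for an all-interfaces (dual-stack) bind
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unparseable address: report it rather than hide it

def exposed_rpc_listeners(ss_output, port=RPC_PORT):
    """Return local addresses where `port` listens beyond loopback."""
    exposed = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, lport = split_local(cols[3])
        if lport == port and not is_loopback(addr):
            exposed.append(addr)
    return exposed

if __name__ == "__main__":
    for addr in exposed_rpc_listeners(SAMPLE_SS_OUTPUT):
        print(f"port {RPC_PORT} listens beyond loopback: bound to {addr}")
```

On a live host, pass the text produced by `ss -ltnH` to `exposed_rpc_listeners` instead of the sample; an empty list means port 8545 is bound to loopback only or not listening at all.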
Massive scans targeting port 8545 were identified in November 2017, January 2018, May 2018, and June 2018.
One notable detail about the scans is that all of them occurred during Ethereum’s price surge.
But over the past week, as we all know, Ethereum’s price has been falling drastically, and the scans have reappeared.
Mursch told ZDNet in an interview:
“Despite the price of cryptocurrency crashing into the gutter, free money is still free, even if it’s pennies a day.”
According to a chart Mursch shared with ZDNet, the scan activity tripled compared to last month.
A Shodan search shows that nearly 4700 devices are still exposing their port 8545.
There are also free tools available to exploit and automate scans on Ethereum clients via port 8545.
This is indeed a warning to all miners using port 8545 to close the port so as to prevent further attacks. It is at times like these that theft insurance should be in place.