Hackers Steal Over $20 Million of Ethereum After Exploiting Port 8545
Chinese cybersecurity firm Qihoo 360 Netlab confirmed that a group of hackers succeeded in stealing $20 million from exposed Ethereum-based mining rigs and dApps.
Ethereum dApps Exposed
According to a report on Bleeping Computer, the thefts occurred after a Remote Procedure Call (RPC) interface was exposed on port 8545 of Ethereum software applications. Qihoo 360 security researchers have been tracking the loophole since March 2018, and as of June 11, 2018, the heist far exceeded $20 million worth of ether (ETH).
In March 2018, Qihoo 360 alerted users to a “bad actor” scanning for exposed port 8545:
Someone tries to make quick money by scanning port 8545, looking for geth clients and stealing their cryptocurrency, good thing geth by default only listens on local 8545 port. So far it has only got 3.96234 Ether on its account, but hey it is free money! pic.twitter.com/YVSWlMtYGa
— 360 Netlab (@360Netlab) March 15, 2018
Despite the warning, users failed to implement the relevant security measures. In due course, multiple fraudulent groups noticed how easy exposed Ethereum dApps were to exploit and joined in the heist.
The most successful was a single group of attackers, presumably with advanced software skills and computing power, which alone stole $20 million.
Remember this old twitter we posted? Guess how much these guys have in their wallets? Check out this wallet address https://t.co/t4qB17r97J $20,526,348.76, yes, you read it right, more than 20 Million US dollars https://t.co/SXHrdTcb6e
— 360 Netlab (@360Netlab) June 11, 2018
Since the report noted “multiple groups” infiltrating Ethereum systems, the overall amount of stolen ETH remains unknown.
The 360 research team stated:
“If you have a honeypot running on port 8545, you should be able to see the requests in the payload, which has the wallet addresses. Quite a few IPs scanning heavily on this port now.”
The root cause of this security error is the RPC interface on port 8545, which is installed by default on most Ethereum dApps and provides a “link” between the user’s system and the servers.
Unfortunately, because users do not conduct due diligence before using software, Qihoo 360 expects the number of groups scanning for exposed ports to increase over time, leading to considerable financial losses for users.
As advice to its readership, BTCManager urges you to carefully read the documentation of any installed Ethereum software and to use multiple security measures to ensure the safety of your funds.
The RPC 101 – Understanding Port 8545
Ethereum applications are wholly decentralized in nature and make use of ports that relay data between users’ servers. Only approved third-party applications or services are allowed to interact with these ports, mostly to retrieve data from the Ethereum application – for example mining software, a portfolio tracker, or a wallet.
The RPC is the most crucial link in this system. It gives third-party applications access to the user’s funds, private keys, and even personal information.
Because of its sensitive role, the RPC is disabled by default. Developers include warnings not to switch on the interface unless the user is fully protected by advanced firewalls, access control lists, or credible authentication systems. As an additional measure, developers configure the RPC to accept requests only from local interfaces rather than from remote third parties.
However, the report noted that experienced developers are increasingly tampering with Ethereum applications, adding functionality at the cost of user security. Additionally, users fail to read the documentation carefully and unknowingly install exposed applications – making them a prime target for attackers.
As reported by BTCManager in May 2018, the infamous Satori botnet scanned the ecosystem for exposed Ethereum port 3333 from 17,000 independent IP addresses.
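As an added example (not code from 360 Netlab, BTCManager or any Ethereum client), here is the kind of triage a defender can run over JSON-RPC requests captured on port 8545, for instance from a honeypot like the one mentioned above: it ignores loopback traffic (the default local-only binding described in this section), flags remote callers of fund-related methods, and pulls the wallet addresses out of the payload so they can be traced. The sample requests, the source IPs and the set of watched methods are constructed assumptions for this example.

```python
"""Triage JSON-RPC requests seen on port 8545 (from a honeypot or a
reverse-proxy access log) and report the ones a defender should act on."""
import ipaddress
import json
import re
from collections import defaultdict

# Methods that expose or move funds when the RPC is reachable remotely
# (geth eth/personal namespace). Which ones to watch is an assumption here.
SENSITIVE_METHODS = {"eth_accounts", "eth_sendTransaction",
                     "personal_unlockAccount", "eth_getBalance"}
ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}")

# Constructed sample traffic: (source IP, destination port, raw request body).
ADDR_A, ADDR_B, ADDR_C = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
SAMPLE_REQUESTS = [
    ("127.0.0.1", 8545, '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'),
    ("203.0.113.7", 8545, '{"jsonrpc":"2.0","method":"eth_accounts","params":[],"id":1}'),
    ("203.0.113.7", 8545, json.dumps({"jsonrpc": "2.0", "method": "eth_sendTransaction",
                                      "params": [{"from": ADDR_A, "to": ADDR_B,
                                                  "value": "0xde0b6b3a7640000"}], "id": 2})),
    ("198.51.100.9", 8545, json.dumps({"jsonrpc": "2.0", "method": "eth_getBalance",
                                       "params": [ADDR_C, "latest"], "id": 1})),
    ("203.0.113.7", 8545, "not json at all"),
]


def triage(requests):
    """Return {source_ip: findings} for non-loopback callers on port 8545.
    Findings hold the sensitive methods used, every wallet address in the
    payload, and a count of malformed (non-JSON) bodies, which scanners send."""
    findings = defaultdict(lambda: {"sensitive_methods": set(),
                                    "addresses": set(), "malformed": 0})
    for src, port, body in requests:
        if port != 8545 or ipaddress.ip_address(src).is_loopback:
            continue  # local traffic is what the default binding expects
        try:
            msg = json.loads(body)
        except ValueError:
            findings[src]["malformed"] += 1
            continue
        method = msg.get("method", "") if isinstance(msg, dict) else ""
        if method in SENSITIVE_METHODS:
            findings[src]["sensitive_methods"].add(method)
            findings[src]["addresses"].update(ADDRESS_RE.findall(body))
    return dict(findings)


if __name__ == "__main__":
    for src, info in triage(SAMPLE_REQUESTS).items():
        print(src, sorted(info["sensitive_methods"]),
              sorted(info["addresses"]), info["malformed"])
```

The `to` address of a flagged `eth_sendTransaction` is the one worth tracing on-chain, as 360 Netlab did for the $20 million wallet.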