A group of attackers has stolen more than $20 million worth of Ether from misconfigured Ethereum applications and mining rigs, Chinese anti-virus vendor Qihoo 360 reported on Monday. The thefts were possible because the affected Ethereum software had been configured to expose its JSON-RPC interface on TCP port 8545 to the internet.
The RPC (Remote Procedure Call) interface gives third-party services and applications programmatic access to an Ethereum node's API, so that they can send it commands or read data from it. This includes the wallets used by miners and other users.
By design, the RPC interface can expose sensitive functionality: depending on which API namespaces are enabled, a caller can list the node's accounts, manage and unlock their keys, and send transactions that move funds. The client developers therefore ship it with a warning that the interface must not be enabled without proper protection.
Almost all Ethereum client software now ships with an RPC interface, and in most cases it is configured correctly, accepting only local requests, that is, connections from applications running on the same machine.
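As an added illustration (not code from Qihoo 360, Bleeping Computer or any Ethereum client), the following Python helper parses a geth command line and flags the settings that turn the RPC interface from local-only into an open door: a non-loopback bind address, privileged namespaces such as `personal` served over HTTP, and accounts unlocked at startup. The flag names are geth's real ones; the two command lines, the helper's name and its finding strings are assumptions made for the example.

```python
"""Audit a geth command line for a JSON-RPC endpoint reachable from the network.

Added, hypothetical helper (not part of geth or any Ethereum client). It
understands geth's legacy HTTP flags (--rpc, --rpcaddr, --rpcapi) and the
current ones (--http, --http.addr, --http.api). It ignores the WebSocket
endpoint (--ws*), so an empty result is not a complete audit.
"""
import ipaddress
import shlex

# Namespaces that let anyone who can reach the port unlock accounts or
# reconfigure the node; they should never be served on a non-loopback address.
PRIVILEGED_APIS = {"personal", "admin", "debug", "miner"}
DEFAULT_APIS = "eth,net,web3"


def _flag_values(argv):
    """Collect '--flag value' and '--flag=value' into a dict; bare flags map to True."""
    opts = {}
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("--"):
            if "=" in arg:
                key, val = arg[2:].split("=", 1)
            elif i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                key, val = arg[2:], argv[i + 1]
                i += 1
            else:
                key, val = arg[2:], True
            opts[key] = val
        i += 1
    return opts


def _is_loopback(addr):
    """True for 127.0.0.0/8, ::1 and the literal 'localhost'."""
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def audit_geth_cmdline(cmdline):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    opts = _flag_values(shlex.split(cmdline))
    findings = []
    if "rpc" not in opts and "http" not in opts:
        return findings  # HTTP JSON-RPC not enabled at all
    addr = opts.get("http.addr", opts.get("rpcaddr", "127.0.0.1"))
    apis = opts.get("http.api", opts.get("rpcapi", DEFAULT_APIS))
    if not _is_loopback(str(addr)):
        findings.append(f"JSON-RPC bound to {addr}: reachable from the network")
    exposed = PRIVILEGED_APIS & {a.strip() for a in str(apis).split(",")}
    if exposed:
        findings.append(f"privileged namespaces served over HTTP: {sorted(exposed)}")
    if opts.get("unlock"):
        # With an account unlocked inside the node, eth_sendTransaction needs no password.
        findings.append("accounts unlocked at startup (--unlock): any RPC caller can spend from them")
    if "allow-insecure-unlock" in opts:
        findings.append("--allow-insecure-unlock: unlocking permitted while HTTP RPC is on")
    return findings


# Constructed examples: the weak setting that lets a port-8545 scanner drain the
# node, and the corrected setting that keeps the endpoint local and unprivileged.
WEAK_CMDLINE = ("geth --rpc --rpcaddr 0.0.0.0 --rpcport 8545 "
                "--rpcapi eth,net,web3,personal --unlock 0 --password pw.txt")
SAFE_CMDLINE = "geth --http --http.addr 127.0.0.1 --http.port 8545 --http.api eth,net,web3"

if __name__ == "__main__":
    for label, cmd in (("weak", WEAK_CMDLINE), ("safe", SAFE_CMDLINE)):
        print(label, audit_geth_cmdline(cmd) or ["OK"])
```

Binding to 127.0.0.1 is necessary but not sufficient: a node that must be reached from another host should sit behind an authenticating reverse proxy or an SSH tunnel rather than bind to 0.0.0.0, and the `personal` namespace should stay off the HTTP transport altogether.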
The Ethereum developers drew attention to the requirements for safe use of the RPC interface in 2015, soon after the main network launched. Despite this, some users continue to experiment with the software, often without realizing what their changes expose.
Internet-wide scanning for open interfaces has been going on for several years, but it became particularly intense last year amid the rapid rise in cryptocurrency prices. Attackers often found what they were looking for; one example was a version of the popular Electrum wallet that handed over private keys to anyone who knew about the vulnerability. In May 2018, Satori, one of the largest botnets in existence, joined the scanning for open RPC interfaces.
Qihoo 360 Netlab specialists reported that at least one attacker was searching for unprotected RPC interfaces on port 8545 in March of this year, whereas most earlier attacks had targeted port 3333. At the time of that first report, the total losses of misconfigured clients were estimated at 3.96234 ETH ($2,000 to $3,000).
According to the latest Netlab report, attackers have not only kept scanning the network throughout this period but have also significantly expanded their own resources, and the total losses from this type of attack now exceed $20 million.
“If you set up a honeypot on port 8545, you’ll see queries containing wallet addresses,” Netlab writes. “A fairly large number of IP addresses are scanning this port.”
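To show what that honeypot observation looks like in practice, here is an added example (not Netlab's code or data) that triages constructed honeypot records from port 8545: it parses single and batched JSON-RPC bodies, ignores non-JSON probes, flags source IPs that enumerate accounts and then call `eth_sendTransaction`, and collects the destination addresses those calls try to send funds to, which are the "wallet addresses" in the quote. The log entries, IPs and addresses are all constructed.

```python
"""Triage honeypot traffic on port 8545: which IPs run the
eth_accounts -> eth_sendTransaction theft pattern, and where they send the ETH.

Added example with constructed data; not Netlab's code or data.
"""
import json
import re
from collections import defaultdict

ADDR_RE = re.compile(r"0x[0-9a-fA-F]{40}")

VICTIM_A = "0x" + "11" * 20   # constructed: an account the probed node had unlocked
VICTIM_B = "0x" + "22" * 20
DRAIN = "0x" + "aa" * 20      # constructed: attacker-controlled destination

# Constructed log of (timestamp, source IP, HTTP body) as a minimal honeypot
# listening on 8545 might record it. Includes one batch request and one
# non-JSON probe to exercise the parser's error handling.
HONEYPOT_LOG = [
    ("2018-06-11T08:00:01Z", "203.0.113.7",
     '{"jsonrpc":"2.0","method":"eth_accounts","params":[],"id":1}'),
    ("2018-06-11T08:00:02Z", "203.0.113.7",
     f'{{"jsonrpc":"2.0","method":"eth_getBalance","params":["{VICTIM_A}","latest"],"id":2}}'),
    ("2018-06-11T08:00:03Z", "203.0.113.7",
     f'{{"jsonrpc":"2.0","method":"eth_sendTransaction","params":[{{"from":"{VICTIM_A}",'
     f'"to":"{DRAIN}","value":"0xde0b6b3a7640000"}}],"id":3}}'),
    ("2018-06-11T09:15:00Z", "198.51.100.23",
     f'[{{"jsonrpc":"2.0","method":"eth_accounts","params":[],"id":1}},'
     f'{{"jsonrpc":"2.0","method":"eth_sendTransaction","params":[{{"from":"{VICTIM_B}",'
     f'"to":"{DRAIN}","value":"0x1"}}],"id":2}}]'),
    ("2018-06-11T09:20:00Z", "192.0.2.55", "GET / HTTP/1.0"),
    ("2018-06-11T09:21:00Z", "192.0.2.55",
     '{"jsonrpc":"2.0","method":"web3_clientVersion","params":[],"id":1}'),
]


def parse_calls(body):
    """Return the JSON-RPC calls in a request body (single or batch); [] if not JSON-RPC."""
    try:
        doc = json.loads(body)
    except ValueError:
        return []
    calls = doc if isinstance(doc, list) else [doc]
    return [c for c in calls if isinstance(c, dict) and isinstance(c.get("method"), str)]


def drain_targets(calls):
    """Destination addresses of eth_sendTransaction calls: where stolen ETH would go."""
    targets = set()
    for call in calls:
        if call["method"] != "eth_sendTransaction":
            continue
        params = call.get("params", [])
        for p in params if isinstance(params, list) else []:
            to = p.get("to") if isinstance(p, dict) else None
            if isinstance(to, str) and ADDR_RE.fullmatch(to):
                targets.add(to.lower())
    return targets


def analyse(log):
    """Per-IP method sequence, drain addresses seen, and IPs showing the theft pattern."""
    methods = defaultdict(list)
    targets = defaultdict(set)  # drain address -> source IPs that used it
    for _ts, ip, body in log:
        calls = parse_calls(body)
        methods[ip].extend(c["method"] for c in calls)
        for t in drain_targets(calls):
            targets[t].add(ip)
    # Enumerating accounts and then spending from them is the scanner's signature;
    # a legitimate client on a public port is rare enough that the pair merits an alert.
    suspects = sorted(ip for ip, seq in methods.items()
                      if "eth_accounts" in seq and "eth_sendTransaction" in seq)
    return {"methods": dict(methods),
            "targets": {t: sorted(ips) for t, ips in targets.items()},
            "suspects": suspects}


if __name__ == "__main__":
    report = analyse(HONEYPOT_LOG)
    for ip in report["suspects"]:
        print(f"{ip}: {' -> '.join(report['methods'][ip])}")
    for addr, ips in report["targets"].items():
        print(f"drain address {addr} used by {', '.join(ips)}")
```

The drain addresses are the useful output: the same destination recurring across many source IPs is a single campaign behind a scanning pool, and the address can be checked on-chain to estimate how much it has already collected.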
Tools for scanning port 8545 are plentiful on GitHub, so deliberately exposing a miner or wallet on that port amounts to handing your cryptocurrency to attackers, Bleeping Computer notes. Nevertheless, Netlab's data indicate that many users are still not paying enough attention to the problem, and scanning of port 8545 will only gain momentum.