The operators of the Satori botnet are mass-scanning the Internet for exposed Ethereum mining rigs, according to three sources within the infosec community who have observed the malicious behavior: SANS ISC, Qihoo 360 Netlab, and GreyNoise Intelligence.
More precisely, the attackers are scanning for devices with port 3333 exposed online, a port commonly used for remote management features by various cryptocurrency-mining software.
Scans have been taking place for almost a week
The scans began on May 11, according to researchers from Netlab, the first to observe them and the ones who tied this activity to the Satori botnet.
Do you see port 3333 scan traffic going up? Satori botnet is scanning it now, see our Scanmon trend https://t.co/TyrL4ryt6J, and try a dns lookup for one of the control domains it's using now, dig any https://t.co/DM4JTtXFo3, I personally like yesterday's TXT result more pic.twitter.com/xXUjwjZNdD
— 360 Netlab (@360Netlab) May 11, 2018
More details emerged a day later when GreyNoise analysts managed to demystify the scans and analyze the behavior on a compromised device.
GreyNoise says the attackers were actively looking for equipment running the Claymore mining software.
GreyNoise observed a large spike of TCP port 3333 scan traffic today. This is the default port for the "Claymore" dual Ethereum/Decred cryptocurrency miner. pic.twitter.com/5g6vVbPLNq
— GreyNoise Intelligence (@GreyNoiseIO) May 11, 2018
"Once the attacker identifies a server running the Claymore software they push instructions to reconfigure the device to join the 'dwarfpool' mining pool and use the attacker's ETH wallet," GreyNoise says.
GPON routers used to scan and compromise mining rigs
GreyNoise also tied the scans to a group of IP addresses located in Mexico, on the networks of two ISPs that just a few days earlier had thousands of GPON routers compromised and attacked by five different botnets.
Based on the current evidence, Satori, one of the five botnets, was using the GPON routers to scan for Claymore miners, deploy an exploit, and hijack the devices to mine Ethereum and Decred cryptocurrencies for the Satori operators.
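Two network-side checks a defender can run against connection logs for the activity described above, as an added example that is not part of the original article or of any of the cited vendors' tooling: the first flags a destination receiving TCP SYNs on port 3333 from many distinct sources (the mass-scan signature), the second flags a known mining rig opening connections to anything other than its approved pool (the "joined the attacker's pool" symptom). The log format, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the article): timestamp src dst dport proto flags.
# 203.0.113.5 is our miner; it is scanned by five sources, then later talks to an
# endpoint that is not its approved pool (192.0.2.50).
SAMPLE_LOG = """\
2018-05-11T10:00:01Z 198.51.100.10 203.0.113.5 3333 TCP SYN
2018-05-11T10:00:02Z 198.51.100.11 203.0.113.5 3333 TCP SYN
2018-05-11T10:00:02Z 198.51.100.12 203.0.113.5 3333 TCP SYN
2018-05-11T10:00:03Z 198.51.100.13 203.0.113.5 3333 TCP SYN
2018-05-11T10:00:04Z 198.51.100.14 203.0.113.5 3333 TCP SYN
2018-05-11T10:00:05Z 192.0.2.7 203.0.113.5 22 TCP SYN
2018-05-11T10:01:00Z 203.0.113.5 192.0.2.50 3333 TCP SYN
2018-05-11T10:02:00Z 203.0.113.5 198.51.100.200 8008 TCP SYN
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+) (\S+)$")

def parse_line(line):
    """Split one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport, proto, flags = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "flags": flags}

def detect_port_scan(lines, port=3333, min_sources=5):
    """Return (dst, distinct_source_count) for hosts receiving TCP SYNs on `port`
    from at least `min_sources` different addresses: the mass-scan pattern."""
    sources = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["flags"] == "SYN" and rec["dport"] == port:
            sources[rec["dst"]].add(rec["src"])
    return sorted((dst, len(s)) for dst, s in sources.items() if len(s) >= min_sources)

def detect_pool_change(lines, miner_hosts, allowed_pools):
    """Return (miner, dst, dport) for outbound connections from a known rig to any
    endpoint outside the approved pool set: what a hijacked miner would start doing."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["src"] in miner_hosts and rec["dst"] not in allowed_pools:
            alerts.append((rec["src"], rec["dst"], rec["dport"]))
    return alerts

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("scan targets:", detect_port_scan(lines))
    print("pool changes:", detect_pool_change(lines, {"203.0.113.5"}, {"192.0.2.50"}))
```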
Yesterday, Netlab researchers published a blog post confirming GreyNoise's initial discovery.
"The source of this [port 3333] scan is about 17k independent IP addresses, mainly from Uninet SA de CV, telmex.com, located in Mexico," Netlab said.
More details emerged later in the evening, as Johannes B. Ullrich of SANS ISC also managed to identify the exploit used by the attackers, a remote code execution flaw (CVE-2018-1000049) affecting the Nanopool Claymore Dual Miner software, for which public proof-of-concept code exists online.
This isn't the first time we've seen intense scans for Ethereum mining rigs. A similar wave of scans took place last November.