Cybercriminals Steal Cryptocurrency from Mining Pools Via BGP Hijacking

Over the course of four months, threat actors managed to make tens of thousands of dollars by redirecting the connections of cryptocurrency miners to mining pools they control, the research team at Dell SecureWorks’ Counter Threat Unit reported on Thursday.

According to researchers, the attackers compromised 51 pools at a total of 19 hosting companies, including Amazon, Digital Ocean, OVH, ServerStack, EGIHosting, Choopa, LeaseWeb and B2 Net Solutions.

The attacks leveraged the Border Gateway Protocol (BGP), the exterior routing protocol that exchanges reachability information between the networks that make up the Internet. BGP is meant to resist traffic hijacking because both ends of a peering session must be configured manually before the two networks can exchange routes.

The threat actors used bogus BGP announcements to redirect traffic to their own server, Dell said. Under normal circumstances, cryptocurrency miners connect to pool servers from which they receive work instructions and rewards. By announcing bogus routes for the pools’ address space, the attackers directed the miners’ traffic to pools under their control. The redirected miners continued to receive instructions and carry on their work, but no longer received rewards for it.

Members of cryptocurrency forums first reported seeing malicious activity on March 22, but Dell researchers have determined that the attacks started as early as February 3.

By looking at some of the cryptocurrency addresses associated with the hijacker, Dell has determined that between February and late May the cybercriminals had managed to make a profit of approximately $83,000 in Bitcoin, Dogecoin, HoboNickels, and Worldcoin. Researchers say there’s a strong indication that other currencies have also been targeted.

Experts traced the attack to a single router hosted by an ISP in Canada. An upstream ISP has been notified and the operation has been disrupted, but the company hasn’t provided Dell with any details regarding the source of the malicious activity. Researchers believe that this could have been the work of an individual working for the ISP, or a former employee who still has access to the company’s systems. The third possibility is that a malicious hacker somehow managed to compromise the router to which the BGP announcements were traced.

There are several mitigations that can be used to prevent such attacks. For example, ISPs can use the Resource Public Key Infrastructure (RPKI), which lets the holder of an IP prefix publish which autonomous systems (AS) are authorized to originate it, so that peers can reject announcements from any other origin. On the other hand, the administrators of pool servers can require miners to connect over the Secure Sockets Layer (SSL) protocol with server certificate validation, so that a miner redirected to an impostor pool refuses to talk to it.
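The following is an added example, not code from the article or from Dell SecureWorks, that shows both sides of the two preceding paragraphs on constructed data: why a bogus announcement wins the miners’ traffic (a more-specific prefix beats the legitimate one under longest-prefix matching) and how RPKI route origin validation (the RFC 6811 Valid/Invalid/NotFound check) lets a router discard it. The prefixes and AS numbers are documentation ranges chosen for the example; the pool’s real address space is not given in the article.

```python
"""RPKI route origin validation (RFC 6811) against a simulated BGP hijack.

Added example on constructed data; none of the prefixes or AS numbers below
come from the incident described in the article.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: `origin_as` may originate `prefix`
    and any more-specific prefix up to `max_length` bits long."""
    prefix: str
    max_length: int
    origin_as: int


# Constructed ROA: the pool operator (AS64496) authorizes only itself to
# originate 203.0.113.0/24, and nothing more specific than a /24.
ROAS = [ROA("203.0.113.0/24", 24, 64496)]

# Constructed announcements as a router would see them: the legitimate /24
# from the pool's AS and a hijacker's more-specific /25 from AS64511.
ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64496),
    ("203.0.113.0/25", 64511),
]


def validate(announced_prefix: str, origin_as: int, roas) -> str:
    """Return 'Valid', 'Invalid' or 'NotFound' for one announcement.

    Valid    - some covering ROA matches the origin and the length limit.
    Invalid  - covering ROAs exist but none matches (wrong origin or too long).
    NotFound - no ROA covers the announced prefix at all.
    """
    net = ipaddress.ip_network(announced_prefix)
    state = "NotFound"
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue  # this ROA does not cover the announcement
        if net.prefixlen <= roa.max_length and roa.origin_as == origin_as:
            return "Valid"
        state = "Invalid"  # covered, but by an ROA that does not authorize it
    return state


def select_route(dest_ip: str, announcements, roas, enforce_rov: bool = True):
    """Pick the route a router would use for `dest_ip`.

    Longest-prefix match decides among accepted routes; with `enforce_rov`
    set, announcements that validate as Invalid are dropped before that
    decision, which is the RPKI mitigation the article refers to.
    """
    dest = ipaddress.ip_address(dest_ip)
    candidates = []
    for prefix, origin in announcements:
        net = ipaddress.ip_network(prefix)
        if dest not in net:
            continue
        if enforce_rov and validate(prefix, origin, roas) == "Invalid":
            continue
        candidates.append((net.prefixlen, prefix, origin))
    if not candidates:
        return None
    candidates.sort(reverse=True)  # longest prefix first
    _, prefix, origin = candidates[0]
    return prefix, origin


if __name__ == "__main__":
    miner_target = "203.0.113.10"  # constructed pool server address
    for prefix, origin in ANNOUNCEMENTS:
        print(f"{prefix} from AS{origin}: {validate(prefix, origin, ROAS)}")
    print("without ROV:", select_route(miner_target, ANNOUNCEMENTS, ROAS, False))
    print("with ROV:   ", select_route(miner_target, ANNOUNCEMENTS, ROAS, True))
```

Without origin validation the hijacker’s /25 is preferred simply because it is more specific, which is all the attack described above needed; with validation the /25 is Invalid (it exceeds the ROA’s maximum length and comes from the wrong AS) and the miners’ traffic stays on the legitimate /24. Note that ROAs only protect prefixes whose holders have published them; an announcement for uncovered space validates as NotFound and is still accepted, so the mitigation depends on the pool’s hosting provider actually registering its space.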

“BGP peering requires that both networks be manually configured and aware of one another. Requiring human interaction for proper configuration makes BGP peering reasonably secure, as ISPs will not peer with anyone without a legitimate reason,” Pat Litke and Joe Stewart of the Dell SecureWorks Counter Threat Unit explained in a blog post. “These hijacks and miner redirections would not have been possible without peer-to-broadcast routes. Although BGP hijacking is possible, the overall threat is minimal.”

Stewart presented the research on Thursday at the Black Hat USA 2014 conference taking place this week in Las Vegas.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
