Cybercriminals Steal Cryptocurrency from Mining Pools Via BGP Hijacking
Over the course of four months, threat actors managed to make tens of thousands of dollars by redirecting the connections of cryptocurrency miners to mining pools they control, the research team at Dell SecureWorks’ Counter Threat Unit reported on Thursday.
According to researchers, the attackers compromised 51 pools at a total of 19 hosting companies, including Amazon, Digital Ocean, OVH, ServerStack, EGIHosting, Choopa, LeaseWeb and B2 Net Solutions.
The attacks leveraged the Border Gateway Protocol (BGP), an external routing protocol that connects networks on the Web. BGP prevents malicious networks from hijacking traffic because both ends of networks linked via this protocol must be configured manually in order to communicate properly.
The threat actors used bogus BGP broadcasts to redirect traffic to the their own server, Dell said. Under normal circumstances, cryptocurrency miners connect to pool servers from which they receive instructions and rewards. However, by using bogus BGP announcements, the attackers managed to direct the miners’ traffic to their own pools. The redirected miners continue to receive instructions and carry on their tasks, but no longer receive rewards.
Members of cryptocurrency forums first reported seeing malicious activity on March 22, but Dell researchers have determined that the attacks started as early as February 3.
By looking at some of the cryptocurrency addresses associated with the hijacker, Dell has determined that between February and late May the cybercriminals had managed to make a profit of approximately $83,000 in Bitcoin, Dogecoin, HoboNickels, and Worldcoin. Researchers say there’s a strong indication that that other currencies have also been targeted.
Experts traced the attack to a single router hosted by an ISP in Canada. An upstream ISP has been notified and the operation has been disrupted, but the company hasn’t provided Dell with any details regarding the source of the malicious activity. Researchers believe that this could have been the work of an individual working for the ISP, or a former employee who still has access to the company’s systems. The third possibility is that a malicious hacker somehow managed to compromise the router to which the BGP announcements were traced.
There are several mitigations that can be used to prevent such attacks. For example, ISPs can use the Resource Public Key Infrastructure (RPKI) service, which enables them to choose which of their IP address prefixes can originate from specified autonomous systems (AS). On the other hand, the administrators of pool servers can require miners to use the Secure Socket Layer (SSL) protocol and server certificate validation.
“BGP peering requires that both networks be manually configured and aware of one another. Requiring human interaction for proper configuration makes BGP peering reasonably secure, as ISPs will not peer with anyone without a legitimate reasonl,” Pat Litke and Joe Stewart of the Dell SecureWorks Counter Threat Unit explained in a blog post. “These hijacks and miner redirections would not have been possible without peer-to-broadcast routes. Although BGP hijacking is possible, the overall threat is minimal.”
Stewart presented the research on Thursday at the Black Hat USA 2014 conference taking place this week in Las Vegas.