Malware & Threats

SSH-based Hijacker Targeting Ethereum Miners

Crypto-currency miners represent an easy solution when it comes to taking advantage of a system’s computing power to earn some money, but can result in no gain if the mined coins are going to someone else’s wallet.

In a recent example of how users can end up with nothing despite putting their computers to work, Ethereum mining farms are on the receiving end of an attack involving a hijacker that simply replaces the user's payout wallet address with one belonging to an unknown actor.

The attack takes advantage of the increased popularity emerging crypto-currencies such as Monero and Ethereum have seen lately. First spotted on Monday, the attack relies on changing the default configuration of Ethereum-miners to hijack the funds, Bitdefender’s threat analyst Bogdan Botezatu reveals.

The attackers are specifically targeting EthOS, an operating system optimized for Ethereum mining, but also capable of mining Zcash, Monero, and other crypto-currencies that rely on GPU power. The platform is said to run on more than 38,000 mining rigs across the world at the moment and to arrive pre-loaded with all the necessary tools, as well as with a default username and password.

After deployment, the user only needs to enter their own wallet address, so that mining rewards are paid to them, and change the default username and password. Systems where the default credentials have not been changed are the ones targeted in the newly discovered attack.

“The bot scans for the entire IPv4 range and looks for open SSH connections. If found, it attempts to log in using the default username and password to the EthOS operating system: ethos:live and root:live,” Botezatu explains.

Should the login be successful, the bot then attempts to change the existing configuration for Ethereum and hijack the mining process so that the funds are sent to the attacker’s Ethereum address. The security researchers discovered that the attackers’ wallet had already received 10 transactions over a couple of days, worth a total of $611 in Ether.


“So, if you are running an Ether Miner based on Ethereum OS, make sure you have changed the default login credentials. If you haven’t done so, now would be a good time to check whether the miner is sending money to you, not hackers,” Botezatu concludes.
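The check Botezatu recommends can be scripted. The audit below is an added example written for this page; it is not code from Bitdefender, from the article, or from the ethOS project. It covers the two traces the attack described above would leave on a rig: a payout wallet in the miner configuration that no longer matches yours, and successful password logins over SSH as the default accounts (ethos, root). It assumes, without confirmation from the article, that the configuration lives at /home/ethos/local.conf and names the payout address on a `proxywallet` line, and that sshd writes successful logins to /var/log/auth.log as "Accepted password for USER from IP". The sample config and log lines, and both wallet addresses, are constructed for the demonstration so that it runs offline.

```shell
#!/usr/bin/env bash
# Added audit script (not from the article or from ethOS).
# ASSUMPTIONS, not confirmed by the article:
#   - the miner config is /home/ethos/local.conf and the payout address is on a
#     "proxywallet <address>" line
#   - sshd logs successful logins to /var/log/auth.log as
#     "sshd[PID]: Accepted password for USER from IP port N ssh2"
# On a real rig, point the two functions at those paths instead of the samples.

# Return 0 if the proxywallet line in config $1 equals the expected address $2,
# return 1 (and explain on stderr) if it is missing or differs.
check_wallet() {
  local conf="$1" expected="$2" configured
  configured=$(awk '$1 == "proxywallet" { print $2; exit }' "$conf")
  if [ -z "$configured" ]; then
    echo "no proxywallet line in $conf" >&2
    return 1
  fi
  if [ "$configured" != "$expected" ]; then
    echo "WALLET MISMATCH: configured=$configured expected=$expected" >&2
    return 1
  fi
  return 0
}

# Print "user ip" for every successful password login as ethos or root in log $1.
# Key-based logins ("Accepted publickey") and failed attempts are ignored: the bot
# described in the article logs in with the default password, so those are the
# events worth reviewing.
default_account_logins() {
  awk '/sshd\[[0-9]+\]: Accepted password for (ethos|root) from / {
         for (i = 1; i <= NF; i++) {
           if ($i == "for")  u  = $(i + 1)
           if ($i == "from") ip = $(i + 1)
         }
         print u, ip
       }' "$1"
}

# --- constructed sample data (not real addresses or real log lines) ---
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# The wallet you configured when you set the rig up (constructed placeholder).
EXPECTED_WALLET=0x1111111111111111111111111111111111111111

# A config as the hijacker would leave it: someone else's address on proxywallet.
cat > "$workdir/local.conf" <<'EOF'
globalminer claymore
proxywallet 0x2222222222222222222222222222222222222222
proxypool1 us1.ethermine.org:4444
EOF

# Auth log: a guessed root password, then password logins as root and ethos
# from the same outside address, and one legitimate key-based login.
cat > "$workdir/auth.log" <<'EOF'
Oct  9 03:12:44 rig01 sshd[2211]: Failed password for root from 203.0.113.7 port 51234 ssh2
Oct  9 03:12:47 rig01 sshd[2211]: Accepted password for root from 203.0.113.7 port 51234 ssh2
Oct  9 03:13:01 rig01 sshd[2240]: Accepted password for ethos from 203.0.113.7 port 51300 ssh2
Oct  9 08:00:02 rig01 sshd[2650]: Accepted publickey for ethos from 192.0.2.10 port 40000 ssh2
EOF

if check_wallet "$workdir/local.conf" "$EXPECTED_WALLET"; then
  echo "payout wallet matches"
else
  echo "payout wallet does NOT match: fix local.conf and rotate the credentials"
fi

echo "password logins as default accounts (user ip):"
default_account_logins "$workdir/auth.log"
```

Run on a real rig as `check_wallet /home/ethos/local.conf 0xYourAddress` and `default_account_logins /var/log/auth.log`. A mismatch on the first check means the rig has been mining for someone else since the line was changed; a hit on the second tells you which address logged in and when, which is the point from which to review what else was changed. Changing the default password removes the foothold the bot relies on; not exposing sshd to the whole internet, or allowing key-based logins only, removes the opportunity.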

Related: Seoul Says North Korean Hackers Tried to Steal Bitcoins: Yonhap

Related: Hacker Steals $8.4 Million in Ethereum from Veritaseum

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
