Crypto-currency miners represent an easy solution when it comes to taking advantage of a system’s computing power to earn some money, but can result in no gain if the mined coins are going to someone else’s wallet.
In a recent example of how users could end up with no cash despite putting their computers to work, Ethereum-mining farms are at the receiving end of an attack involving a hijacker that simply attempts to replace the user’s wallet with an unknown actor’s.
The attack takes advantage of the increased popularity emerging crypto-currencies such as Monero and Ethereum have seen lately. First spotted on Monday, the attack relies on changing the default configuration of Ethereum-miners to hijack the funds, Bitdefender’s threat analyst Bogdan Botezatu reveals.
The attackers are specifically targeting EthOS, an operating system optimized for Ethereum mining, but also capable of mining Zcash, Monero, and other crypto-currencies that rely on GPU power. The platform is said to run on more than 38,000 mining rigs across the world at the moment and to arrive pre-loaded with all the necessary tools, as well as with a default username and password.
After deployment, the user simply needs to add their own wallet for mining fees and to change the default username and password. Systems where the default credentials haven’t been changed are those targeted in the newly discovered attack.
“The bot scans for the entire IPv4 range and looks for open SSH connections. If found, it attempts to log in using the default username and password to the EthOS operating system: ethos:live and root:live,” Botezatu explains.
Should the login be successful, the bot then attempts to change the existing configuration for Ethereum and hijack the mining process so that the funds are sent to the attacker’s Ethereum address. The security researchers discovered that the attackers’ wallet had already received 10 transactions over a couple of days, worth a total of $611 in Ether.
“So, if you are running an Ether Miner based on Ethereum OS, make sure you have changed the default login credentials. If you haven’t done so, now would be a good time to check whether the miner is sending money to you, not hackers,” Botezatu concludes.
Related: Seoul Says North Korean Hackers Tried to Steal Bitcoins: Yonhap
Related: Hacker Steals $8.4 Million in Ethereum from Veritaseum