The operators of the Satori botnet are mass-scanning the Internet for exposed Ethereum mining rigs, according to three sources in the infosec community who’ve observed the malicious behavior: SANS ISC, Qihoo 360 Netlab, and GreyNoise Intelligence.
More precisely, crooks are scanning for devices with port 3333 exposed online, a port often used for remote management features by a large number of cryptocurrency-mining equipment.
Scans have been taking place for almost a week
The scans started on May 11, according to researchers from Netlab, the first to observe them, and the ones who tied their activity to the Satori botnet.
More details emerged a day later when GreyNoise analysts managed to demystify the scans and analyze the behavior on a compromised device.
GreyNoise says crooks were actively looking for equipment running the Claymore mining software.
“Once the attacker identifies a server running the Claymore software they push instructions to reconfigure the device to join the ‘dwarfpool’ mining pool and use the attacker’s ETH wallet,” GreyNoise says.
GPON routers used to scan and compromise mining rigs
GreyNoise also tied the scans to a group of IP addresses located in Mexico, on the networks of two ISPs that just a few days earlier had thousands of GPON routers compromised and attacked by five different botnets.
Based on the current evidence, Satori, one of the five botnets, was using the GPON routers to scan for Claymore miners, deploy an exploit, and hijack the devices to mine Ethereum and Decred cryptocurrencies for the Satori operators.
Yesterday, Netlab researchers published a blog post confirming GreyNoise’s initial discovery.
“The source of this [port 3333] scan is about 17k independent IP addresses, mainly from Uninet SA de CV, telmex.com, located in Mexico,” Netlab said.
More details emerged later in the evening, as Johannes B. Ullrich of SANS ISC also managed to identify the exploit used by the attackers, a remote code execution flaw (CVE-2018-1000049) affecting the Nanopool Claymore Dual Miner software, for which public proof-of-concept code exists online.
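For operators of Claymore rigs, the practical check that follows from the reconfiguration GreyNoise describes and from the remote-management flaw Ullrich identified is a baseline audit of the miner’s own config: does the wallet and pool still match what you set, and is the management API on tcp/3333 left writable? The script below is an added example, not code from the article or from any of the researchers quoted; it assumes Claymore’s config.txt uses the same `-epool`, `-ewal` and `-mport` options as the command line (with a positive `-mport` meaning read/write, negative read-only, 0 disabled, and `-3333` as the default), and all wallet, pool and config values are constructed placeholders.

```python
import shlex

# Constructed sample of a Claymore config.txt (assumed syntax: same options as
# the command line, one or more per line, '#' comments). Not a real rig's config.
SAMPLE_CONFIG = """\
# Ethereum pool and wallet
-epool eth-eu1.nanopool.org:9999
-ewal 0xEXPECTED_WALLET_PLACEHOLDER
-epsw x
# remote management API on tcp/3333, read/write: the setting the scans look for
-mport 3333
"""

# Same config after the hijack the article describes: new pool, attacker's wallet
# (both values constructed placeholders).
HIJACKED_CONFIG = (SAMPLE_CONFIG
    .replace("eth-eu1.nanopool.org:9999", "dwarfpool-host.invalid:8008")
    .replace("0xEXPECTED_WALLET_PLACEHOLDER", "0xATTACKER_WALLET_PLACEHOLDER"))

# The operator's baseline: the one wallet and the pools the rig is allowed to use.
EXPECTED = {
    "wallet": "0xEXPECTED_WALLET_PLACEHOLDER",
    "pools": {"eth-eu1.nanopool.org:9999", "eth-us1.nanopool.org:9999"},
}

def parse_config(text):
    """Map each -option to the token that follows it; '#' starts a comment."""
    opts = {}
    for raw in text.splitlines():
        tokens = shlex.split(raw.split("#", 1)[0])
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            # an option is '-' followed by a letter; '-3333' is a value, not an option
            if len(tok) > 1 and tok[0] == "-" and tok[1].isalpha() and i + 1 < len(tokens):
                opts[tok] = tokens[i + 1]
                i += 2
            else:
                i += 1
    return opts

def audit(opts, expected):
    """Return a list of findings; an empty list means the rig matches the baseline."""
    findings = []
    if opts.get("-ewal") != expected["wallet"]:
        findings.append(f"wallet changed: {opts.get('-ewal')}")
    if opts.get("-epool") not in expected["pools"]:
        findings.append(f"unexpected pool: {opts.get('-epool')}")
    # Assumed Claymore semantics: positive -mport = read/write API, negative =
    # read-only, 0 = disabled; default taken as -3333 (read-only).
    mport = int(opts.get("-mport", "-3333"))
    if mport > 0:
        findings.append(f"management API writable on tcp/{mport}; use -mport 0 or -{mport}")
    return findings

if __name__ == "__main__":
    for name, cfg in (("baseline", SAMPLE_CONFIG), ("hijacked", HIJACKED_CONFIG)):
        print(name, audit(parse_config(cfg), EXPECTED) or ["ok"])
```

Run against the real config.txt on each rig from a cron job and alert on any non-empty result; even the baseline above produces one finding, because a writable `-mport 3333` is exactly what the scans described in the article are looking for.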
This is not the first time we’ve seen intense scans for Ethereum mining rigs. A similar wave of scans took place last November.