A group of hackers stole over $20 million USD worth of Ethereum from Ethereum-based apps and mining rigs, Chinese cyber-security firm Qihoo 360 Netlab reported.
The cause of these thefts is Ethereum software applications that have been configured to expose an RPC [Remote Procedure Call] interface on port 8545.
The purpose of this interface is to provide access to a programmatic API that an approved third-party service or app can query and interact or retrieve data from the original Ethereum-based service, such as a mineror wallet application that users or companies have set up for mining or managing funds.
This RPC interface grants access to some pretty sensitive functions, allowing a third-party app the ability to retrieve private keys, move funds or retrieve the owner's personal details.
This interface comes disabled by default in most apps, and is usually accompanied by a warning from the original app's developers not to turn it on unless properly secured by an access control list (ACL), a firewall, or other authentication systems.
Almost all Ethereum-based software comes with an RPC interface nowadays, and in most cases, even when turned on, they are appropriately configured to listen to requests only via the local interface, meaning from apps running on the same machine as the original mining app that exposes the RPC interface.
This isn't a new problem. Months after its launch, the Ethereum Project sent out an official secutrity advisory to warn that some of the users of the Ethereum-based software were running mining rigs with this interface open to remote connections, allowing attackers to steal their funds.
Despite the warning from the official Ethereum developers, users have continued to misconfigure their Ethereum clients. Many have reported losing funds out of the blue, but they were later traced back to exposed RPC interfaces.
Scans for these ports have been silently going on for years, but with cryptocurrency prices growing to record heights in 2017 and 2018, multiple hacking groups have joined in search for easy money left exposed online.
One of the highest spikes in scan activity was recorded last November, when somebody started a massive scan of the entire internet looking for Ethereum JSON RPC endpoints.
Those scans were successful, as that hacker identified that a version of the Electrum wallet app was shipping with its JSON RPC enabled by default, allowing anyone access to users' funds if somebody knew where to look.
In May 2018, Satori _ one of today's biggest IoT botnets _ also started scanning for Ethereum miners that were left accidentally left exposed online.
Those scans started in March of this year, and at that time, the attacker had made only around 3.96234 Ether (between $2,000 and $3,000 USD).
When reviewing that research nowadays, the Netlab team says scans for port 8545 never stopped, but intensified as multiple groups joined the scanning activity, with one group alone being more successful than most, after managing to steal over $20 million worth of Ether funds from exposed applications.
With over $20 million stolen in the last few months just by one group, there are lots of users who started to pay attention in their app's documentation before setting up an Ethereum wallet or mining rig.
Owners of Ethereum wallets and mining rigs are advised to review their Ethereum node's settings and make sure they're not exposing the RPC interface to external connections.
Por Antonio Menéndez
Sources: Coincrispy and Diario Bitcoin