Hackers Steal Over $20M From Misconfigured ETH Clients

Attackers used an RPC [Remote Procedure Call] interface on port 8545
12 June 2018

A group of hackers stole more than $20M worth of ETH from wallets and mining apps based on the same-named blockchain. This was reported by CoinDaily.

The attackers went after Ethereum software applications that were configured to expose the RPC (remote procedure call) interface on port 8545.

This interface exposes a software API through which approved third-party services or applications can request data from the source service, for example applications that store funds received from mining.

The RPC interface can expose some important functions, allowing a third-party application to view private keys and personal user data and to conduct transactions.

By default it is disabled in most applications, and developers warn of the danger of enabling it without protecting it with an ACL (access control list), a firewall, or another authentication mechanism.

Nowadays almost all Ethereum-based software ships with an RPC interface, and in most cases, even when it is turned on, it is configured to listen only on the local interface (127.0.0.1), that is, to accept requests only from apps running on the same machine as the mining/wallet app that exposes it.

Despite the warnings of the official developers, users continued to run misconfigured Ethereum clients for years, and many of them reported losing funds through an open RPC interface.

Scanning for these interfaces has gone on for years but intensified as cryptocurrency prices rose. One of the biggest surges in scanning activity was recorded in November of last year.

The attacks succeeded because, as the victims soon discovered, their version of the Electrum Wallet application comes with JSON-RPC enabled by default, which makes it easy to access user tools.

According to security experts, at least one massive scan of port 8545 was recorded, searching for exposed software on the Ethereum network.

Since March of this year, when these scans began, the attacker was able to take about 3.96234 ETH (about $2-3 thousand).

After analyzing its own observations, the Netlab team concluded that scanning of port 8545 never ceased and intensified when several groups joined in. One of them turned out to be more effective than the others, taking more than $20 million worth of Ethereum from exposed applications.

In May 2018, Satori, one of the world's largest IoT botnets, also began scanning for exposed Ethereum miners.

Constantinople to be Postponed

Ethereum's hard fork will be delayed because of a critical vulnerability that was found
16 January 2019

A scheduled upgrade of the Ethereum network, called Constantinople, was postponed indefinitely after a critical vulnerability was discovered in one of its improvements, CoinDesk reports.

The vulnerability is in EIP-1283 and, as identified by the smart-contract audit company SmartSecurity, gave hackers the opportunity to steal user funds.

During a video conference on Tuesday, attended by Ethereum developers and representatives of other clients and projects working on the network, it was decided to postpone activation of the hard fork for now.

In particular, Vitalik Buterin, developers Hudson Jameson, Nick Johnson and Evan van Ness, and Parity release manager Afri Schoedon took part in the meeting. Discussing the vulnerability, they agreed that it could not be eliminated before the scheduled time of the hard fork (around 04:00 UTC on January 17).

The vulnerability enables a so-called reentrancy attack, in which an attacker repeatedly re-enters the same function and drains funds without limit.

“Imagine that my contract has a function which makes a call to another contract… If I’m a hacker and I’m able to trigger function a while the previous function was still executing, I might be able to withdraw funds.”

Joanes Espanol, CTO, blockchain analytics firm Amberdata

According to him, this is very similar to the vulnerabilities discovered in The DAO in the summer of 2016.

Representatives of ChainSecurity also noted that before the Constantinople hard fork a storage write on the network cost 5,000 gas, which exceeds the 2,300 gas that calls made through the “transfer” and “send” functions usually provide. After the upgrade, “dirty” storage operations will cost 200 gas, so an attacking contract can use those 2,300 gas to manipulate the variables of vulnerable contracts.
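The pattern described above, as an added example that is not from the article or from ChainSecurity's own write-up: a fund splitter whose author trusted the 2,300-gas stipend of transfer() to keep the callee from touching state, beside a version that does not rely on the stipend at all (the contract names and layout are assumptions of this illustration).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Shared state for both versions (illustration only, not the audited contract).
abstract contract SplitterBase {
    address payable public a;
    address payable public b;
    uint256 public split; // percent of each payout that goes to `a`
    constructor(address payable _a, address payable _b, uint256 _split) {
        require(_split <= 100, "split > 100");
        a = _a; b = _b; split = _split;
    }
    receive() external payable {}
    function _setSplit(uint256 _split) internal {
        require(msg.sender == a || msg.sender == b, "not a party");
        require(_split <= 100, "split > 100");
        split = _split;
    }
}

// Vulnerable: `split` is re-read after an external call, and the 2300-gas
// stipend of transfer() was trusted to stop the callee from changing it.
// After EIP-1283 a dirty SSTORE costs 200 gas, so a contract at `a` can
// call updateSplit() from its receive() within that stipend.
contract SplitterVulnerable is SplitterBase {
    constructor(address payable _a, address payable _b, uint256 _s) SplitterBase(_a, _b, _s) {}
    function updateSplit(uint256 _split) external { _setSplit(_split); }
    function payout() external {
        uint256 total = address(this).balance;
        a.transfer(total * split / 100);         // callee may re-enter updateSplit()
        b.transfer(total * (100 - split) / 100); // assumes split is unchanged
    }
}

// Hardened: fix every share before any external call (checks-effects-
// interactions) and lock ALL state-changing entry points, not only payout().
contract SplitterHardened is SplitterBase {
    bool private locked;
    modifier nonReentrant() { require(!locked, "reentrant call"); locked = true; _; locked = false; }
    constructor(address payable _a, address payable _b, uint256 _s) SplitterBase(_a, _b, _s) {}
    function updateSplit(uint256 _split) external nonReentrant { _setSplit(_split); }
    function payout() external nonReentrant {
        uint256 total = address(this).balance;
        uint256 toA = total * split / 100;
        uint256 toB = total - toA;       // both shares computed before any call
        a.transfer(toA);
        b.transfer(toB);
    }
}
```

With the lock on updateSplit() as well, a re-entrant call from the callee reverts instead of silently changing the split, which is what makes the guard effective regardless of how much gas the stipend allows.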

A new date for the hard fork has not yet been set.