Note: Slowmist is a blockchain security startup based in Xiamen. Last month, the team revealed an Ethereum defect named “Black Valentine”. The live summary is still counting now.

Recently, SlowMist Security Team observed an automated piracy attack. The hacker used the authentication flaw of Ethereum node’s Geth/Parity RPC API to maliciously steal tokens via eth_sendTransaction. The attack lasted for about two years, the value of the stolen Ethereum (which has not yet been transferred) is around $20 million in total. In addition to that, there are also 164 types of tokens involved, and the total value of which is difficult to estimate (many tokens have not yet been officially issued on the exchange). The details are as shown below:

Attack Process

SlowMist Security Team integrated the Victim details, Reddit Information and Honeypot Log Analysis, backtrack the reasons of this Attack could be as follows:

Global scanning of open Ethereum nodes such as port 8545 (HTTP JSON RPC API) and port 8546 (WebSocket JSON RPC API), sending eth_getBlockByNumber, eth_accounts, eth_getBalance, traversing block height, wallet address, and balance.

Repeatedly call eth_sendTransaction for trying to transfer the balance to the attacker’s wallet.

When the node user happens to execute unlockAccount on his wallet, he does not need to reenter the password to sign the transaction during the duration period. At this time, the attacker’s eth_sendTransaction call will be executed correctly, and the balance would be transferred into the attacker’s wallet.

Reference: personal_unlockAccount

Decrypts the key with the given address from the key store.

Both passphrase and unlock duration are optional when using the JavaScript console. If the passphrase is not supplied as an argument, the console will prompt for the passphrase interactively.

The unencrypted key will be held in memory until the unlock duration expires. If the unlock duration defaults to 300 seconds. An explicit duration of zero seconds unlocks the key until geth exits.

Detail: https://github.com/ethereum/go-ethereum/wiki/Management-APIs#personal_unlockaccount

Attacking Timeline

We conducted a detailed analysis of the attacker’s wallet address on Etherscan and consolidated the following main attacking timeline:

2016/02/14 03:59:14 PM The first time IN (credit), this day is Valentine’s Day

2016/02/16 06:33:30 PM Second IN, two days later, assuming that the automated attack program is online for the first time

2016/05/19 07:46:33 PM First time OUT (OUT), a total number of 51 IN

2016/07/20 06:35:57 PM The second OUT, at this time a total number of 57 IN

2017/05/11 06:34:35 PM Shapeshift (a well-known exchange) of 7 IN, lasting for 71 days

2017/06/10 02:39:53 AM OUT for the last time, a total number of 207 IN at this time

2017/06/21 07:46:49 AM f2pool (well-known pool) of 36 IN, lasting for 4 hours

This tracking of timeline can assist in analyzing the attacker’s behavior.

Influence

Through the SlowMist Security Team’s unique MOOZ system, we scanned about 4.2 billion IPv4 spaces globally and discovered that there are more than 10,000 Ethereum nodes exposed on the public network with the RPC API enabled. All these nodes have a high risk of direct piracy attacks.

Counter Measures

Change the default RPC API port, The configuration method is: –rpcport 8377 or –wsport 8378

Change the RPC API listen address to Intranet. The configuration method is: –rpcaddr 192.168.0.100 or –wsaddr 192.168.0.100

Configure iptables to restrict access to the RPC API port. For example, only 192.168.0.101 is allowed to access port 8545:

iptables -A INPUT -s 192.168.0.101 -p TCP –dport 8545 -j ACCEPT

iptables -A INPUT -p TCP –dport 8545 -j DROP

iptables -A INPUT -s 192.168.0.101 -p TCP –dport 8545 -j ACCEPT iptables -A INPUT -p TCP –dport 8545 -j DROP The keystore should not be stored on the node (because the account is not on the node, unlockAccount will not be used)

Any transaction that uses web3’s sendTransaction and sendRawTransaction to send a private key signed transaction

Private key physical isolation (such as cold wallets, manual transcriptions) or high-strength encrypted storage and security keys

Summary

Through the investigation of this attack and the complete analysis of attack techniques, we are increasingly aware that cyberspace follows the rules of dark forests. This rule is described in the science fiction novel “The Three-Body Problem”: “The universe is a dark forest. Every civilization is a hunter with a gun, sneaking like a ghost in the woods, gently clear out the road covered by branches, trying not to make noise by the steps, even breathing must be careful. He must be very careful, because there are sneaking hunters everywhere in the forest just like him, If he discovers the others and there is only one thing left he can do, that is to shoot the others.”

We have carefully analyzed all the details of this two-year’s attack and which now is still active. If we are the attackers, we can easily steal tens of thousands, even millions of digital assets worldwide through a script project.

Special attention to the attacker’s tactics, not sure if you have noticed, that their first step in the attack is to use eth_getBlockByNumber to get the block height. The details are: eth_getBlockByNumber(“0x00”, false). If the block height is not up-to-date, then this call will give an error. Then there is no execution of the query operations such as wallet address and balance, because the balance is inaccurate, so the final step of the transfer operation can not be completed. The design behind this attack logic is a aestheticization of violence for this scenario.

From the “Attacking Timeline” mentioned above, the attackers are actually quite unusual. This latent attack occurred before in the first well-known hacker attack, ‘The DAO’ event in the Ethereum history (2016/06/17), at which time the Ethereum technology was officially recognized by the market. It can be assumed that the attacker was a very early Ethereum researcher and knew quite well about hacking engineering techniques. The attackers continued to optimize this project during the actual combat.

We further analyzed the functions of the RPC API related modules and discovered some potential security risks that also need to be aware of. For example, if the RPC API has the personal module enabled, attackers can use the private_unlockAccount method to access the account password. If succeed, they can easily unlock + transfer money at the same time. If the miner module is enabled in the RPC API, the mining wallet address can be modified using the miner_setEtherbase method.

During the whole-network detection of our MOOZ system, we found that the RPC API modules opened by Ethereum nodes exposed on the public network are not the same. This provides different conditions for more complex attacks.

From the perspective of defense analysis, we also found that the logging mechanism of Geth is incomplete, which cannot record the source IP of RPC API requests (the configuration –debug and –verbosity 5 are invalid), resulting in difficulties in tracing the attacker’s IP address on the Ethereum nodes that have been directly attacked.

Although the structure of Ethereum itself has stood the test, safety is a whole. Through this attack, we can see some security flaws in Ethereum ecosystem. Some security flaws may be considered as a mechanism that requires the attention of users, but the threshold is too high for users. The security of a high threshold will be more vulnerable to such a big attack.

Finally, we hope this article will call more attention to the security in this ecosystem.