The holiday season has begun (for hackers too) Watch Now

Hackers have set off in motion a massive campaign that scans for Internet-exposed Ethereum wallets and mining equipment, ZDNet has learned today.

The mass-scan campaign has been raging for at least a week, since December 3, Troy Mursch, co-founder of Bad Packets LLC told ZDNet.

Attackers are scanning for devices with port 8545 exposed online. This is the standard port for the JSON-RPC interface of many Ethereum wallets and mining equipment. This interface is a programmatic API that locally-installed apps and services can query for mining and funds-related information.

Also: Adobe releases out-of-band security update for newly discovered Flash zero-day

In theory, this programmatic interface should be only exposed locally, but some wallet apps and mining equipment enable it on all interfaces. Furthermore, this JSON-RPC interface, when enabled, also does not come with a password in default configurations and relies on users setting one.

If the Ethereum wallet or mining equipment has been left exposed on the Internet, attackers can send commands to this powerful interface to move funds from the victim's Ethereum addresses.

However, the problem with port 8545 isn't new. Back in August 2015, the Ethereum team sent out a security advisory to all Ethereum users about the dangers of using mining equipment and Ethereum software that exposes this API interface over the Internet, recommending that users take precautions by either adding a password on the interface, or using a firewall to filter incoming traffic for port 8545.

Many mining rig vendors and wallet app makers have taken precautions to limit port 8545 exposure, or have removed the JSON-RPC interface altogether. Unfortunately, this wasn't an industry-concerted effort, and many devices are still exposed online.

But despite warnings from the Ethereum team, many users have failed to check Ethereum clients about this issue.

While initially this wasn't such a big hassle, as Ethereum's price grew to new heights, so did scans and attacks against exposed Ethereum clients. Massive scans targeting port 8545 have been reported in November 2017, January 2018, May 2018, and June 2018.

Chinese cyber-security firm Qihoo 360 Netlab said that one particular group behind these scans stole Ethereum worth over $20 million, at June 2018's exchange rate.

All the aforementioned scans had one thing in common, and that's the fact that Ethereum's price had skyrocketed to never-before-seen heights during those periods, reaching a whopping $1,377 in January 2018.

Must read

But the scans that have been taking place over the past week aren't taking place during an Ethereum price surge, the currency being valued today at $90, a low that Ethereum hasn't seen since May 2017.

"Despite the price of cryptocurrency crashing into the gutter, free money is still free, even if it's pennies a day," Mursch told ZDNet in an interview earlier today.

According to a chart Mursch shared with ZDNet, the scan activity tripled, when compared to last month.

Image: Troy Mursch

The same tripling of scan activity can also be seen in a public chart based on honeypot data from the ISC SANS project and another chart shared by ZeroBS, a German data security company.

Source: Screengrab from ISC SANS website

Image: ZeroBS

A quick Shodan search shows that nearly 4,700 devices --most of which are Geth mining equipment and Parity wallets-- are currently exposing their 8545 port.

Furthermore, there are also free tools available for exploiting and automating scans and attacks on Ethereum clients via port 8545.

The Ethereum exchange rate might be down, but that doesn't mean the cryptocurrency is worthless. Users should take this article as a warning and make changes to their mining equipment or wallet's configurations before they find they've been robbed overnight.

Related stories: