Hackers Stole Over $20 Million From Misconfigured Ethereum Clients
By Catalin Cimpanu
A group of hackers has stolen over $20 million worth of Ethereum from Ethereum-based apps and mining rigs, Chinese cyber-security firm Qihoo 360 Netlab reported today.
The cause of these thefts is Ethereum software applications that have been configured to expose an RPC interface on port 8545.
The purpose of this interface is to provide access to a programmatic API that an approved third-party service or app can use to query, interact with, or retrieve data from the original Ethereum-based service — such as a miner or wallet application that users or companies have set up for mining or managing funds.
Because of its role, this RPC interface grants access to some pretty sensitive functions, allowing a third-party app the ability to retrieve private keys, move funds, or retrieve the owner's personal details.
As such, this interface comes disabled by default in most apps, and is usually accompanied by a warning from the original app's developers not to turn it on unless properly secured by an access control list (ACL), a firewall, or other authentication systems.
Almost all Ethereum-based software comes with an RPC interface nowadays, and in most cases, even when turned on, they are appropriately configured to listen to requests only via the local interface (127.0.0.1), meaning from apps running on the same machine as the original mining/wallet app that exposes the RPC interface.
But across the years, developers have been known to tinker with their Ethereum apps, sometimes without knowing what they are doing.
This isn't a new issue. Months after its launch, the Ethereum Project sent out an official security advisory to warn that some of the users of the geth Ethereum mining software were running mining rigs with this interface open to remote connections, allowing attackers to steal their funds.
But despite the warning from the official Ethereum devs, users have continued to misconfigure their Ethereum clients across the years, and many have reported losing funds out of the blue, losses that were later traced back to exposed RPC interfaces.
Scans for these ports have been silently going on for years but with cryptocurrency prices growing to record heights in 2017, multiple threat groups have joined the fold in search for easy money left exposed online.
One of the hugest spikes in scan activity was recorded last year, in November, when a threat actor started a massive scan of the entire Internet looking for Ethereum JSON RPC endpoints.
Those scans were successful, as that threat actor soon identified that a version of the Electrum wallet app was shipping with its JSON RPC enabled by default, allowing anyone access to users' funds if somebody knew where to look.
In May 2018, Satori — one of today's biggest IoT botnets — also started scanning for Ethereum miners that were accidentally left exposed online.
Those attacks targeted devices running on port 3333, but for most of these applications, their default RPC interface resides on port 8545.
According to security experts from Qihoo 360 Netlab, at least one threat actor started mass-scans for port 8545, looking for Ethereum software left exposed online.
Those scans started in March, this year, and at that time, the attacker had made only around 3.96234 Ether (~$2,000-$3,000).
Revisiting that research today, the Netlab team says scans for port 8545 never stopped, but intensified as multiple groups joined the scanning activity, with one group alone being more successful than most, after managing to siphon over $20 million worth of Ether funds from exposed applications.
"If you have honeypot running on port 8545, you should be able to see the requests in the payload, which has the wallet addresses," the Netlab team says. "And there are quite a few IPs scanning heavily on this port now."
With a slew of tools to automate port 8545 scanning and hacking available on GitHub, intentionally opening your miner or wallet app service on port 8545 is financial suicide.
Nonetheless, with over $20 million stolen in the last few months just by one group, there are apparently lots of users who can't be bothered with reading their app's documentation before setting up an Ethereum wallet or mining rig.
Scans for port 8545 are only expected to go up, as this group's success will surely attract more threat actors looking for a quick buck.
Owners of Ethereum wallets and mining rigs are advised to review their Ethereum node's settings and make sure they're not exposing the RPC interface to external connections.
https://www.bleepingcomputer.com/new...ereum-clients/
[Reply]
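One way to run the check the article recommends, as an added example that is not part of the original post or the article: it reads the Linux listening-socket table and reports RPC ports bound to anything other than loopback. It assumes a little-endian Linux host and IPv4 only (`/proc/net/tcp`, not `/proc/net/tcp6`); the sample table and function names are constructed for illustration.

```python
import ipaddress

RPC_PORTS = {8545}      # default JSON-RPC port named in the article
TCP_LISTEN = "0A"       # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:2161 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20001
   1: 0100007F:0D05 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20002
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20003
   3: 0A01A8C0:2161 0500A8C0:D431 01 00000000:00000000 00:00000000 00000000  1000        0 20004
"""


def decode_ipv4(hex_addr):
    """Decode the address column: a 32-bit word printed in little-endian hex."""
    return ipaddress.IPv4Address(bytes.fromhex(hex_addr)[::-1])


def exposed_rpc_listeners(proc_net_tcp, ports=RPC_PORTS):
    """Return (address, port) for watched ports listening on a non-loopback address."""
    findings = []
    for line in proc_net_tcp.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue                                # ignore established connections etc.
        hex_addr, hex_port = fields[1].split(":")
        addr, port = decode_ipv4(hex_addr), int(hex_port, 16)
        # 0.0.0.0 or a routable address means remote hosts can reach the RPC API.
        if port in ports and not addr.is_loopback:
            findings.append((str(addr), port))
    return findings


if __name__ == "__main__":
    # Port 3333 is the miner port the article says Satori scanned for.
    for addr, port in exposed_rpc_listeners(SAMPLE_PROC_NET_TCP, {8545, 3333}):
        print(f"port {port} is listening on {addr}: reachable beyond localhost")
```

On a real host, pass `open("/proc/net/tcp").read()` instead of the sample; a finding means the bind address should be changed back to 127.0.0.1 or the port placed behind a firewall or ACL.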
Originally Posted by BWillie:
Oh yeah, just bitcoin? Your crypto studies have led you to this conclusion?
I was just a few days ahead of the story :-)
==============================================
Bitcoin prices have been manipulated, study says
by Nathaniel Meyersohn @CNNMoneyInvest
June 13, 2018: 10:59 AM ET
http://money.cnn.com/2018/06/13/inve...pto/index.html
Bitcoin's remarkable run last year may have been smoke and mirrors.
Tether, another digital currency tied to the US dollar, was used to artificially inflate bitcoin prices, according to a study released Wednesday by the University of Texas.
John Griffin, a finance professor at the university, and graduate student Amin Shams analyzed blockchain purchases and discovered that major Tether buys were timed to follow market downturns and helped stabilize bitcoin's floor.
"These patterns cannot be explained by investor demand," they said in the study.
Griffin and Shams have also recently found that the VIX, Wall Street's volatility index, was being manipulated.
A lawsuit filed in March cited their research to claim traders manipulated the value of VIX options and futures by making bets on the S&P 500 before VIX settlement auctions.
The price of bitcoin dropped 1% on Wednesday to around $6,485, according to CoinDesk. Bitcoin's slump drove down other cryptocurrencies, including ripple, litecoin, and ethereum.
Bitcoin continued reeling days after a massive hack in South Korea. On Monday, South Korea's Coinrail said that it had been hacked and about 30% of its virtual currencies were stolen. South Korea is one of the biggest markets for crypto trading in the world.
Over the past month, bitcoin has lost 25% of its value.
Retail buyers flooded the market late last year, lifting bitcoin to above $19,000 in December. But it has fallen in recent months due to fears of stricter regulations and an absence of institutional investors coming in, said Jason Yanowitz, co-founder of blockchain advisory firm BlockWorks Group.
—CNNMoney's Daniel Shane contributed to this story.
https://www.bloomberg.com/news/artic...-boost-bitcoin
Tether Used to Manipulate Price of Bitcoin During 2017 Peak: New Study
By Matt Robinson and Matthew Leising
June 13, 2018, 2:02 AM MST Updated on June 13, 2018, 5:26 AM MST
Tether, one of the most-traded cryptocurrencies, shows a pattern of being spent on Bitcoin at pivotal moments, helping to drive the world’s first digital asset to a record price in December, according to research by a University of Texas professor known for flagging suspicious activity in the VIX benchmark.
“Tether seems to be used both to stabilize and manipulate Bitcoin prices,” finance professor John Griffin and co-author Amin Shams wrote in a paper released Wednesday.
Questions about Tether and Bitfinex have dogged the cryptocurrency world since last year, when Bitfinex lost banking relationships yet continued to operate. The U.S. Commodity Futures Trading Commission subpoenaed both firms in December, seeking proof that Tether is backed by a reserve of U.S. dollars, as it claims. Tether and Bitfinex haven’t been accused of wrongdoing.
“Bitfinex nor Tether is, or has ever, engaged in any sort of market or price manipulation,” Bitfinex Chief Executive Officer JL van der Velde said in an emailed statement. “Tether issuances cannot be used to prop up the price of Bitcoin or any other coin/token on Bitfinex.”
Griffin and Shams -- in a paper titled “Is Bitcoin Really Un-Tethered?” -- set out to understand how the 2.5 billion Tether coins in existence have flowed through markets. While little public information exists about how Tether is created, it generally trades for around $1 because each coin is supposed to be backed by $1 of fiat money in a bank. The currency, which started trading in 2015, is pitched as a stable alternative to Bitcoin’s volatility, acting as a haven for crypto investors.
The data analyzed by the academics includes Bitcoin’s meteoric rise to a record high of almost $20,000 last December, before it crashed this year. It fell 1.4 percent Wednesday to $6,441.17, according to price data compiled by Bloomberg.
The analysis showed a pattern of Bitcoin price support, Griffin said. First, Tethers are created by the parent company Tether Ltd., often in large chunks such as 200 million. Almost all new coins then move to Bitfinex, he said. When Bitcoin prices drop soon after the issuance, Tethers at Bitfinex and other exchanges are used to buy Bitcoin “in a coordinated way that drives the price,” Griffin said in an interview.
“I’ve looked at a lot of markets,” he said. “If there’s fraud or manipulation in a market it can leave tracks in the data. The tracks in the data here are very consistent with a manipulation hypothesis.”
Griffin’s paper describes several patterns uncovered in a yearlong period. First it found that flows weren’t symmetric. When Bitcoin’s price fell, purchases with Tether tended to increase, helping to reverse the decline. But during times when Bitcoin rose, Griffin said he didn’t see the reverse occur. That’s “suggestive of Tether being used to protect Bitcoin prices during downturns,” he wrote.
Price Thresholds
He zeroed in on 87 of the largest purchases of Bitcoin with Tether from March 2017 to March 2018. In the cases examined, new Tether had been issued within the prior three days, and Bitcoin’s price had fallen in the prior hour. What followed were increases in Bitcoin’s price -- and those gains added up.
Even though the 87 examples account for less than 1 percent of the time period examined, they amounted to about 50 percent of Bitcoin’s compounded return over that year. In comparison, 10,000 simulations Griffin and Shams ran demonstrated “that this behavior never occurs randomly,” they wrote.
Griffin said one of the most notable trends he saw in the data was when Bitcoin traded near certain price thresholds, denominated in $500 increments.
Bitcoin purchases with Tether “strongly increase just below multiples of 500. This pattern is only present in periods following printing of Tether and not observed by other exchanges,” he wrote in the paper. To other investors, it gives the impression of a “price floor,” providing a signal for them to buy as well.
“If it was random behavior you wouldn’t see it cluster around the thresholds,” he said in the interview. “It indicates it’s a conscious strategy to provide price support.”
VIX Study
Tether and Bitfinex share a management team, including van der Velde. Little is known about how the businesses cooperate or stay separate. Griffin said his research found “barely any flows moving back to the initial Tether printing node.”
His observations come as the global cryptocurrency market faces mounting scrutiny from U.S. authorities.
The Justice Department is said to be conducting a criminal probe into whether traders are using a variety of techniques to manipulate Bitcoin and other digital assets. One of the lead enforcers at the Securities and Exchange Commission told members of Congress last month that initial coin offerings, or ICOs, are now among the “greatest threats” to mom-and-pop investors and that the agency has dozens of active investigations. ICOs are a new form of raising money where startups sell digital tokens to investors much like a company sells shares to investors.
Griffin has pointed to alleged funny business in financial markets before. Last month, Bloomberg reported that the SEC and CFTC opened investigations into allegations that Cboe Global Markets Inc.’s widely used VIX benchmark is being manipulated, people familiar with the matter said at the time. Griffin’s 2017 paper, written with a grad student, caught traders’ attention for spotlighting potential manipulation of the VIX. The Cboe has called his conclusions incorrect.
His latest research topic has similar wide-ranging implications, he said.
“The hype in cryptocurrency isn’t just 20-year-olds buying Bitcoin in their garage -- that’s part of it -- but there are big players moving the market and having a huge price impact,” Griffin said.
— With assistance by Will Mathis
[Reply]