Hackers exploit major internet security hole to steal $83,000 in bitcoin from mining pools
It’s reminiscent of a Hollywood thriller. Dell SecureWorks researchers have identified a massive hacking effort that redirected the Internet traffic of some 19 Internet Service Providers (ISPs) to steal tens of thousands of dollars in bitcoin from a handful of mining pools. The story, first reported by Wired, is sadly entirely non-fiction, and the exploit the hacker used is not some sophisticated new zero-day attack, but rather one that security pros have been aware of for several decades.
The source of the attack is unknown, but the central point of failure appears to be an as yet unnamed Canadian ISP that the thief used to broadcast spoofed commands and redirect traffic from more than a dozen other ISPs. The network targets included Amazon, as well as hosting services DigitalOcean and OVH, among others. But the real victims in this tale are the bitcoin mining pools that had their computational efforts co-opted and the proceeds of this labor rerouted to a private pool controlled by the hacker.
Those most impacted by the attack were miners who left their rigs unattended for days or weeks at a time, making it less likely that they would notice missing payouts or any other signal that something was amiss. Dell argues that the attack could nonetheless have been thwarted had the mining pool servers used the Secure Sockets Layer (SSL) protocol.
The hackers used an attack vector called a Border Gateway Protocol (BGP) hijack, in which the attacker alters the routing instructions that govern Internet traffic between networks. Security professionals first became aware of this exploit in 1998 and over the years have seen several examples of its impact.
In 2008, in an attempt to censor objectionable YouTube traffic, Pakistan accidentally hijacked all of the world’s YouTube traffic through its servers. Later that year it was called “The Internet’s Biggest Security Hole” by a group of presenters at the famed DefCon security conference. Then in 2010 a few thousand bad IP addresses in China meant that China Telecom diverted 15 percent of all Internet traffic across its network for 18 minutes. And last year a portion of all US internet traffic was rerouted to Iceland and Belarus – according to some, by Chinese government agencies. Each of the above incidents was explained away as unintentional and determined to have resulted in no permanent impact. But they nonetheless mean we should have been more prepared for this type of attack.
This latest BGP hijack scam was not so innocent. The attack is said to have grown to generate as much as $9,000 worth of bitcoin and other altcoins per day at its peak, amounting to a minimum of $83,000 between February and May 2014 – although the number could be larger, as researchers only collected data on the attack for a portion of this time. Given the specificity of the attack, which was directed squarely at virtual currency mining pools, it was obviously not a mistake.
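As an added illustration (not from the article or from the SecureWorks report), here is a minimal route-monitoring check a pool operator could run over BGP announcements collected from a route collector or looking glass. It flags the two shapes of hijack described above: a monitored prefix originated by an unexpected AS, and a more-specific prefix injected inside a monitored block, which BGP prefers regardless of who announces it. The prefixes, ASNs and the `AUTHORISED` table are constructed; in practice that table would come from RPKI ROAs or an IRR export.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Announcement:
    prefix: str        # announced prefix, e.g. "203.0.113.0/24"
    origin_asn: int    # last ASN in the AS path: the network claiming to own the prefix
    as_path: tuple     # full AS path as observed by the collector


# Constructed "known good" table: which AS is authorised to originate which prefix.
AUTHORISED = {
    "203.0.113.0/24": 64500,   # hypothetical mining pool's address block
    "198.51.100.0/22": 64501,  # hypothetical hosting provider block
}


def classify(ann, authorised=AUTHORISED):
    """Return None if the announcement agrees with the authorised table,
    otherwise a short reason string describing the suspected hijack."""
    seen = ipaddress.ip_network(ann.prefix, strict=False)
    for pfx, asn in authorised.items():
        known = ipaddress.ip_network(pfx)
        if seen.version != known.version:
            continue  # subnet_of() cannot compare IPv4 with IPv6
        if seen == known:
            if ann.origin_asn != asn:
                return f"origin hijack: {ann.prefix} originated by AS{ann.origin_asn}, expected AS{asn}"
            return None
        if seen.subnet_of(known):
            # A more-specific from the legitimate origin is ordinary traffic engineering;
            # from anyone else it steals traffic for part of the block.
            if ann.origin_asn != asn:
                return f"more-specific hijack: {ann.prefix} inside {pfx} originated by AS{ann.origin_asn}"
            return None
    return None  # prefix we do not monitor


def scan(announcements, authorised=AUTHORISED):
    """Return (announcement, reason) pairs for every suspicious announcement."""
    return [(a, r) for a in announcements if (r := classify(a, authorised))]


SAMPLE = [  # constructed sample feed, not real route data
    Announcement("203.0.113.0/24", 64500, (64510, 64500)),   # legitimate
    Announcement("203.0.113.0/25", 64666, (64520, 64666)),   # more-specific injected by a stranger
    Announcement("198.51.100.0/22", 64666, (64520, 64666)),  # same prefix, wrong origin
    Announcement("192.0.2.0/24", 64999, (64520, 64999)),     # not a monitored prefix
]

if __name__ == "__main__":
    for ann, reason in scan(SAMPLE):
        print(reason)
```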
“We’re going to see other events like this,” Dell’s Joe Stewart tells Wired. “It’s ripe for exploitation.” The SecureWorks report echoes this sentiment, stating, “Every network administrator should prepare for the risk of narrowly-focused, malicious BGP hijacking incidents.”
Given the potential for harm, this attack was relatively small scale – although researchers acknowledge that there could have been more activity that they didn’t observe. But despite its modest impact, this is the latest in what is becoming a lengthy list of incidents that underscore the importance of developing a fix for BGP hijack attacks.
As cryptocurrencies become more and more valuable and the mining and use of these digital assets permeate the mainstream, they become a more attractive and easier target for enterprising criminals. In a perverse sense, it’s somewhat flattering that the cryptocurrency industry, rather than mainstream banking, is the target of these attacks. But more practically, it just means these miners are out $83,000. Worst of all, it could have all been avoided.