Port 8545 and Ethereum Wallets, A Very Bad Combination
Ethereum has for quite a while been a compelling alternative to Bitcoin. With a much lower price, easier mining (as its hashes are not yet as complex as Bitcoin's) and lighter demands on system resources, it became very popular. However, the biggest problem with cryptocurrency in general is not the underlying technology it runs on (the blockchain), but rather the exchange points where people trade real currency for cryptocurrency using their crypto wallet.
This is exactly what happened with Ethereum, where port 8545 was used to expose some Ethereum wallets to the public Internet without the knowledge of their owners. Automated scanning for Ethereum wallets on port 8545 was actively detected starting Dec 3, 2018. By design, Ethereum wallets are expected to listen only on localhost on port 8545, but some wallets are configured to expose themselves to the public Internet instead. To add insult to injury, a default wallet has no password until the user sets one.
With an Internet-exposed Ethereum wallet, unauthorized fund transfers can occur, causing the unsuspecting user to lose Ethereum coins without any notification. The only initial defense against this is for users to be mindful of their wallets and set a very strong password, preventing brute-force attacks against the wallet's encryption.
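The localhost-only expectation described above can be verified on the node host itself. The following Python script is an added example, not code from the original post or from any Ethereum project: it parses `ss -ltn` style socket listings (the sample lines are constructed) for a listener on port 8545 that is not bound to loopback, and audits a geth command line for the flags that bind the HTTP JSON-RPC endpoint beyond localhost (`--rpcaddr` / `--http.addr`) or enable the `personal` API namespace over it (`--rpcapi` / `--http.api`). That the wallet is a geth node is an assumption, since the post does not name the client; the flag spellings are geth's older and newer forms.

```python
"""Audit whether a geth-style Ethereum node exposes its JSON-RPC port (8545)
beyond localhost. Two independent checks: what is actually listening on the
host (from `ss -ltn` output), and what the node's command line asks for.
Added example; the geth flag names are assumed from geth's documented CLI."""
import shlex

RPC_PORT = 8545
LOOPBACK_ADDRS = {"127.0.0.1", "::1", "localhost"}
WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}  # binds every interface

# geth flag spellings: older form first, newer form second.
ENABLE_FLAGS = ("--rpc", "--http")
ADDR_FLAGS = ("--rpcaddr", "--http.addr")
API_FLAGS = ("--rpcapi", "--http.api")

# Constructed sample of `ss -ltn` output: RPC on all interfaces, p2p on
# all interfaces (expected), and a websocket port correctly on loopback.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:8545         0.0.0.0:*
LISTEN 0      4096   [::]:30303           [::]:*
LISTEN 0      128    127.0.0.1:8546       0.0.0.0:*
"""


def listening_sockets(ss_output):
    """Parse `ss -ltn` style lines into (address, port) tuples for LISTEN sockets."""
    sockets = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or non-listening state
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        sockets.append((addr.strip("[]"), int(port)))  # "[::]" -> "::"
    return sockets


def exposed_rpc_sockets(ss_output, port=RPC_PORT):
    """Return addresses on which the RPC port is reachable from off-host."""
    return [addr for addr, p in listening_sockets(ss_output)
            if p == port and addr not in LOOPBACK_ADDRS]


def _flag_value(args, names):
    """Value of the first matching flag, accepting `--flag v` and `--flag=v`."""
    for i, arg in enumerate(args):
        for name in names:
            if arg == name and i + 1 < len(args):
                return args[i + 1]
            if arg.startswith(name + "="):
                return arg[len(name) + 1:]
    return None


def audit_geth_cmdline(cmdline):
    """Return a list of findings for a geth command line (empty means OK)."""
    args = shlex.split(cmdline)
    findings = []
    if not any(a in ENABLE_FLAGS for a in args):
        return findings  # HTTP-RPC not enabled at all
    addr = _flag_value(args, ADDR_FLAGS) or "127.0.0.1"  # geth's default bind
    if addr in WILDCARD_ADDRS:
        findings.append(f"HTTP-RPC bound to all interfaces ({addr})")
    elif addr not in LOOPBACK_ADDRS:
        findings.append(f"HTTP-RPC bound to non-loopback address {addr}")
    apis = [a.strip() for a in (_flag_value(args, API_FLAGS) or "").split(",")]
    if "personal" in apis:
        findings.append("'personal' namespace enabled over HTTP-RPC "
                        "(account unlock and signing reachable remotely)")
    return findings


if __name__ == "__main__":
    print("exposed RPC listeners:", exposed_rpc_sockets(SAMPLE_SS))
    # Constructed command line showing the risky configuration.
    for f in audit_geth_cmdline("geth --rpc --rpcaddr 0.0.0.0 --rpcapi eth,net,web3,personal"):
        print("finding:", f)
```

On a real host, feed the script the actual `ss -ltn` output and the node's command line from the process list; the remediation both checks point at is the same: bind the RPC endpoint to 127.0.0.1 (or put it behind an authenticated proxy) and leave the `personal` namespace disabled.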
Publicly accessible Ethereum wallets have been known to exist since 2015. But nobody has responded to the Ethereum team's call to take the necessary precautions, including the use of a strong password to lock down those Internet-facing Ethereum wallets. There are also Ethereum wallets that do not prompt their users for a new password upon creation, which further increases the possibility of account hijacking. Although Ethereum lost through unauthorized fund transfers can no longer be recovered by the original owner, the subsequent transactions in which the stolen funds are used can be tracked, as the blockchain's design makes every transaction public.
Just like any other cryptocurrency operating in the world, Ethereum is easy to use and transfer. Paired with insecure crypto exchange services, it is a sure-fire way to lose a lot of money in a short period. Scanning for port 8545 is not restricted to highly trained cybercriminals; anyone with enough time on their hands can perform it, because scanning tools such as geth-hack, an open source program, are available for everyone to download and use.
Cybercriminals diversified into cryptocurrency-related cybercrime in 2018 after a year of over-relying on ransomware to raise profits. Threat actors love the silent operation of cryptocurrency theft and mining on machines they never owned. Detection of their activities is a cybercriminal's main concern, and it makes their ransomware less profitable in the long run, as more companies implement credible backup systems. An enterprise with a decent backup system can reverse the effects of ransomware without paying the ransom, hence more malware authors are developing cryptocurrency mining malware instead. The silent operation of this new malware type is very helpful to cybercriminals because it delays discovery, or hides the malware entirely, from advanced users and system administrators. The longer they can remain undetected, the more cryptocurrency can be mined using the infected machines.