Chinese cyber-security company Qihoo 360 has identified a massive exploitation of a vulnerability, leading to a loss of more than $20 million worth of Ether. The hackers have been targeting nodes that have insecurely enabled JSON-RPC, an interface on Geth – a client for running an Ethereum node.
By configuring JSON-RPC in an insecure manner, users have opened a path to remotely access the Ethereum blockchain and send Ether from any account that has been unlocked earlier to perform a transaction. Hackers have been using this vulnerability to steal 38,642 ETH, worth about $20.50 million.
Geth works similarly to an internet browser such as Chrome, which provides access to the internet. Notably, the issue was highlighted by the Ethereum team three years ago.
At that time, the Ethereum team issued the following advice to its users through a blog post:
“It’s come to our attention that some individuals have been bypassing the built-in security that has been placed on the JSON-RPC interface. The RPC interface allows you to send transactions from any account which has been unlocked prior to sending a transaction and will stay unlocked for the entirety of the session.
By default, RPC is disabled, and by enabling it, it is only accessible from the same host on which your Ethereum client is running. By opening the RPC to be accessed by anyone on the internet and not including firewall rules, you open up your wallet to theft by anybody who knows your address in combination with your IP.”
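The advisory describes two conditions that together make a node lootable: the JSON-RPC server bound to a non-loopback address, and an account left unlocked in that session. The following self-audit script is an added example (not Geth's own tooling and not part of the original article): it parses a Geth command line and reports whether the HTTP or WebSocket RPC server would be reachable off-host, whether fund-moving namespaces such as `personal` are exposed there, and whether accounts are unlocked at startup. It recognises both the legacy flag spellings (`--rpc`, `--rpcaddr`, `--rpcapi`) and the current ones (`--http`, `--http.addr`, `--http.api`); the assumption that an unspecified address means loopback follows the advisory's statement that RPC is local-only by default. The two sample command lines are constructed for the example.

```python
"""Audit a geth command line for network-exposed JSON-RPC (added example, not geth's own code)."""
import shlex

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Legacy (pre-1.9) and current geth flag spellings for the two RPC servers.
SERVERS = (
    ("HTTP", {"--rpc", "--http"}, {"--rpcaddr", "--http.addr"}, {"--rpcapi", "--http.api"}),
    ("WebSocket", {"--ws"}, {"--wsaddr", "--ws.addr"}, {"--wsapi", "--ws.api"}),
)

# Namespaces that can unlock keys, move funds or reconfigure the node; never expose them off-host.
SENSITIVE_APIS = {"personal", "admin", "miner", "debug"}


def parse_flags(cmdline):
    """Turn 'geth --http --http.addr 0.0.0.0' into {'--http': True, '--http.addr': '0.0.0.0'}."""
    flags = {}
    tokens = shlex.split(cmdline)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("--"):
            i += 1  # program name or stray positional; not a flag
            continue
        if "=" in tok:  # --flag=value form
            key, value = tok.split("=", 1)
            flags[key] = value
        elif i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
            flags[tok] = tokens[i + 1]  # --flag value form
            i += 1
        else:
            flags[tok] = True  # bare boolean switch
        i += 1
    return flags


def audit(cmdline):
    """Return a list of findings; an empty list means the RPC surface stays on the local host."""
    flags = parse_flags(cmdline)
    findings = []
    network_reachable = False

    for name, enable_keys, addr_keys, api_keys in SERVERS:
        if not any(k in flags for k in enable_keys):
            continue  # this server is not enabled, so nothing listens
        # Assumption (per the advisory): with no explicit address the server binds to loopback.
        addr = next((str(flags[k]) for k in addr_keys if k in flags), "127.0.0.1")
        apis = set()
        for k in api_keys:
            if k in flags and flags[k] is not True:
                apis |= {a.strip() for a in str(flags[k]).split(",")}
        if addr in LOOPBACK:
            continue
        network_reachable = True
        findings.append(f"{name} JSON-RPC bound to {addr}: reachable from the network")
        exposed = sorted(apis & SENSITIVE_APIS)
        if exposed:
            findings.append(f"{name} server exposes sensitive namespaces {exposed} off-host")

    # The advisory's theft scenario needs an unlocked account on a network-reachable node.
    if network_reachable and "--unlock" in flags:
        findings.append("accounts unlocked at startup while RPC is network-reachable")
    if network_reachable and "--allow-insecure-unlock" in flags:
        findings.append("--allow-insecure-unlock disables geth's refusal to unlock over RPC")
    return findings


# Constructed sample command lines: one matching the misconfiguration described in the
# article, one bound to loopback with only read-oriented namespaces enabled.
INSECURE = ("geth --rpc --rpcaddr 0.0.0.0 --rpcapi eth,net,web3,personal "
            "--unlock 0 --allow-insecure-unlock")
HARDENED = "geth --http --http.addr 127.0.0.1 --http.api eth,net,web3"

if __name__ == "__main__":
    for label, cmd in (("insecure", INSECURE), ("hardened", HARDENED)):
        print(f"[{label}] {cmd}")
        for finding in audit(cmd) or ["no network-exposed RPC surface found"]:
            print("   -", finding)
```

Run it against the command line or systemd unit that actually starts your node; a clean result from this check does not replace a host firewall rule on port 8545, which the advisory also recommends, but it catches the flag combination that turned exposed nodes into free withdrawals.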
Earlier in March, Qihoo 360 Netlab issued an alert about a group of hackers who had stolen 3.96234 Ether after scanning the internet for port 8545 to find insecure Geth clients running Ethereum nodes. Now it has been found that the scale of the theft is larger than previously estimated.
Someone tries to make quick money by scanning port 8545, looking for geth clients and stealing their cryptocurrency, good thing geth by default only listens on local 8545 port. So far it has only got 3.96234 Ether on its account, but hey it is free money! pic.twitter.com/YVSWlMtYGa
— 360 Netlab (@360Netlab) March 15, 2018
The group of cyber criminals was specifically looking for users who had left their JSON-RPC port 8545 open to anyone on the internet. It was also found that the hackers have waged multiple attacks on the insecure nodes. The problem highlights the need for users operating nodes on a blockchain network to thoroughly understand, and follow, the relevant security practices.