$83k in bitcoins 'stolen' through BGP hijack

Posted by   Virus Bulletin on   Aug 8, 2014

Short-lived network changes used to make miners connect to rogue pool.

Researchers at Dell SecureWorks have discovered an operation that used BGP hijacking to force bitcoin miners to connect to mining pools under the attackers' control, thus gaining them a lot of extra mining power and, ultimately, about $83,000 in bitcoins.

New bitcoins are constantly being created through a process called 'mining': performing resource-intensive and difficult calculations to create a 'block' with a hash value satisfying certain properties. Roughly every ten minutes, a new block worth 25 bitcoins (around $15k) is thus added to the 'block chain'. To make the payout from mining activity less of a lottery, miners usually cooperate in 'mining pools' to share both processing power and rewards.

In a mining pool, clients connect to the pool to receive instructions and share results. A commonly used protocol is the JSON-based Stratum mining protocol. Crucially, in this protocol the mining pool does not authenticate to the clients.

In the incident discovered by the Dell researchers, a rough entity working for a Canadian ISP, or having access to its networks, was able to abuse BGP to announce malicious routes, thus hijacking traffic destined for hosting companies such as Amazon, Digital Ocean and OVH.

None of these attacks lasted very long, but they were enough for the attackers to pretend to be the mining pool and tell the mining client to connect to a second server under their control. Lack of authentication in the Stratum protocol meant this happened seamlessly, and some miners didn't discover anything was amiss until weeks later.

Although the attacks stopped once the upstream provider of the Canadian ISP was notified, it is unclear whether the attack was performed by a rogue (ex-)employee or by an entity having obtained access to the ISP's network.

BGP hijacking isn't new, and in the recent past has, for instance, led to the routing of US Internet traffic through Belarus and Iceland. The study of the BGP graph can help detect and prevent malicious activity, as OpenDNS researcher Dhia Mahjoub will show in the paper "Sweeping the IP space: the hunt for evil on the Internet" that he will present at VB2014.

Cybercriminals' interest in bitcoins isn't new either. In another VB2014 paper, "Well, that escalated quickly. From penny-stealing malware to multi-million-dollar heists, a quick overview of the bitcoin bonanza in the digital era", Kaspersky's Santiago Pontiroli will take a look at malicious activity aroud bitcoins and other cryptocurrencies.

You can now register for VB2014, which will take place 24-26 September in Seattle, WA, USA. Or, if you have some interesting last-minute research to contribute, why not submit an abstract for one of the seven remaining slots.

Posted on 08 August 2014 by Martijn Grooten

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

VB2018 paper: Internet balkanization: why are we raising borders online?

At VB2018 in Montreal, Ixia researcher Stefan Tanase presented a thought-provoking paper on the current state of the Internet and the worrying tendency towards raising borders and restricting the flow of information. Today we publish both his paper…

The malspam security products miss: banking and email phishing, Emotet and Bushaloader

The set-up of the VBSpam test lab gives us a unique insight into the kinds of emails that are more likely to bypass email filters. This week we look at the malspam that was missed: banking and email phishing, Emotet and Bushaloader.

VB2018 paper: Where have all the good hires gone?

The cybersecurity skills gap has been described as one of the biggest challenges facing IT leaders today. At VB2018 in Montreal, ESET's Lysa Myers outlined some of the things the industry can do to help address the problem. Today we publish Lysa's…

Preview: Nullcon 2019

We look forward the Nullcon 2019 conference in Goa, India, at which VB Editor Martijn Grooten will give a talk on the state of malware.

From Amazon to Emotet: a look at those phishing and malware emails that bypassed email security products

We see a lot of spam in the VBSpam test lab, and we also see how well such emails are being blocked by email security products. Recently some of the emails that bypassed security products included a broken Amazon phishing campaign, a large fake UPS…

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.