(Many thanks to Jon Hart and Bob Rudis for their contributions to this post.)

Port 8545 appeared on our radar as one of the top 20 most talkative ports of June 2018. Intrigued by its popularity, we began to examine data related to connections to port 8545, and consequently uncovered an Ocean’s 8-scale heist.

Data from our Heisenberg honeypot network shows that activity on port 8545 has remained at a steady level since May 2018. Interestingly, in late February there was a tremendous upsurge in activity, peaking at an average of 150 connections per honeypot per day. At the end of April, the number of connections abruptly decreased and has since plateaued.

Historically, there was little activity on port 8545 until October 2017. The average number of connections to the port tripled, surging from an average of 10 to 30 connections registered per sensor. The most interesting activity on port 8545 occurred in February 2018. Activity dropped to virtually zero connections in early February, eventually rising to the peak number of connections mentioned earlier.

Why are people interested in scanning port 8545?

Port 8545 is the default listening port for the Remote Procedure Call (RPC) interface of Ethereum clients, including Geth. All Ethereum clients have a built in RPC interface which can provide third-party access via an API, thus possibly exposing sensitive information and operations. By default, most Ethereum clients deactivate RPC, but users interested in enabling remote Ethereum blockchain access can activate the JSON-RPC interface. While authentication and Access Control Lists (ACLs) are supported, the interface can expose users’ miner information and wallet details if connected to the internet. The current activity on port 8545 is likely to be malicious actors scanning the port for unprotected JSON-RPC interfaces in an effort to capture Ether.

This recent uptick in activity is not the first time that an Ethereum-related RPC vulnerability was exploited. On September 6th, 2017, hackers acquired over 21,000 Ether from Geth users, a haul then valued at approximately 6.7 million USD. Interestingly, we did not see a huge uptick in activity on port 8545 on the day of the attack, nor in the days prefacing or following the event. As of now, the group sits on a hoard of 38,649 Ether, worth over 20 million USD in today’s valuation. Amazingly, news of this specific heist was first published in June of 2018, about 9 months after the event. Although the Ether collected by this mysterious, Ocean-esque gang still languishes in a Geth wallet, we could continue to see their influence–fiscal or otherwise–in the months to come.

This past March, the Chinese security agency Qihoo 360 reported a separate theft of Ether funds via the aforementioned misconfiguration. The activity on port 8545 here in 2018 is likely due to inspired copycat criminals, many of whom are taking advantage of the increased availability of automated scanning programs, some specifically designed for Ethereum.

In response to this uptick in scanning activity for the Ethereum JSON-RPC interfaces, Rapid7 Labs launched a Sonar study to understand the current global exposure. A recent Sonar study conducted on June 17, 2018 identified over 3000 Ethereum JSON-RPC clients exposed on the public IPv4 internet, with 77% of the clients appearing to be Geth with a strong showing from Ganache CLI and Parity.

How can I secure my Ether wallet and protect my information?

The first, most obvious step you can take to protect your Ether wallet is to disable the JSON-RPC interface. If you are considering investing in Ether and have not yet opened an account, do not modify your client’s default settings regarding RPC configuration. However, activating the JSON-RPC interface alone will not expose your node. By default, Ethereum clients are configured so that only local connections are accepted. Geth, specifically, only accepts connections on 127.0.0.1. Some users change this setting to 0.0.0.0 so that they can remotely connect to an Ethereum node, but this action exposes the node to the entire internet. Bots identify wallets configured as above and systematically bombard vulnerable accounts with eth_sendTransaction calls. The moment the account is unlocked, a bot can transfer funds to a target address.

Ether thieves take advantage of this fundamental misconfiguration in Ether wallets, but users can easily protect their funds by simply not connecting their wallets to the internet.

In general, operating behind a firewall is one of the best ways to prevent the exposure of sensitive information. Additionally, it’s helpful to follow news sources that regularly post about applications you use. Security issues involving widely-used technologies will appear in the news, but cryptocurrency client vulnerabilities are largely discussed on specialized, niche platforms. On Reddit, there is extensive conversation about the JSON-RPC interface vulnerability for Ethereum clients that dates back to 2016. Recent exploitation of this weakness demonstrates that many Ether investors were totally disconnected from relevant, security conversations. Communication with relevant communities is necessary to protect yourself from cyber threats.


TL;DR

Port 8545 was one of the top 20 most accessed ports in June 2018. Turns out, it’s the default listening port for Ethereum clients when the JSON-RPC service is enabled. Attackers have been scanning the port for unconfigured JSON-RPCs, then using the exposed interfaces to access sensitive miner information and wallet details. Most Ethereum clients (including Geth) disable RPC by default. Unfortunately, Ethereum clients that activate JSON-RPC and connect their wallets to the internet, essentially exposed their miner information and Ether wallets to anyone scanning port 8545.

Interested in more security research on blockchain?
Check out "Off the Chain! A Research Paper Observing Bitcoin Nodes on the Public Internet."

Read the free report

Sources

“Ethereum Account 0x957cD4Ff9b3894FC78b5134A8DC72b032fFbC464.” etherchain.org. https://www.etherchain.org/account/0x957cd4ff9b3894fc78b5134a8dc72b032ffbc464#history

“Experts warn hackers have already stolen over $20 million from Ethereum clients exposing interface on port 8545.” Pierluigi Paganini, June 10, 2018. https://csecybsec.com/cse-news/experts-warn-hackers-have-already-stolen-over-20-million-from-ethereum-clients-exposing-interface-on-port-8545/

“Hackers Scoop $20 Million in ETH From Exposed Ethereum Nodes.” Sam Town, June 13, 2018. https://cryptoslate.com/hackers-scoop-20-million-in-eth-from-exposed-ethereum-nodes/

“Hackers Stole Over $20 Million in Ethereum from Insecurely Configured Clients.” Wang Wei, June 10, 2018. https://thehackernews.com/2018/06/ethereum-geth-hacking.html

“$20 Million Ether Hacked From Poorly Configured Ethereum Apps.” Osato Avan-Nomayo, June 12, 2018. http://bitcoinist.com/hacked-cybercriminals-steal-20-million-in-ether-from-poorly-configured-app-clients/