Nearly 3,000 Bitcoin Miners Were Exposed to a Remote Telnet Attack

Bitcoin miners are always targets for criminals and other assailants. Around 3,000 Bitcoin miners were recently exposed to a potential Telnet-based attack. All of these miners seemingly use the same mining pool to generate Bitcoin and they may very well belong to the same organization. It is unclear who owns the devices exactly, but they seemingly all use a Chinese IP address. Thankfully, the miners were taken offline shortly afterward to resolve this issue.

Telnet Attacks can Disrupt Bitcoin Mining

It is quite disconcerting to learn how a Telnet-based attack could have caused major problems for nearly 3,0000 Bitcoin miners. 2,893 Bitcoin miners were exposed to open Telnet ports which required no credentials to connect to remotely. It is unclear who owns the devices in question, although it appears a Chinese miner or mining firm is the most likely owner. A security researcher discovered that all of the affected machines have a Chinese IP address. 

Thankfully, the person or group running these nearly 3,00 miners took the necessary steps to take the machines offline. If a person were to have accessed these Bitcoin mining machines remotely, it is unclear how much damage they could have done. It is not unlikely an assailant could have severely disrupted the mining operation in question. With Telnet access removed from these devices, the exploit has been addressed even though it does highlight a major attack vector.

The swift course of action by the owner of these machines indicates they are making a lot of money from their mining efforts. It is certainly possible all of these miners are pointed to the Litecoin network, considering how the machines appear to refer to “Thunder” hardware. That would identify the hardware as ZeusMiner’s Thunder X3 miners, which are used to generate Litecoin income over time. The firmware located on the identified devices seems to confirm as much. These machines combined can generate around US$1 million in income every single day.

Someone tried to take advantage of this Telnet access prior to the researcher’s discovery. The researcher noted how there were attempts to install a backdoor or different type of malware on these machines, although it is doubtful they were successful in this regard. Then again, some remnants were discovered on the machines, indicating the Telnet connectivity had been left unchecked for quite some time. Telnet access has been a favorite tool among cybercriminals lately.

Taking advantage of exposed devices like these can have dire consequences. First and foremost, the mining operator could lose a significant amount of income if an assailant were to successfully control these devices.  Secondly, it goes to show this could very well be part of a larger IoT-based attack to cause DDoS attacks or other types of nefarious activity. The same researcher recently secured thousands of IoT devices which used standard Telnet credentials.

Bitcoin mining hardware can be a powerful tool when it is controlled by the wrong individuals. Every ASIC miner is quite powerful in its own right, and if an assailant controls thousands of these devices, they have a lot of computing power at their disposal. While the ulterior motives remain subject to speculation, for the time being, it is good to see the operator successfully protecting these machines from further harm.