QueenAnt proof-of-concept exploits exposed interfaces and sends coins the wrong way
Australian security researcher Tim Noise says scores of popular Antmine Bitcoin mining devices could be commandeered.
Noise demonstrated how a vulnerability in the configuration of the open source mining program CGminer running on an Antminer box can be abused to redirect the efforts of massive mining operations to fill an attacker’s wallet.
A proof-of-concept of the attack app, dubbed QueenAnt, is yours to peruse on GitHub.
Beijing-based Antmine manufacturer Bitmain has been contacted for comment.
Noise says CGminer is typically configured to accept incoming connections on TCP port 4028 through an exposed remote procedure call (RPC) interface that collects statistics and configuration specifications from mining groups.
Antminers, many exposed to the internet, run the OpenWrt operating system that includes CGminer managed by an OpenWrt LuCi web interface.
The interface draws statistics from the vulnerable RPC interface which listens on 0.0.0.0 without a username or password configured.
Noise says offline Antminers that are part of farms are not affected as are those which have changed passwords and fixed the RPC interface.
“Free hashes, free cashes,” Noise told Vulture South of his work.
Users had already been attacked through the vector prior to Noise publishing his proof of concept tool.
Noise says users can workaround the default flaws by updating /config/cgminer.conf and /etc/init.d/cgminer.sh to fix the RPC interface, SSH in and change the system password.
“If they (antminers) are on the internet, they shouldn’t be, or at least firewalled appropriately,” Noise says.
The Antminer firmware contains further flaws; it runs CGminer as root, allows the RPC to write files, fails to update system passwords when admin credentials are updated over the LuCi web interface, and exposes root over ssh with a password of ‘admin’.
Noise tested his proof-of-concept on an Antminer S5 with all available firmware releases and will now test his work on a more recent S7 model. ®
Sponsored: Global DDoS threat landscape report