Mass Attack on Ether Wallets Underway on Well Known Port 8545 Attack Vector

Colin Muller

A “mass-scan campaign” has been going on for the past week in an effort to find and exploit vulnerable Ethereum wallets, ZDNet have reported. The attempt uses an attack vector that has been known for years, and is the very same one that allowed $20 million worth of ether (at the time) to be stolen over the summer.

The exploit targets Geth, an Ethereum client node implementation written in the Go programming language. Attackers scan for open access through JSON-RPC, whose standard port is 8545. JSON is a common, open data format that originated with the JavaScript programming language, and JSON-RPC is a remote procedure call protocol layered on top of JSON.

An Easily Closed Ethereum Exploit Keeps Cropping Up

This vulnerability has been known since 2015 and has not been patched because, according to the relevant blog post, it “is not a bug, but a misuse of JSON-RPC.” The post at the time advised node operators to “Never enable JSON-RPC interface on an internet-accessible machine without a firewall policy in place to block the JSON-RPC port (default: 8545).”

Although the vulnerability is not difficult to close off, it seems that many users have not got the message: according to ZDNet, this same attack has recurred periodically over the past year or so.
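An added example, not code from the original article or from the Geth project: a small audit that reads a geth command line and reports when the HTTP JSON-RPC server is enabled on a non-loopback address. It assumes geth's legacy (--rpc, --rpcaddr, --rpcport) and current (--http, --http.addr, --http.port) flag spellings; the sample command lines are constructed.

```python
import ipaddress
import shlex

# Geth flag names, legacy (--rpc*) first, then current (--http*).
ENABLE = ("rpc", "http")
ADDR = ("rpcaddr", "http.addr")
PORT = ("rpcport", "http.port")


def parse_flags(cmdline):
    """Map flag name -> value for a geth command line; bare flags -> True."""
    args, flags, i = shlex.split(cmdline), {}, 0
    while i < len(args):
        if args[i].startswith("-"):
            name, sep, value = args[i].lstrip("-").partition("=")
            takes_next = (not sep and name not in ENABLE and i + 1 < len(args)
                          and not args[i + 1].startswith("-"))
            if takes_next:  # "--flag value" form
                i += 1
                value = args[i]
            flags[name] = value if (sep or takes_next) else True
        i += 1
    return flags


def is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unresolved hostname: assume reachable


def audit(cmdline):
    """Return findings about JSON-RPC exposure; an empty list means none."""
    flags = parse_flags(cmdline)
    if all(str(flags.get(f, "false")).lower() == "false" for f in ENABLE):
        return []  # HTTP JSON-RPC server not enabled
    addr = next((flags[f] for f in ADDR if f in flags), "localhost")
    port = int(next((flags[f] for f in PORT if f in flags), 8545))
    if is_loopback(addr):
        return []
    return [f"JSON-RPC bound to {addr}:{port}: bind to localhost or "
            f"firewall tcp/{port}"]

# Constructed sample command lines, not taken from any real host.
for sample in ("geth --rpc --rpcaddr 0.0.0.0", "geth --http --http.port=8545"):
    print(sample, "->", audit(sample) or "no exposure found")
```

A clean result only says the node is not bound to a public address by its flags; the firewall rule for the JSON-RPC port still has to be checked separately.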

[Image: gethHack.png (source: Troy Mursch, ZDNet)]

There are no reports yet of how much this effort will reap in stolen ethers (ETH). Previous thefts have occurred when the price of ETH was far higher; the smart contract tokens are now down over 90% from their January all-time highs, in terms of their USD value.

The timing of the attacks, therefore, seems to follow no pattern in particular. When this round of scanning got going on December 3, there was no notable news regarding Ethereum, and the USD trading price was not significantly different from today’s price of roughly $91.