Cryptocurrency Mining Operations Take Aim at SSH Servers

North Korea allegedly is now mounting cryptocurrency miner operations, attackers are going after vulnerable SSH servers, and the popular Electrum cryptocurrency wallet patches a critical vulnerability.


As the value of cryptocurrency continues to rise, so too is interest from attackers and security researchers alike.  

So far in 2018, multiple new attack vectors against cryptocurrencies have been disclosed, as well as at least one major vulnerability. While there are potentially great opportunities to be had with cryptocurrency, the security issues serve as a reminder that there are risks too.

A report released Jan. 8 alleges that among those now taking aim at cryptocurrency is the government of North Korea, which is conducting an unauthorized Monero cryptocurrency mining operation. Also, on Jan 3, a report from security firm F5 Networks revealed that attackers are using a new Python script to mine Monero on servers. And while unauthorized mining operations are taking aim at servers, Electrum digital wallets used to access cryptocurrency are also at risk and were patched on Jan. 7.

North Korea

Security firm AlienVault reported that it found an application that was attempting to mine the Monero cryptocurrency, with all proceeds being sent to Kim Il Sung University in North Korea.

AlienVault, however, is not certain that the government of North Korea is behind the new Monero mining campaign. Christopher Doman, security researcher at AlienVault, wrote in the report that it's possible the operation could just be a prank being conducted by hackers operating out of Morocco. That said, AlienVault noted that North Korea has been definitively linked to several other cryptocurrency mining campaigns, including one conducted by a group known as Andariel, which mined Monero from a compromised South Korea company.

"Cryptocurrencies could provide a financial lifeline to a country hit hard by sanctions," Doman wrote. "Therefore it’s not surprising that universities in North Korea have shown a clear interest in cryptocurrencies." 

SSH Attacks

There are several ways attackers are attempting to get vulnerable hosts to mine cryptocurrency. While mining via the web browser-based Coinhive script is popular, security firm F5 Networks discovered a campaign in which attackers went after vulnerable SSH (Secure SHell) logins to install mining software. SSH is widely used on servers to enable remote administration and access. 

Maxim Zavodchik, head of the security research team at F5, told eWEEK that attackers appear to be using a brute-force attack to gain access to the SSH servers. A brute-force attack is one in which the attacker repeatedly tries different username and password combinations in an attempt to correctly guess a usable combination.

Zavodchik noted that some of the attacks have also been able to make use of the CVE-2017-12149 vulnerability in the JBoss middleware server to spread across a network. According to F5, as of late December 2017, the SSH attackers have earned approximately $46,000 mining Monero.

Zavodchik recommends that organizations use an SSH key pair instead of password to protect against brute-force attacks. In addition, he recommends that organizations blacklist IPs after multiple failed logins. 


Once a cryptocurrency has been acquired, users need some form of digital wallet for secure access. Among the most popular is the open-source Electrum wallet, which issued its 3.0.5 update on Jan. 7 that patches for a critical vulnerability that could enable an attacker to steal a user's cryptocurrency.

The flaw in Electrum is that the JavaScript Object Notation (JSON) Remote Procedure Call (RPC) interface was not password-protected. JSON-RPC is used for remote communication into a wallet. The security vulnerability was first reported in November 2017, but was initially dismissed by Electrum developers. On Jan. 5, Google Project Zero security research Tavis Ormandy also noted the issue, insisting that it's a critical flaw.

"I installed Electrum to look, and I'm confused why this isn't being treated as a critical and urgent vulnerability?" Ormandy wrote in a GitHub comment. "The JSON RPC server is enabled by default, it does use a random port but a website can simply scan for the right port in seconds."

Cryptocurrency represents both an opportunity and a new set of risks for enterprises and end users. As with every other piece of modern digital technology, cryptocurrency technologies have flaws and need to be regularly patched, as was the case with Electrum.

From an attacker perspective, cryptocurrency mining represents a way to make money, which means attackers will keep trying different approaches to maximize potential returns. If the first several weeks of 2018 are any indication, there will be a lot of security-related activity in the cryptocurrency space this year.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.