A backdoor vulnerability called Antbleed, which enables the remote shutdown of bitcoin miners, was recently discovered...
in bitcoin mining equipment. How does it work? Could something like this happen on enterprise networks? How can you scan for this type of thing?
The popular bitcoin mining provider Bitmain Technologies recently came under fire for a supposed backdoor into the firmware of its popular cryptocurrency generating miner hardware. The vulnerability was aptly named Antbleed, after a combination of the Antminer models and other vulnerabilities, such as Heartbleed, which enable the leakage of data.
It's estimated that Bitmain has around 70% of the market when it comes to bitcoin mining, and with this vulnerability present in the firmware of the majority of their systems, there's concern among the bitcoin industry that Bitmain was looking to create device relationship management, or even to remotely monitor its customers.
Within the firmware of the Bitmain systems is a hardcoded domain that reaches out to auth.minerlink.com and checks in every couple minutes, with the longest timeframe being 11 minutes between callouts. When this callout occurs, it sends the MAC, IP address and even the serial number of the device to the site, and if it can't connect to the domain, the equipment stops mining. This is a privacy concern, since it enables personal information -- maybe even the location of the device based off of the IP address -- to a vendor that doesn't need this data.
The connection itself is an outbound connection, and it's difficult to stop without firewalling particular source addresses beforehand. Many privacy advocates were rightfully concerned with Bitmain potentially monitoring its clients.
Another security issue with this callout is its unauthenticated nature, which leaves the service completely open to domain name system hijacking or man-in-the-middle attacks. If this attack were to occur, or even a distributed denial-of-service attack on the hardcoded site, it could stop the functionality of mining operations for close to 70% of bitcoin miners.
In order to stop this from occurring, but to still have the functionality to continue mining, miners have gone through the effort to create custom entries in their localhost files to point 127.0.0.1 to auth.minerlink.com. This gives the system local domain resolution, but restricts it from sending information or shutting down the application.
After seeing the hysteria around Antbleed, Bitmain wrote a blog post explaining the reasoning for this system callout. It explained that this feature was going to be introduced as a way for customers to monitor equipment, which many times is hosted outside of their premise, and to shutdown miners that might have been stolen or hijacked. It gives multiple examples of Antminers being withheld from owners or being hijacked.
According to Bitmain's blog post, the feature was intended to give owners the capability to shut down systems over which they've lost control. It was, however, never fully developed, and was left within the code, which was open source and found by a researcher. It took steps to remediate all the firmware of the affected products and to update all the affected firmware that removes the feature.
Firmware hacks are nothing new, and both Cisco and Juniper have had malicious firmware exploits on their equipment. It's still up for debate, but the Antbleed issue doesn't seem to be malicious, just poor hygiene. Protecting against these attacks is incredibly difficult, and bringing in a behavior-based understanding of your network and callouts with proper segmentation and firewalling are the only options for preventing data theft.
Even with this in place, detection can be incredibly difficult to pinpoint. Following proper security hygiene across the board can go a long way in protecting against these types of threats.
Ask the expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)
Read about employee use of corporate resources to mine bitcoins
Learn about the search for the real creator of bitcoin
Check out the cybersecurity questions raised by the use of bitcoin and blockchain
Dig Deeper on Emerging cyberattacks and threats
Related Q&A from Matthew Pascucci
Understanding the differences between sandboxes vs. containers for security can help companies determine which best suits their particular use cases. Continue Reading
Troubleshooting VPN session timeout and lockout issues should focus first on isolating where the root of the problem lies -- be it the internet ... Continue Reading
What sets web roles and worker roles apart in Microsoft's Azure Cloud Services? Here's a look at how they are different. Continue Reading