TNC Exploiting Cryptocurrency Miners with OSINT Techniques

Collecting intelligence is one of the key elements in organizing more sophisticated attacks. Open Source Intelligence (OSINT) is a technique attackers use for reconnaissance, gathering information about specific targets. Easy access to critical information about emerging systems through OSINT leads to the exposure of vulnerabilities and to their exploitation in widespread attacks. Blockchain is one of the emerging technologies that brought cryptocurrencies such as Bitcoin and Ethereum into use. This research paper explains the use of OSINT to gather critical information about cryptocurrency miners such as the Bitcoin Antminer and the Ethereum Claymore miner, and to expose vulnerabilities that allow the configuration file of the miner manager to be exploited. The research outcomes expose the vulnerability of the existing cryptocurrencies and show the use of OSINT for the detection and analysis of cyber-threats in the cryptocurrency market.


Introduction
Blockchain is a form of distributed ledger used to exchange information and transact digital assets in distributed networks [1]. Countries have developed different applications of this distributed ledger technology to enhance the governmental services provided to the public, adopting it to change the way citizens' information is managed and controlled in public and private services. One of the most recent applications comes from Estonia, which provides e-ID to e-Residents through the application of blockchain technology, making a wide range of both governmental and private-sector services available for remote access [2]. Apart from these applications, blockchain technology has been applied to many fields, from the initial cryptocurrency to the current smart contracts, the health sector, and governmental and public services [3]. Bitcoin was introduced by Satoshi Nakamoto in 2008 as a cryptocurrency deployed on blockchain technology [4]. The Bitcoin ecosystem proposed by Nakamoto consists of a network of users that communicate with each other using the open source Bitcoin protocol to exchange information via the Internet. Due to zero transaction costs, lack of tracing and possible anonymity, the use of Bitcoin has become quite attractive. The decentralization of blockchain technology has made Bitcoin more powerful in the last few years. Bitcoin became the most popular decentralized cryptocurrency: in January 2017 there were 16 million bitcoins in circulation with a total value of roughly 16 billion US dollars. "Bitcoin mining" is the process of handling transactions in the blockchain network, and it appears to be quite a profitable job because of its variety of advantages, the possible demand and the market price of Bitcoin. Companies have developed cryptocurrency miners to satisfy this demand in the market. However, a huge research gap still exists on blockchain technology and the cryptocurrency market with respect to security vulnerabilities.
Because of this gap, attackers take advantage of Open Source Intelligence (OSINT) to gather information about the vulnerabilities of miners, users and exchanges, and a variety of attacks have been launched against this newly emerged technology. The next section of this paper elaborates the latest security exposures of the cryptocurrency market; section 3 elaborates the use of OSINT to expose the security vulnerabilities of existing cryptocurrency miners such as the Bitcoin Antminer and the Ethereum Claymore miner, and to exploit the configuration file of the miner manager.

Literature Review
Blockchain technology has become one of the most popular technologies, deployed in different sectors as applications by a variety of companies and organizations. The main theme behind this popularity is security: this distributed ledger technology stores multiple redundant and identical copies of the same ledger worldwide, so if one account is breached, many others exist as backups that can provide the breached data or the funds in the hacked account [5]. Alteration or modification of data is prevented with strict cryptographic methodologies, and this attracts the deployment of blockchain technology in different sectors. One of the latest blockchain-based systems was deployed by MIT as a new digital diploma system. Since blockchain is a kind of distributed ledger technology, MIT developed a blockchain-based digital diploma system that allows employers and schools to verify that a graduate's degree is legitimate by using a link or uploading the student's file [6].
As stated before, companies rely on blockchain technologies for their data security and reliability. Cryptocurrency mining is an important source of income for the developers of cryptocurrency miners as well as for owners and third parties who participate in the blockchain market with their individual systems.
Trend Micro's research indicated that more than 700 cryptocurrencies based on blockchain technology exist in the market. Due to the popularity of Bitcoin mining, attackers have focused on developing new attack vectors targeting Bitcoin miners and Bitcoin-associated transactions. Even though the cryptography-oriented blockchain technology seems secure, the variety of other, vulnerable technologies combined to conduct transactions in a blockchain, together with the human factor, leads to the exposure of vulnerabilities [7].
Internet of Things (IoT) technology is becoming a goldmine for malicious actors due to its existing major security challenges and the lack of forensic regulation and privacy [8]. Due to the lack of a secure architecture deployed in IoT environments, participants of an IoT network can be targeted through different methodologies. McAfee estimated that more than 2.5 million devices were infected by the Mirai botnet in 2016 in order to use their computing power to mine bitcoins [9]. The attackers introduced a new Bitcoin miner slave, a variant called "ELF Linux/Mirai malware", which controls the Mirai bots while they are idle and awaiting further instructions and leverages them to go into mining mode.
The attacks did not target the user but the computers/nodes themselves, since computational power and the cost of power consumption are the two important factors for Bitcoin mining. Attackers targeted cryptocurrency mining and developed different types of cryptocurrency-mining malware that impair system performance, hijack systems, and expose end users and businesses to the risk of information theft. The vast majority of attacks targeted IoT devices such as industrial control systems, cars, the healthcare sector, consumer electronics, digital video recorders (DVRs)/surveillance cameras, set-top boxes, network-attached storage (NAS) devices, and especially routers. Researchers have focused on the importance of different forensic applications for retrieving data from IoT devices in case of a cyber-event, since the control and investigation of IoT devices has become a substantial issue [10].
The South Korea Internet and Security Agency announced that "Bithumb", one of the world's biggest Bitcoin exchanges, was hacked and approximately 1 billion won (worth 870,000 USD) was stolen. The details of the attack revealed that the PC of a Bithumb employee was hacked, because personal information such as the mobile phone numbers and email addresses of some users had been collected through OSINT techniques [11]. Another major security breach of an exchange occurred at the Hong Kong-based "Bitfinex", where 119,756 bitcoins (worth around 718,536,000 USD) were stolen. This attack caused a 20% drop in the value of the currency [12][13]. In 2014, one of the popular Bitcoin exchanges, "Mt.Gox", announced that hackers had stolen 850,000 bitcoins, of which 750,000 belonged to customers. Researchers have investigated this attack and found that a transaction malleability bug was explicitly named as the root cause of the loss [14].
Transactions in a blockchain can be processed through digital wallets produced by third parties. These digital wallets apply a security mechanism called "multisignature", an approval mechanism for the exchange of a digital currency: multisignature requires another user to sign a transaction before it is added to the blockchain. Attackers targeted the Ethereum cryptocurrency and stole 153,000 ether tokens (worth 32.6 million USD) by exploiting a vulnerability in a multisignature wallet [15].
Since all these attacks occurred due to a lack of network security or of an appropriate configuration, researchers have focused on developing a variety of network-based technologies and on a variety of aspects of resolving security-oriented issues in order to secure the communication environment [22][23][24][25][26][27][28][29][30]. The proposed mechanisms and models offer a variety of solutions for different types of communication infrastructures and protection against different types of vulnerabilities from different aspects, such as link encryption and end-to-end or message encryption [31][32][33][34][35][36][37][38][39][40][41].

Bitcoin Miners and use of OSINT
As mentioned in the previous sections, cryptocurrency miners have become quite popular because of the increasing demand for and price of cryptocurrencies such as Bitcoin and Ethereum. Bitcoin or cryptocurrency mining is the process of synchronizing transactions in a network of computers, where miners receive a profit, in cryptocurrency, as a function of the cost of mining, which increases over time.
Once a participant of the blockchain wishes to conduct a transaction, the proposed transaction is generated according to a specific consensus mechanism (Proof of Work, Proof of Stake, etc.) and distributed to the network of nodes for validation. The verified transaction is combined with other transactions to create a new block of data for the ledger.
Transactions are recorded in each block of the blockchain, and these blocks are identified by hash codes. A block must be validated before it is added to the blockchain, and the validation is done by the participating users, who are called "miners" [16]. Figure 1 below illustrates the typical blockchain workflow.
OSINT is one of the important technologies used for intelligence purposes, where intelligence is derived from publicly available information sources. These sources include global media, web blogs, academic papers, Wikipedia, YouTube, social media (Twitter, Facebook, Instagram), government reports, satellite pictures and all other information available to the public on the Internet [17]. The main source of information for OSINT is the Internet, with estimates that the data volume on the Internet will grow from 4.4 zettabytes (ZB) in 2013 to 44 ZB by 2020 [18]. The Internet acts as an intermediary for accessing the information sources, and the growth of this volume of data requires specific discovery, search and retrieval techniques to analyze it accurately.
The vast amount of data and information available on the Internet allows attackers to gather information and understand the working principles, architecture, functionalities and communication infrastructure of systems, and thus to expose their vulnerabilities. Today's Internet technology combined with OSINT enables criminals to organize more sophisticated attacks.
In this research paper, one of the most preferred Bitcoin miners, the "Antminer S9", is selected as the test-bed [17]. The features of this miner are illustrated below.
The miner's hardware uses the "Lighttpd/1.4.32" web server, and an SSH port is also open for remote communication with this server. An exploit is available for Lighttpd version 1.4.31; however, it does not provide remote access to this server, since the exploit is patched in the newer version. Figure 2 below illustrates the Antminer S9 configuration page, which is accessed through a web browser using a username and password.

Figure 2. AntMiner Configuration Page
As shown in Figure 2 above, the AntMiner configuration page uses "Digest Authentication". Digest authentication is one of the authentication methods known as "agreed-upon" methods: the web server negotiates the user credentials (username and password) with the user's web browser. This authentication method is an application of MD5 cryptographic hashing that uses nonce values to prevent replay attacks.
Some information or keywords are needed to collect data with OSINT techniques. In this research, the keyword "antMiner Configuration" was selected, which appears in the HTTP headers each time a request is sent to the server. Searching with the corresponding queries, specific keywords and special dorks in censys.io and shodan.io yielded the specific IP addresses of AntMiners shown in Figure 3 below.

Figure 3. Results of dork used in OSINT Search Engine for Bitcoin-AntMiner
The corresponding systems can be accessed through a brute-force attack on the HTTP port or the SSH port. In order to exploit this vulnerability, the default username and password of the systems must be known. A simple search on the Google search engine exposed the default username and password: the product homepage contains detailed information about the product, including the default username and password of the AntMiner, the most popular cryptocurrency miner. Figure 4 above illustrates the details.
As mentioned before, the Antminer uses the "Lighttpd/1.4.32" web server and provides remote access through a web browser based on username and password credentials. Since the OSINT tools exposed the IP addresses of existing miners with specific dorks, it is easy to brute-force the credentials of the corresponding miners and gain access.
The Hydra brute-force tool was used to generate a brute-force attack against the corresponding address; the Burp Suite Intruder tool can also be used for this type of attack. The command used to generate this attack is: hydra -l root -P commonPasswords.txt -vV {TARGET} http-get / The configuration page becomes accessible if one of the passwords in the dictionary matches the user credentials. Figure 5 below illustrates the results.

Figure 5. AntMiner Credentials after Successful Brute-Force
Figure 5 above illustrates the AntMiner configuration page, which allows an attacker to modify or change the configuration of the miner.
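Digest authentication defends against replay, not against online guessing, so the brute-force attack described above leaves a visible trace: a burst of 401 responses to one client in the web server's access log. The following added example (not from the paper; the log format, thresholds and sample lines are assumptions) flags that pattern in constructed lighttpd log lines and notes when a 200 follows the burst:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# lighttpd's access log in Common Log Format (assumed): client ident user [ts] "request" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return a dict for a well-formed log line, None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def find_bruteforce(lines, window=timedelta(seconds=60), threshold=10):
    """Flag clients with `threshold` 401s inside any `window`. Digest auth stops
    replay, not guessing: every wrong password still earns a 401, so that is the
    signal. Returns {ip: {"failures": total_401s, "success_after_burst": bool}}."""
    recent = defaultdict(list)   # ip -> 401 timestamps inside the window
    total = defaultdict(int)     # ip -> all 401s seen
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        if rec["status"] == 401:
            total[ip] += 1
            hits = recent[ip]
            hits.append(rec["ts"])
            while hits and rec["ts"] - hits[0] > window:
                hits.pop(0)          # slide the window forward
            if len(hits) >= threshold and ip not in flagged:
                flagged[ip] = {"failures": 0, "success_after_burst": False}
        elif rec["status"] == 200 and ip in flagged:
            flagged[ip]["success_after_burst"] = True   # burst, then a hit
    for ip in flagged:
        flagged[ip]["failures"] = total[ip]
    return flagged

# Constructed sample: one client guessing against the config page (12 x 401 in
# 33 s, then a 200) and one legitimate user who mistyped the password once.
SAMPLE_LOG = [
    *(f'203.0.113.5 - - [01/Jan/2018:10:00:{s:02d} +0000] "GET / HTTP/1.1" 401 351'
      for s in range(0, 36, 3)),
    '203.0.113.5 - root [01/Jan/2018:10:00:40 +0000] "GET / HTTP/1.1" 200 4120',
    '198.51.100.7 - - [01/Jan/2018:10:05:00 +0000] "GET / HTTP/1.1" 401 351',
    '198.51.100.7 - root [01/Jan/2018:10:05:09 +0000] "GET / HTTP/1.1" 200 4120',
]
```

A flagged client with success_after_burst set is the case that warrants rotating the miner's password, not only blocking the source.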
The Ethereum-Claymore miner is another type of miner, proposed for Ethereum mining [20]. A new dork using OSINT techniques was proposed to expose the list of available miners. The search query and dork used to gather information is: ETH "ETH -Total Speed" The result of the query is illustrated in Figure 6 below. As can be seen from Figure 6, many cryptocurrency miners are available on the Internet, and the IP addresses of these miners are exposed to the public through OSINT with the help of specific queries and dorks. The Claymore Remote Manager API allows the miner server to be managed remotely once its IP address is known; remote JSON packages can be transferred to modify the configuration file of the miner.

Figure 7. Claymore Remote Manager API

Figure 7 above illustrates the Claymore Remote Manager API configuration file, which controls the GPUs (disable, dual mode, etc.) or edits config.txt to change the pool wallet address by sending specific commands. In order to test whether the attack is successful, the "miner_restart" or "control_gpu" command is sent to detect whether the configuration file is read-only or read/write. The open source application "Netcat" was used on macOS to send the JSON commands [21]. Figure 8 below illustrates the result of the "miner_getstat1" command, which shows the statistics of the miner server. As mentioned before, the "control_gpu" command is sent to detect whether the configuration file is read-only or read/write; the result of the command is illustrated in Figure 9 below. As shown in Figure 9, the miner server is in read-only mode. This indicates that the commands pushed to the server are processed, but the GPU speed or processing power cannot be modified.
The "miner_restart" command was then tried on the Claymore Remote Manager API and it worked successfully, as shown in Figure 10 below: the system accepts the command and restarts. The Claymore Remote Manager also allows users to edit the configuration file in JSON format (by sending remote JSON files). However, this can also be done with Claymore's Ethereum Dual Miner Manager on Windows, which can also change the pool wallet address; this is one of the most critical vulnerabilities for the miners. Figure 11 below illustrates this vulnerability.

Figure 11. Claymore Ethereum Dual Miner Manager Configuration File
The corresponding configuration file will be edited if permission is granted by the user. Since a vulnerability exists on the system that allows miners to be connected to through vulnerable web-based communication protocols, it is easy for an attacker to exploit this vulnerability and obtain read/write access to the system. As shown above, it is quite easy for an attacker to modify the pool's Ethereum wallet address.
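The tests above show that the miner's read-only mode still accepts "miner_restart", so an operator cannot rely on the miner process alone to reject state-changing commands from the Internet. The added example below (not part of the paper or of Claymore's software; the JSON-RPC message shape, the method allow-list and the sample frames are assumptions) shows the gate a monitoring proxy in front of the management port would apply: reporting commands pass, anything that can change state must come from a trusted management host, and everything else is dropped and logged.

```python
import json

# Method names are the ones exercised in the paper; the wire format (one
# JSON-RPC 2.0 object per line with a "method" field) is an assumption about
# the Claymore Remote Manager protocol made for this example.
READ_METHODS = {"miner_getstat1"}                      # reporting only
MUTATING_METHODS = {"miner_restart", "control_gpu"}    # change miner state

def classify(method):
    """Classify a remote-manager method by the effect it can have."""
    if method in READ_METHODS:
        return "read"
    if method in MUTATING_METHODS:
        return "mutating"
    return "unknown"        # e.g. config editing: treated like mutating

def audit_frames(frames, trusted_sources):
    """frames: iterable of (source_ip, raw_line) seen at a gateway in front of
    the miner's management port. Returns (alerts, accepted): alerts describe
    frames the gateway should drop and log; accepted are (src, method) pairs."""
    alerts, accepted = [], []
    for src, raw in frames:
        try:
            msg = json.loads(raw)
            method = msg["method"]
        except (ValueError, KeyError, TypeError):
            alerts.append({"src": src, "reason": "malformed", "raw": raw})
            continue
        kind = classify(method)
        # reads are harmless; anything that can change state needs a trusted source
        if kind == "read" or src in trusted_sources:
            accepted.append((src, method))
        else:
            alerts.append({"src": src, "reason": kind, "method": method})
    return alerts, accepted

# Constructed sample traffic: 10.0.0.2 is the operator's management host,
# 203.0.113.9 is an unknown Internet host. "miner_setconfig" is a made-up
# method name standing in for any command the allow-list does not know.
SAMPLE_FRAMES = [
    ("10.0.0.2",    '{"id":0,"jsonrpc":"2.0","method":"miner_getstat1"}'),
    ("10.0.0.2",    '{"id":0,"jsonrpc":"2.0","method":"miner_restart"}'),
    ("203.0.113.9", '{"id":0,"jsonrpc":"2.0","method":"miner_getstat1"}'),
    ("203.0.113.9", '{"id":0,"jsonrpc":"2.0","method":"control_gpu","params":["0","0"]}'),
    ("203.0.113.9", '{"id":0,"jsonrpc":"2.0","method":"miner_restart"}'),
    ("203.0.113.9", '{"id":0,"jsonrpc":"2.0","method":"miner_setconfig","params":["x"]}'),
    ("203.0.113.9", 'not json at all'),
]

if __name__ == "__main__":
    for alert in audit_frames(SAMPLE_FRAMES, {"10.0.0.2"})[0]:
        print("BLOCK", alert)
```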

Conclusion
The vast amount of information available through the Internet and the use of OSINT allow attackers to generate different and more sophisticated attacks. Researchers focus on large-scale attacks and conduct research on more sophisticated methodologies, while a considerable number of attacks arise from simple vulnerabilities. Cryptocurrency mining is a quite new and demanding market for individuals and businesses. However, securing the miners and transactions should be taken into account and must be the first priority for the companies that produce miners. The widespread use of miners without attention to security policies and vulnerabilities, as with IoT devices, may lead to the exposure of serious threats in the future, considering the energy consumption and processing power of the miners. Apart from all this, these technologies have the potential to replace conventional transaction exchange mechanisms, which means they will spread to different markets including the health, government and financial sectors. This research outlined the possible vulnerability exposure of existing cryptocurrency miners, which can be hacked through the use of OSINT. The methodology and instructions used here were for educational purposes. Further research is required to improve OSINT search techniques for gathering massive and detailed information about miners for different vulnerabilities. In addition, the exploitation of miners for GPU control and the modification of the pool's Ethereum wallet address through OSINT is another critical contribution, which may lead to hazardous results in the case of deployment of vast numbers of miners.

ACKNOWLEDGMENTS
We would like to sincerely thank all reviewers and appreciate all the support provided by the journal office in managing paper submission and editing papers towards the success of this special issue.