Hello, welcome to the Friday, May 18th, 2018 edition of the Santernut StormSenter's Stormcast.

My name is Johannes Ulrich and the I'm recording from Jacksonville, Florida.

Got an interesting case we have been working on for the last few days about scans for port 3,333.

This port is heavily used by miners and has also been used as a remote admin interface

for the Claymore miner. Claymore added an unauthenticated JSON RPC API that essentially

allows remote code execution.

Now while this wasn't the intent of the API, the exploitation is pretty straightforward

and has been known at least since February.

The problem is that not only the configuration file but also a reboot batch file can be overwritten using

this API and then just by rebooting the software you are then able to execute that file.

Now the most common command that I have seen being executed this way is just restarting Claymore

Miner, of course, with different parameters, gaining money to whoever launched the exploit.

Interestingly, they retain the admin interface on the same port, so these systems can easily

be exploited again and again.

If you are running Claymore Minor, there are a couple things that you can do.

First of all, you can just disable this particular remote admin API.

That's probably the safest course of action.

You can also make it listen on a different port or by giving it a negative port number. So let's say minus

5,000. Then it will listen on port 5,000, but it will disable some of the more dangerous

commands like overriding configuration files. Taking a quick look at some of the mining pools and

the earnings of the mining pool IDs that we have seen indicates that the hackers here made about a thousand dollars or so, but varies based on the attacker.

And well, for everybody here worrying about PCI, a new miner version of PCI was released version 321. Last version was 3.2, which

...