
Cyber Incident Victim: EOS

Date: May 2018

Location: China

Summary

An attacker scanned the internet for misconfigured EOS blockchain nodes exposing private keys through an unauthenticated API endpoint (/v1/wallet/list_keys on port 8888), leveraging a GitHub bug report detailing the vulnerability. The scans originated from a single IP address and targeted nodes with a wallet plugin enabled, primarily used for testing rather than production environments. This allowed potential unauthorized access to private keys, though the exposure was limited due to the non-standard nature of the plugin. The incident coincided with but was unrelated to a separate critical remote code execution flaw disclosed in the platform around the same time, which had already been patched by the EOS team.


Description

On May 29, 2018, the threat intelligence firm GreyNoise detected malicious scanning activity targeting misconfigured nodes on the EOS blockchain platform. The scans originated exclusively from the IP address 185.169.231.209 and sought EOS nodes exposing an insecure API endpoint, /v1/wallet/list_keys, on port 8888. The weakness stemmed from the wallet_plugin component of the EOS software, a testing tool not intended for production use: when enabled without authentication, it revealed account private keys to anyone who could reach the endpoint. The attacker exploited a configuration flaw documented five days earlier in a GitHub bug report, which detailed how the API endpoint exposed cryptographic keys without access controls. Security researchers confirmed the scanning activity was unrelated to a separate remote code execution vulnerability disclosed the same day by Qihoo 360, despite the temporal proximity. The EOS development team had already patched the RCE flaw before the scanning campaign began, though they later minimized its severity in Telegram communications.


The wallet_plugin misconfiguration primarily affected non-production nodes where administrators had activated testing tools without implementing required security measures. An EOS developer clarified in the GitHub discussion that the vulnerable endpoint wasn't part of the core API, limiting potential exposure to nodes where the optional plugin remained enabled on internet-facing interfaces. The attacker systematically probed for systems where administrators failed to disable this non-essential feature or follow API documentation safeguards. While the blockchain platform's market position as the fifth-largest cryptocurrency with a $4 billion initial coin offering heightened concern, actual risk remained confined to negligently configured nodes. The EOS team responded by reiterating documentation guidelines for key management and urging node operators to disable the wallet_plugin entirely. No evidence suggested successful private key compromises resulted from the scanning campaign, though the incident highlighted operational security gaps in blockchain infrastructure management unrelated to the platform's underlying cryptographic design.
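As an added illustration, not part of this incident record, the Python script below shows the check a node operator could run over an access log to spot the probing described above: it flags requests to the wallet endpoint on port 8888 and separates probes the node actually answered (a likely key exposure) from ones it rejected. The log format and the sample lines are constructed for this example.

```python
import re
from collections import defaultdict

# Endpoint probed in the May 2018 scans. wallet_plugin serves it under the
# /v1/wallet/ prefix, so any outside request under that prefix is suspect.
WALLET_PREFIX = "/v1/wallet/"
NODE_PORT = 8888

# Constructed sample in an assumed access-log style:
#   client_ip dst_port "METHOD PATH" status
# The scanner address is the one reported in this incident.
SAMPLE_LOG = """\
10.0.0.5 8888 "POST /v1/chain/get_info" 200
185.169.231.209 8888 "POST /v1/wallet/list_keys" 200
10.0.0.7 8888 "POST /v1/chain/get_block" 200
185.169.231.209 8888 "POST /v1/wallet/list_keys" 200
203.0.113.9 8888 "POST /v1/wallet/list_keys" 404
"""

LINE_RE = re.compile(r'^(\S+) (\d+) "(\w+) (\S+)" (\d{3})$')


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, port, method, path, status = m.groups()
    return {"ip": ip, "port": int(port), "method": method,
            "path": path, "status": int(status)}


def find_wallet_probes(log_text):
    """Return (hits, served): hits maps source IP -> wallet paths requested on
    the node port; served is the subset answered with HTTP 200, i.e. the
    plugin handled the request. A non-200 (here 404) suggests no handler
    was registered for the path, so no keys were returned."""
    hits, served = defaultdict(list), defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["port"] != NODE_PORT:
            continue
        if rec["path"].startswith(WALLET_PREFIX):
            hits[rec["ip"]].append(rec["path"])
            if rec["status"] == 200:
                served[rec["ip"]].append(rec["path"])
    return dict(hits), dict(served)


if __name__ == "__main__":
    hits, served = find_wallet_probes(SAMPLE_LOG)
    for ip in hits:
        print(f"{ip}: {len(hits[ip])} wallet probe(s), "
              f"{len(served.get(ip, []))} answered with 200")
```

Any source IP that appears in `served` reached a node where the plugin was enabled on an internet-facing interface, which is exactly the configuration the EOS team asked operators to remove.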
