Bleeping Computer is reporting that the Satori botnet has been retasked to locate unpatched Claymore cryptominer rigs.
Apparently, unpatched rigs have a publicly exposed RPC port. The Satori botnet is currently searching for this port, then taking advantage of it by sending a command that tells the rig, "When I reboot, execute these commands," and then sending another RPC call to reboot. The commands sent change the rig's config to mine to a pool under the control of the hackers.
This is actually a very smart attack vector. Generally speaking, many cryptominers who have enough money to buy these sorts of rigs will use them until they have enough of a profit to afford the latest and greatest with a higher hash rate, then basically leave the old ones on the rack to rot or until the data center unplugs them. I've encountered a few of these over the years working in data center ops. So, if you can reconfigure enough of these older rigs that may or may not be in use anymore, you can draw a serious revenue stream, which the Satori botnet masters can then turn around and use for R&D into new attack vectors. My hat's off to them, very smart.
https://www.bleepingcomputer.com/news/security/the-satori-botnet-is-mass-scanning-for-exposed-ethereum-mining-rigs/
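
For defenders, the two-step sequence described above (an RPC call that stages commands, followed by a reboot call from the same source) can be flagged in logs of traffic to a rig's management port. This is an added example, not code from the original post or the linked article; the log format, the action labels (`stat`, `file_write`, `reboot`), the trusted host and the 10-minute window are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log of RPC calls seen at rig management ports.
# The line format and the action labels (stat, file_write, reboot) are
# hypothetical normalized names, not the miner's real log output.
SAMPLE_LOG = """\
2024-01-01T10:00:01 src=10.0.0.5 dst=rig-01 action=stat
2024-01-01T10:02:11 src=203.0.113.7 dst=rig-01 action=file_write
2024-01-01T10:02:12 src=203.0.113.7 dst=rig-01 action=reboot
2024-01-01T10:05:00 src=10.0.0.5 dst=rig-02 action=reboot
2024-01-01T11:00:00 src=198.51.100.9 dst=rig-03 action=file_write
2024-01-01T13:30:00 src=198.51.100.9 dst=rig-03 action=reboot
2024-01-01T14:00:00 src=203.0.113.7 dst=rig-04 action=stat
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) action=(\S+)$")
TRUSTED_SOURCES = {"10.0.0.5"}   # assumed operator management host
WINDOW = timedelta(minutes=10)   # assumed max gap between write and reboot


def find_write_then_reboot(log_text, trusted=TRUSTED_SOURCES, window=WINDOW):
    """Return (src, dst, write_time, reboot_time) for each untrusted source
    that wrote to a rig and then rebooted the same rig within the window."""
    pending = {}   # (src, dst) -> time of the most recent file_write
    alerts = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                     # skip malformed lines
        ts, src, dst, action = m.groups()
        if src in trusted:
            continue                     # operator's own management traffic
        when = datetime.fromisoformat(ts)
        key = (src, dst)
        if action == "file_write":
            pending[key] = when
        elif action == "reboot" and key in pending:
            written = pending.pop(key)
            if when - written <= window:
                alerts.append((src, dst, written.isoformat(), when.isoformat()))
    return alerts


if __name__ == "__main__":
    for src, dst, written, rebooted in find_write_then_reboot(SAMPLE_LOG):
        print(f"ALERT {src} -> {dst}: write {written}, reboot {rebooted}")
```

Any hit from an address outside the operator's own management hosts also means the RPC port is reachable from somewhere it should not be, which is the underlying exposure to close.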