Suspicious event hijacks Amazon traffic for 2 hours, steals cryptocurrency
Almost 1,300 Amazon Route 53 addresses were rerouted for two hours.
Attackers on Tuesday pulled off a complex attack that exploited weaknesses in core internet infrastructure (BGP routing and DNS) to redirect visitors of an Ethereum wallet developer's website to a phishing site.
Users of MyEtherWallet.com lost around $150,000 to the attackers after clicking through an HTTPS browser warning that the site they had been redirected to was presenting a self-signed certificate.
MyEtherWallet.com's developers said in a statement on Reddit that a number of Domain Name System (DNS) servers were hijacked at 12:00 UTC to point users to a phishing site hosted on a Russian IP address. The redirection lasted about two hours.
Anyone who unlocked a wallet on the phishing page handed their credentials to the attackers, and browsers that were already signed in would have transmitted login information via cookies. Either outcome lets the attackers log in to the real site and steal the Ether.
During the attack, eNet Inc, an Ohio-based internet service provider, was wrongly announcing parts of AWS's IP space to its peers. Internet backbone provider Hurricane Electric accepted those announcements and propagated them, which is how Cloudflare's DNS resolver came to accept the bogus route.
“During the two-hour leak, the servers on the IP range only responded to queries for MyEtherWallet.com,” explained Cloudflare engineer Louis Poinsignon.
“Any DNS resolver that was asked for names handled by Route53 would ask the authoritative servers that had been taken over via the BGP leak. This poisoned DNS resolvers whose routers had accepted the route.”
As a result, anyone using a poisoned DNS resolver, including Cloudflare's own, received IP addresses belonging to a Russian provider instead of Amazon's.
Cloudflare's public resolver 1.1.1.1 was affected in Chicago, Sydney, Melbourne, Perth, Brisbane, Cebu, Bangkok, Auckland, Muscat, Djibouti and Manila; the rest of the world was unaffected.
Amazon issued a statement saying that an upstream ISP was compromised, not AWS or Amazon Route 53 itself.
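The leak described above has two tell-tale signatures in a BGP feed: an announcement covers address space known to belong to someone else, and its origin AS is not the legitimate owner (with a more-specific prefix making it worse, because BGP prefers the most specific route wherever it is accepted). The following is an added example of such a check, not code from the article, Cloudflare or AWS; every prefix, ASN and update record is constructed from documentation ranges (RFC 5737 addresses, RFC 5398 ASNs) and stands in for the real numbers.

```python
"""Origin-hijack check for BGP announcements (added example; constructed data)."""
import ipaddress
from dataclasses import dataclass

# Constructed ground truth: the prefixes we monitor and the AS that should
# originate each one. In practice this comes from IRR/RPKI data or the
# provider's published ranges.
EXPECTED_ORIGINS = {
    ipaddress.ip_network("198.51.100.0/23"): 64496,  # stands in for a DNS provider's block
    ipaddress.ip_network("203.0.113.0/24"): 64496,
}


@dataclass(frozen=True)
class Update:
    """One BGP announcement as seen from a route collector (constructed)."""
    prefix: str
    as_path: tuple          # leftmost = neighbour that sent it, rightmost = origin AS
    collector_peer: str


def classify(update, expected=EXPECTED_ORIGINS):
    """Return the findings for one announcement; an empty list means it looks legitimate."""
    net = ipaddress.ip_network(update.prefix)
    origin = update.as_path[-1]
    findings = []
    for legit, legit_origin in expected.items():
        # subnet_of() raises on mixed address families, so check the version first.
        if net.version != legit.version or not net.subnet_of(legit):
            continue
        if origin == legit_origin:
            continue  # the owner announcing its own space, including its own more-specifics
        findings.append(
            f"origin-mismatch: {net} originated by AS{origin}, expected AS{legit_origin}")
        if net.prefixlen > legit.prefixlen:
            findings.append(
                f"more-specific: {net} would override the legitimate {legit} wherever accepted")
    return findings


def scan(updates, expected=EXPECTED_ORIGINS):
    """Map each suspicious announcement (prefix, collector peer) to its findings."""
    report = {}
    for upd in updates:
        findings = classify(upd, expected)
        if findings:
            report[(upd.prefix, upd.collector_peer)] = findings
    return report


# Constructed feed: the legitimate /23 from its owner, a /24 carved out of the same
# space but originated by a different AS and relayed through a transit network (the
# hijack), an unrelated prefix, and the owner's own announcement of its /24.
SAMPLE_UPDATES = [
    Update("198.51.100.0/23", (64500, 64496), "collector-a"),
    Update("198.51.100.0/24", (64500, 64511), "collector-a"),  # the hijack
    Update("192.0.2.0/24", (64500, 64499), "collector-a"),
    Update("203.0.113.0/24", (64502, 64496), "collector-b"),
]

if __name__ == "__main__":
    for key, findings in scan(SAMPLE_UPDATES).items():
        print(key, *findings, sep="\n  ")
```

Feeding real collector data (for example a BGP update dump) into `scan` in place of `SAMPLE_UPDATES` turns this into the kind of monitor that would have raised an alert while the leak was still in progress rather than after it stopped.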
“Neither AWS nor Amazon Route 53 were hacked or compromised. An upstream internet service provider was compromised by a malicious actor who then used that provider to announce a subset of Route 53 IP addresses to other networks with whom this ISP was peered,” Amazon said.
“These peered networks, unaware of this issue, accepted these announcements and incorrectly directed a small percentage of traffic for a single customer’s domain to the malicious copy of that domain.”
Security expert Kevin Beaumont noted that the attackers were well-resourced, controlling a wallet that currently has nearly $16m in Ethereum. The incident also highlighted well-known weaknesses in core internet infrastructure.
“Mounting an attack of this scale requires access to BGP routers at major ISPs and real computing resource to deal with so much DNS traffic. It seems unlikely MyEtherWallet.com was the only target, when they had such levels of access,” he wrote.
“The security vulnerabilities in BGP and DNS are well known, and have been attacked before. This is the largest scale attack I have seen which combines both, and it underscores the fragility of internet security. It also highlights how almost nobody noticed until the attack stopped. There is a blind spot.”
Originally published on ZDNet
Hackers made off with about $152,000 worth of Ether on Tuesday in an attack that exploited weaknesses in the internet’s infrastructure to steal users’ cryptowallet keys.
The hackers did so by exploiting a weakness in the DNS servers serving MyEtherWallet, a web-based Ethereum wallet interface. DNS is the service that maps a domain name like myetherwallet.com to the IP address the site is hosted on.
“This is not due to a lack of security on the [MyEtherWallet] platform. It is due to hackers finding vulnerabilities in public facing DNS servers,” the company wrote in a Reddit post.
Hackers hijacked the DNS servers around noon UTC, the company said, and redirected user traffic to a replica of myetherwallet.com hosted on a Russian server. The actual exploit was carried out through the Border Gateway Protocol (BGP), explains security researcher Kevin Beaumont. BGP is the routing protocol by which networks tell each other which IP address ranges they can reach; a network that announces a range it does not own, or a more specific slice of it, can pull traffic for those addresses to itself.
MyEtherWallet noted in the Reddit post that, because users were rerouted to a phishing website, they likely clicked through a browser warning that the site they were visiting did not have a valid SSL certificate.
The root cause of the attack is not yet clear, but the hackers appear to have rerouted IP addresses belonging to Route 53, Amazon Web Services' DNS service.
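Because only resolvers that had accepted the bogus route were poisoned, the cheapest detection from the site operator's side is to poll the domain from several vantage resolvers and flag any answer outside the address set you actually operate. The following is an added example of that check, not code from the article or from MyEtherWallet; the domain name, addresses and resolver snapshot are constructed from documentation ranges, and in practice the snapshot would be filled from real queries made with a DNS client.

```python
"""Spot poisoned resolvers by comparing their answers with what we host (added example)."""
import ipaddress

# Constructed ground truth: the addresses we actually serve wallet.example from.
EXPECTED_A = {
    "wallet.example": frozenset(
        ipaddress.ip_address(a) for a in ("203.0.113.10", "203.0.113.11")),
}

# Constructed snapshot of A answers gathered from several resolvers during the window.
SAMPLE_SNAPSHOT = {
    "resolver-chicago":   {"wallet.example": ["198.51.100.77"]},                 # poisoned
    "resolver-sydney":    {"wallet.example": ["198.51.100.77"]},                 # poisoned
    "resolver-london":    {"wallet.example": ["203.0.113.10", "203.0.113.11"]},
    "resolver-frankfurt": {"wallet.example": ["203.0.113.11"]},                  # partial but legitimate
    "resolver-tokyo":     {"wallet.example": []},                                # timeout/SERVFAIL, nothing to judge
}


def unexpected_answers(answers, expected=EXPECTED_A):
    """Return {name: set of addresses not in our expected set} for one resolver's answers."""
    bad = {}
    for name, addrs in answers.items():
        if name not in expected:
            continue  # only names we have ground truth for can be judged
        extra = {ipaddress.ip_address(a) for a in addrs} - expected[name]
        if extra:
            bad[name] = extra
    return bad


def audit(snapshot, expected=EXPECTED_A):
    """Classify every resolver as 'poisoned', 'clean' or 'no-data'."""
    verdicts = {}
    for resolver, answers in snapshot.items():
        if not any(answers.get(name) for name in expected):
            verdicts[resolver] = "no-data"   # an empty answer is not evidence either way
        elif unexpected_answers(answers, expected):
            verdicts[resolver] = "poisoned"
        else:
            verdicts[resolver] = "clean"
    return verdicts


def rogue_addresses(snapshot, expected=EXPECTED_A):
    """Collect the impostor addresses across all resolvers and how many resolvers served each."""
    counts = {}
    for answers in snapshot.values():
        for extra in unexpected_answers(answers, expected).values():
            for addr in extra:
                counts[str(addr)] = counts.get(str(addr), 0) + 1
    return counts


if __name__ == "__main__":
    for resolver, verdict in audit(SAMPLE_SNAPSHOT).items():
        print(f"{resolver:20} {verdict}")
    print("impostor addresses:", rogue_addresses(SAMPLE_SNAPSHOT))
```

The impostor address list is what you would hand to the hosting provider and to browser blocklists; the per-resolver verdicts show the geographic footprint of the leak, which matched the list of Cloudflare locations affected in this incident.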
DNS provider Cloudflare explained in a blog post about the incident that a BGP leak happens when a range of IP addresses is “announced” by an outside party, which could be a configuration mistake or done with malicious intent.
In Tuesday’s incident, a range of IP addresses belonging to AWS appears to have been rerouted via internet service provider eNet. It’s not clear how the fraudulent routes came to be announced by eNet.
“Neither AWS nor Amazon Route 53 were hacked or compromised,” an AWS spokesperson said in a statement. “An upstream Internet Service Provider (ISP) was compromised by a malicious actor who then used that provider to announce a subset of Route 53 IP addresses to other networks with whom this ISP was peered. These peered networks, unaware of this issue, accepted these announcements and incorrectly directed a small percentage of traffic for a single customer’s domain to the malicious copy of that domain.”
The attackers reportedly redirected traffic for about two hours. In that time, they managed to steal 215 Ether, amounting to about $152,000 at the time. The hackers had millions of dollars worth of Ether in their cryptowallets before the attack started, according to Beaumont, suggesting that they were well-resourced for an operation of this scale.
Beaumont notes that obtaining that access, together with the computing power needed to absorb that volume of DNS traffic, is a significant undertaking, which suggests the wallet site may not have been the only target.
“It seems unlikely MyEtherWallet.com was the only target, when they had such levels of access,” Beaumont writes.
This post has been updated with a statement from Amazon Web Services.
Originally published on https://www.cyberscoop.com/