Suspicious Event Hijacks Amazon Traffic For 2 hours, Steals Cryptocurrency

Amazon lost control of some of its widely used cloud services for two hours on Tuesday morning when hackers exploited a known Internet-protocol weakness that allowed them to redirect traffic to rogue destinations, according to media reports. ArsTechnica: The attackers appeared to use one server masquerading as cryptocurrency website MyEtherWallet.com to steal digital coins from unwitting end users. They may have targeted other customers of Amazon's Route 53 service as well. The incident, which started around 6am California time, hijacked roughly 1,300 IP addresses, Oracle-owned Internet Intelligence said on Twitter. The malicious redirection was caused by fraudulent routes that were announced by Columbus, Ohio-based eNet, a large Internet service provider that is referred to as autonomous system 10297. Once in place, the eNet announcement caused some of its peers to send traffic over the same unauthorized routes. [...] Tuesday's event may also have ties to Russia, because MyEtherWallet traffic was redirected to a server in that country, security researcher Kevin Beaumont said in a blog post. The redirection came by rerouting domain name system traffic and using a server hosted by Chicago-based Equinix to perform a man-in-the-middle attack. MyEtherWallet officials said the hijacking was used to send end users to a phishing site. Participants in this cryptocurrency forum appear to discuss the scam site. Further reading: Hacker Hijacks DNS Server of MyEtherWallet to Steal $160,000 (BleepingComputer).

Re:

[account_deleted]

Comment removed based on user account deletion

My Ether Wallet again?!

[monkeyzoo]

Again?!
The Classic Ether Wallet version of My Ether Wallet also had a domain attack that ripped people off last year...

https://www.ccn.com/classic-et... [ccn.com]

Why people would trust a web interface for this instead of running a local javascript version I don't know. :/

Re: Wait a minute

[saloomy]

You are confusing two technologies. The DNS systems employed by lets encrypt doo foot server lookups, and it would be difficult to have a coordinated attack hijack all of their authorization servers. The vulnerability here is in BGP, which advertises routes to public IPs. There are no defenses or security against route hijacking, which allows an attack to take place.

Re:

[TechyImmigrant]

>There are no defenses or security against route hijacking

Yes there are. Common web password authentication is not one of them. Blame the browser vendors.

Re:

[sabbede]

Does that bypass or defeat DNSSEC?

Re:

[lastman71]

From the fine article:

"the phishing site used a fake HTTPS certificate that would have required end users to click through a browser warning."

So: yes it's protected from https... if the user is smart enough to do not accept a fake certificate.

Re:

[greenwow]

That's BS unless you can upload a file to the target web server or hijack the DNS that Let's Encrypt uses.

Re:

[lgw]

GPP said "real certificate to a fake site". Did you real that carefully? It's one of the proven DNS-related attacks, although one that's a lot harder these days than when it was first exploited. Attacks included:
* Typosquatting name (or common misspelling)
* Names with different punctuation, e.g. "bank-of-america.com" has a certificate, and it looks like "bankofamerica.com", but I wouldn't trust it.
*Lookalike names via UTF8 tricks (I think every current browser protects against this one now)
* long URLs th

Re:

[Cramer]

Done. And Done. They took over the address space for Amazon's DNS service (Route 53), so they ARE the DNS for many domains. That gives them 100% control of all DNS answers, including where the server is. That traffic now goes to a server they control. It's trivial to get a Let's Encrypt signed certificate under these conditions.

(Of course, these guys didn't even bother to do that.)

Re:

[arglebargle_xiv]

Not just Lets Encrypt, from any CA. DV means you control the domain, which the attackers did. The only difference is that Lets Encrypt gives you the cert while other CAs charge you for it.

Re:

[dev-in-seattle]

But there's a problem, a lot of sites I use in my daily life have out of date security because of the tls version change recently. Chrome tells me that 3 or 4 sites I use where I type my password have dangerous security.

Re:

[Anonymous Coward]

You shouldn't trust a company that can't afford a certificate a year. Less three of them. You sure actually your system certificates are up to date?

Re:

[Anonymous Coward]

Honestly, who wouldn't hack from / to Russia with the current climate. It's the perfect cover.

Re:

[vtcodger]

And anyway, it's all Hillary's fault.

Re:

[Anonymous Coward]

It isn't about WWIII, it's about Hillary losing an election that she bought and paid for.

Re:

[Anonymous Coward]

I love how this gets modded down.

But mod up a conservative post or three, and you will lose your modding opportunities for life.

But sure. Mod down what you don't agree with. Accuse everyone of being a Russian who doesn't agree with you. Live in terror of the Ivan under your bed.

I've already lived through the Cold War once. At least then we knew the other side was literally killing millions of people. Now, it's just about a DNC cartel that would establish its own flavor of the Soviet system here, who sc

Re:

[socheres]

mod up!

Re:Click-bait title?

[jeffasselin]

This was not dns hijacking. It’s BGP hijacking. The routing protocol is horribly outdated and has no security at all. No authentication, no validation. We need a new version of BGP that includes some way to authenticate updates and ensure the routes are for addresses the AS number is authoritative for in some way.

Re:Click-bait title?

[I4ko]

It has security. The edge providers have responsibility to not accept announces from customers for IP subtest that do not belong to them. It seems like the guys in Ohio screwed up and allowed receiving and redistributing any announce whatsoever. This is not backbone. Edges should use BGP filters from customers

Re:Click-bait title?

[lgw]

That's not "security", that's "good intentions".

Re:

[jaymemaurice]

I think you mean best practices. You can't just update the routing protocol and expect people to use it properly.
You can't fix incompetence by simply changing standards all the time.

Really, this attack was made possible by a whole lot of incompetence at many layers.

In the end, DNS will likely fix everything...
https://www.rfc-editor.org/rfc... [rfc-editor.org]

Re:

[arglebargle_xiv]

In the end, DNS will likely fix everything...

Uptake of DANE, and a large pile of other lets-stuff-security-things-in-the-DNS that people have come up with over the years, is about the same as Firefox' market share. Don't count on this to fix anything.

Re:

[jbmartin6]

That's like saying Word for Windows has security because users aren't supposed to enable malicious macros.

Re:

[Anonymous Coward]

No authentication, no validation. We need a new version of BGP that includes some way to authenticate updates and ensure the routes are for addresses the AS number is authoritative for in some way

Authentication normally involves some form of authority. (They even use the same root word). How would you authorize routes when no authority exists?

I think there has to be a better way to do this, but I suspect it's not through authentication or authorization.

Re:

[Cramer]

There are plenty of ways to secure BGP, and routing in general. However, just like the locks on your house, they don't do you any good if you don't actually lock them. We have yet to see a BGP session be hijacked, or an external attacker inject a rogue route into an established BGP session. What we DO see all the time are flaming idiots accepting whatever the hell someone advertises.

Re:

[olsmeister]

I guess technically they never really had control of the DNS resolution.

$160k? Bzzt. Nope. Try again.

[Zocalo]

Try following the "Out" transactions. Eventually (five or six hops) you're going to end up at this wallet [etherscan.io], which currently contains over $17 MILLION USD of ETH. Not bad for a couple of hours work...

Re:

[Anonymous Coward]

If you look at the largest majority of the In transactions in that wallet you'll see that they are all automatted transfers from different mining applications. The guy is a major mining outfit, probably not the scammer.

Re:

[Zocalo]

The fact that all the Out transactions from a demonstrable BGP hijaack and well implemented spoof site scam end up in this account isn't enough to convince you that it's shady as hell and the owner is just a (fairly serious) miner? Try taking a look at the transaction patterns, yes there are a lot of of them, but the patterns are pretty clear to spot; lots of transfers in a short timeframe, a pause, then another batch and so on. Yeah, I'm pretty sure this wallet's owner is almost certainly involved in min

Just stop the Russia-did-it bullshit

[Anonymous Coward]

Why the hell would the Russian government steal a few millions of crypto currency? It's the scale equivalent of a millionaire setting up a sophisticated shop and scheme to heist a few pennies, it just makes no sense.

Re:Just stop the Russia-did-it bullshit

[nuckfuts]

It's not the Russian government doing the stealing. It's the Russian government not giving a shit that Russian citizens are stealing.

Re:Just stop the Russia-did-it bullshit

[dinfinity]

Russian citizens? If you were a hacker (of any nationality), servers in which country would you use to hide your tracks?

Re:

[nuckfuts]

OK, let's say "people operating from hosts in Russia". Either way, I don't think the Russian government cares.

Re:

[nuckfuts]

FFS. How literally do I have to spell out what I'm suggesting?

I don't think the Russian government cares to stop the activity.

Re:

[rtb61]

Appear to operate from a hose in Russia, well at least the last detected, point. Just highjack a server anywhere temporarily. Russian servers are good because the US is so desperate to play spy vs spy shit, they can not sit down with the Russian government and sort out some cross border computer crime investigation treaties. So by the time anything is done about the server, the hackers are long gone.

Of course any espionage agency, from anywhere in the world, could have been involved in this. Not directly,

Re:

[dinfinity]

Agreed, which is exactly why routing your malicious traffic through Russian servers is a great idea.

Re:

[Anonymous Coward]

It's not the Russian government doing the stealing. It's the Russian government not giving a shit that Russian citizens are stealing.

Would you expect the US government to lift a finger against a US citizens stealing vaporcoins from Russians?