Posts

Attack: AWS Route 53 Hijack

In late April, a complex attack was executed in the core internet infrastructure by attackers that redirected users of the MyEtherWallet.com website towards a phishing site.

The incident has been described as a BGP or Border Gateway Protocol “leak” that allowed the attackers to wrongly announce protocol (IP) in a space that’s owned by Amazon’s Route 53 managed DNS service. The hackers were able to hijack DNS entries after executing a BGP route hijack that redirected entire swaths of internet traffic meant for Amazon servers to systems that they controlled. Attackers acquired over $150,000 from the site because users ignored an HTTPS browser warning that stated that the site that was using a self-signed TLS certificate.

Some of the hijacked traffic was used by the MyEtherWallet.com internal team. Because of this discrepancy, attackers were able to point domain name resolutions from the MyEtherWallet.com domain to an IP address located in Russia, where they hosted their fake version of the MyEtherWallet.com website that logged private keys. Users who were logged into their account could have had their credentials compromised and users who had already signed in would have transmitted login information through cookies. Once the credentials had been compromised, attackers then were able to login and steal Ethereum from victims wallets. It was reported that DNS servers were hijacked at 12pm UTC on April 25th, and it appears that the redirects occurred for approximately 2 hours. The incident highlighted a well-known weaknesses in core Internet infrastructure.

Proficio Threat Intelligence Recommendations:

  • Do not input personal information into sites using self-signed TLS certifications
  • Block traffic from IP addresses geo-located in Russia

General Information – Click Here