AWS DNS network hijack turns MyEtherWallet into ThievesEtherWallet
Audacious BGP seizure of Route 53 IP addys followed by crypto-cyber-heist
Updated Crooks today hijacked internet connections to Amazon Web Services systems to ultimately steal a chunk of alt-coins from online cryptocurrency website MyEtherWallet.com.
The Ethereum wallet developer confirmed on Tuesday morning that thieves redirected DNS lookups for its dot-com to a malicious website masquerading as the real thing. That meant some people logging in to MyEtherWallet.com were really connecting to a bogus site and handing over their details to criminals, who promptly drained ETH from their marks' wallets.
Victims had to click through a HTTPS error message, as the fake MyEtherWallet.com was using an untrusted TLS/SSL certificate. The bandits have amassed $17m in Ethereum in their own wallet over time.
Crucially, this DNS hijacking was possible after miscreants pulled off a classic BGP hijacking attack on AWS. MyEtherWallet.com uses Amazon's Route 53 DNS service so that when people try to visit the dot-com, AWS looks up and returns to web browsers the IP addresses of the wallet website's web servers.
Between 11am and 1pm UTC today, someone was able to send BGP – Border Gateway Protocol – messages to the internet's core routers to convince them to send traffic destined for some of AWS's servers to a renegade box in the US.
That rogue machine then acted as AWS's DNS service, and gave out the wrong IP addresses for MyEtherWallet.com, pointing some unlucky visitors to the dot-com at a phishing site that stole their money.
Specifically, the following 1,300-odd AWS-owned IP addresses were hijacked via BGP meddling:
BGP hijack this morning affected Amazon DNS. eNet (AS10297) of Columbus, OH announced the following more-specifics of Amazon routes from 11:05 to 13:03 UTC today:— InternetIntelligence (@InternetIntel) April 24, 2018
BGP is the glue of the internet. The 'net breaks and fixes itself over and over, throughout the day, every day, as physical routes between machines and networks open up and close, or are altered. The routing equipment at the core of the internet exchanges BGP messages to maintain their tables of active routes. These routes ensure that if you're using the public IP address of, say, 22.214.171.124 to connect to a system at 126.96.36.199, your packets are sent through the appropriate networks and physical links to reach the right box.
If these table entries are maliciously altered to point traffic away from the intended target, connections to websites and services can be hijacked. It's sometimes a little too easy to pull this off, and it almost invariably ends in fraud.
"As soon as I logged in [to myetherwallet.com], there was a countdown for about 10 seconds and a transfer was made sending the available money I had on the wallet to another wallet," wrote one victim of today's crypto-cash heist.
"I have no idea what happened. I barely download things and thought I was careful enough at least to avoid problems."
In this case, it is thought the thieves used a compromised Equinix-hosted server in Chicago to capture traffic rerouted from AWS's Route 53 DNS service. Technically, the miscreants behind the hijacking could have snatched control of all sites using Route 53 for DNS. The impact of the hijacking could have been a lot worse than a raid on ETH money stores.
The malicious phishing site was hosted in Russia. The only indication something was amiss was the self-signed certificate the phishing page presented, when people tried to connect to MyEtherWallet.com.
It is claimed the network block AS10297, belonging to Ohio-based website hosting biz eNet, announced it could take over traffic destined for some of AWS's IP addresses. eNet peers with big-name carriers Level 3, Hurricane Electric, Cogent, NTT and others, and is therefore plugged into the internet's backbone. eNet was well placed to alter part of the world's internet plumbing to redirect connections to Route 53's DNS service, in other words.
It's highly likely someone took eNet's systems on a joyride – ie: without permission – to make this routing adjustment announcement.
The attack is now believed to have been addressed, with the routes restored, although some DNS caches may still hold the wrong IP addresses for Myetherwallet.com for a while. The site is advising customers to use caution and, if possible, keep their wallets offline. The website is also advising punters to switch their DNS settings from Google's DNS servers to those of Cloudflare, which seemed to have ignored today's switcheroo.
"Users, PLEASE ENSURE there is a green bar SSL certificate that says 'MyEtherWallet Inc' before using MEW," MyEtherWallet's admins pleaded within the past few hours.
"We advise users to run a local (offline) copy of the MEW (MyEtherwallet). We urge users to use hardware wallets to store their cryptocurrencies."
MyEtherWallet is also advising customers to be on the lookout for "refund" scams, where thieves ask users to hand over payment in order to receive a return for their stolen funds. This has become a common scam on Twitter and cryptocurrency message boards.
The attack is also, as you'd expect, causing a stir outside of the Ethereum community. The hijack underscores the need to address fundamental vulnerabilities in BGP, which was designed in the early days of the internet when trust between networks was implied. These days, DNSSEC and HSTS would be a nice start.
Today's attack on @myetherwallet (via BGP hijack of AWS name servers) proves beyond doubt that everyone should implement DNSSEC and HSTS asap!— Patryk Szczygłowski (@epatryk) April 24, 2018
DNSSEC = resolvers would deny fake records
HSTS = browsers would prevent users burning themselves from self-signed certs.
UK-based infosec pro Kevin Beaumont reckons other sites may have been targeted, noting that the Myetherwallet attack was only spotted after the DNS redirects had stopped on their own.
"Mounting an attack of this scale requires access to BGP routers at major ISPs and real computing resource to deal with so much DNS traffic," Beaumont said. "It seems unlikely Myetherwallet.com was the only target, when they had such levels of access."
A spokesperson for AWS was not available for immediate comment. An eNet rep declined to comment: "We're not interested, thank you." ®
Updated to add
An Equinix spokesperson just sent El Reg the following statement:
The server used in this incident was not an Equinix server but rather customer equipment deployed at one of our Chicago IBX data centers. Equinix is in the primary business of providing space, power and a secure interconnected environment for our more than 9,800 customers inside 200 data centers around the world."
We generally do not have visibility or control over what our customers – or customers of our customers – do with their equipment. Our role is to provide the best environment possible for our customers to transform their business.
And a spokesperson for AWS has been in touch to tell us:
Neither AWS nor Amazon Route 53 were hacked or compromised. An upstream Internet Service Provider (ISP) was compromised by a malicious actor who then used that provider to announce a subset of Route 53 IP addresses to other networks with whom this ISP was peered. These peered networks, unaware of this issue, accepted these announcements and incorrectly directed a small percentage of traffic for a single customer’s domain to the malicious copy of that domain.
So in short, eNet was commandeered by miscreants to persuade its peers – potentially Hurricane Electric, Level 3, and others – to reroute the internet's traffic from some Route 53 DNS servers to a malicious DNS server that then misdirected visitors to MyEtherWallet.com to a phishing website, all to steal approximately $150,000 in Ethereum.