The rerouting of user traffic to Myetherwallet, which led to $150,000 of cryptocurrency being taken from customer wallets, may not have been the most significant hack in crypto terms, but it is certainly notable for its meticulous execution.
For a period the hackers took over the route to the Domain Name System (DNS) servers of Amazon Web Services, which hosts the Myetherwallet website. They did this by hacking into the backbone of the internet: the Border Gateway Protocol (BGP), which is designed to exchange routing information across the internet. The hackers then redirected traffic bound for the Amazon DNS servers to their own servers, based in Russia, where they served a fake version of the Myetherwallet website.
In simple terms, internet traffic destined for the Ethereum website was tricked into going to a fake version of the site for two hours. People who logged into the fake version would have handed the hackers access to their wallets, which were then drained of digital currency.
A two-pronged attack
Although it sounds like either Amazon Web Services (AWS) or Myetherwallet, or both, was hacked, technically neither of them was. An Amazon spokesperson said in a press statement, “neither AWS nor Amazon Route 53 were hacked or compromised. An upstream Internet Service Provider was compromised by a malicious actor who then used that provider to announce a subset of Route 53 IP addresses to other networks with whom this ISP was peered.”
This attack will be of high interest to those involved in cybersecurity. While DNS rerouting has been a common attack for years and BGP is a well-known fundamental weak spot in the internet infrastructure, it is quite uncommon to see both tactics employed in the same attack, and that combination underscores the fragility of internet security.
Patrick Blampied, an information security manager, agrees that neither Amazon nor Myetherwallet was at fault. “This was not as a result of a flaw or vulnerability within Ethereum or AWS,” he said. “Amazon’s DNS servers would have had no idea that the paths coming from the BGP routers were rerouted.”
Companies subscribe to AWS for DNS services. DNS records include an IP address that matches a website URL. “Just like a phone contact has a phone number and a person’s name. In the cell phone example it’s like hacking the cell tower and rerouting the phone call to another phone. Same phone number but routed elsewhere.”
Blampied said to think of BGP routers like a cell tower: “These routers are the backbone of the internet and often sit within ISPs [internet service providers] or core network data centers. They all update each other in a domino effect automatically with records of where other routers are, so to manage sending traffic on a path via A to B.”
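The mechanism Amazon describes, an upstream network announcing a subset of someone else's address space, is what RPKI route origin validation (RFC 6811) exists to catch: a more-specific prefix from an unauthorised origin AS is classified as invalid rather than accepted. The example below is added here and is not code from the article or from Amazon or Myetherwallet; the prefixes and AS numbers are constructed documentation-range and private-range values, not the real Route 53 ranges.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """Route Origin Authorization: which AS may originate a prefix, up to max_length."""
    prefix: str
    max_length: int
    origin_as: int


@dataclass(frozen=True)
class Announcement:
    """A received BGP route: the prefix and its AS_PATH (rightmost entry is the origin AS)."""
    prefix: str
    as_path: tuple


def validate(ann, roas):
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(ann.prefix)
    origin = ann.as_path[-1]
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # subnet_of() only compares networks of the same address family
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"  # no ROA says anything about this address space
    for roa in covering:
        if roa.origin_as == origin and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"  # covered by a ROA, but wrong origin or more specific than allowed


def suspicious_routes(feed, roas):
    """Return the announcements a defender should alert on (validation state 'invalid')."""
    return [ann for ann in feed if validate(ann, roas) == "invalid"]


# Constructed sample data: documentation prefixes and private ASNs, not real Route 53 ranges.
ROAS = [Roa("192.0.2.0/24", 24, 64500)]                    # AS64500 stands in for the DNS provider
LEGIT = Announcement("192.0.2.0/24", (64510, 64500))       # via a transit AS, origin AS64500
HIJACK = Announcement("192.0.2.0/25", (64511, 64496))      # more-specific slice, wrong origin
UNKNOWN = Announcement("198.51.100.0/24", (64510, 64512))  # address space with no ROA at all
FEED = [LEGIT, HIJACK, UNKNOWN]
```

Running `suspicious_routes(FEED, ROAS)` returns only the more-specific announcement from the wrong origin; the same logic applied to a live route collector feed is how operators spot such hijacks within minutes rather than hours.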
On top of the estimated $150,000 in ether that was stolen, The Verge reported that the hackers’ wallet was also funded with about $17 million.
“This is a very interesting hack to me as it was very well planned and architected. It’s more to do with the use of very old technology in the BGP protocol that has been used for years to run the internet. This was well-funded and supported, very likely Russia state sanctioned. North Korea is trying this approach. Russia has done this before and routed all internet traffic destined to Mexico via the Ukraine.”
The total access the hackers had to the ISP servers could even suggest an insider job, Blampied said. “Perhaps an employee was paid off or blackmailed.”
Myetherwallet is so far the only entity to report stolen funds, but considering the control the hackers had of the ISP server for those few hours and the scale of the operation, it wouldn’t be surprising if more instances came to light.