Fraud Management & Cybercrime , Governance & Risk Management , Legacy Infrastructure Security

Cryptocurrency Heist: BGP Leak Masks Ether Theft

Essential Internet Infrastructure - DNS, BGP - Remains Vulnerable, Experts Warn
Cryptocurrency Heist: BGP Leak Masks Ether Theft
Attackers used a BGP leak to spoof internet routing information, allowing them to steal credentials from users of

Want to steal cryptocurrency? Then spoof internet routing information to ensure that anyone who attempted to visit - a free, open source web app for storing and sending ether-based tokens - got routed instead to an attacker-controlled site.

See Also: More than Risk Scores - Data Enriched eCommerce Order Review

That was the tactic practiced on Tuesday by one or more attackers beginning at 7:05 a.m. U.S. Eastern Time and continuing for about two hours, after attackers successfully created a border gateway protocol leak. BGP distributes routing information, enabling routers to connect users with specific IP address prefixes.

But attackers, not for the first time, were able to claim control of a range of IP addresses that they shouldn't have controlled, and then reroute all visits to those IP addresses to passively analyze the data, including log-in details for cryptocurrency accounts (see Who's Hijacking Internet Routes?).

Security experts say it's a reminder that BGP and DNS are in desperate need of a security overhaul. "BGP and DNS are the soft underbelly of the web," Alan Woodward, a professor of computer science professor at the University of Surrey, tells Information Security Media Group. "Hence it's not surprising that criminals have used these to hijack people's cryptocurrency."

Target: Amazon DNS Service

In the case of the Tuesday attack, it affected Amazon Route 53, a domain name system web service that's part of Amazon Web Services, says Cisco's Internet Intelligence. The service's name is a reference to port 53 on TCP or UDP, which is where DNS server requests get addressed.

Researchers say nearly 1,300 addresses got rerouted for the two-hour attack period to IP addresses associated with a Russian provider.

"You did not need to accept the hijacked route to be victim of the attack, just use a DNS resolver that had been poisoned," Louis Poinsignon, a network engineer at Cloudflare, says in a blog post.

"Neither AWS nor Amazon Route 53 were hacked or compromised," an AWS spokeswoman tells ISMG. "An upstream internet service provider was compromised by a malicious actor who then used that provider to announce a subset of Route 53 IP addresses to other networks with whom this ISP was peered. These peered networks, unaware of this issue, accepted these announcements and incorrectly directed a small percentage of traffic for a single customer's domain to the malicious copy of that domain."

Not all regions appear to have been affected by the attack. In affected regions, however, the vast majority of DNS requests to the affected IP ranges traveled via attackers' servers, according to Cloudflare.

The attack wouldn't automatically exploit users. But users that did click through security alerts could have been automatically exploited.

Users accessing a site in the affected IP prefix range would have been presented with this type of alert. (Source: Cloudflare)

"If you were using HTTPS, the fake website would display a TLS certificate signed by an unknown authority (the domain listed in the certificate was correct but it was self-signed). The only way for this attack to work would be to continue and accept the wrong certificate. From that point on, everything you send would be encrypted but the attacker had the keys," Poinsignon says.

Users could then fall victim if they were already logged in, or if they then entered their information into the login page.

"If you were already logged in, your browser will send the login information in the cookie. Otherwise, your username and password would be sent if you typed them in on a login page," Poinsignon says. "Once the attacker got the login information, it used them on the legitimate website to transfer and steal ethereum," aka ether coins.

The fake HTTPS certificate served by the attacker was a bad move, because "people's browsers noticed," meaning anyone who heeded their browser's alert would have been safe. "HTTPS certificate warnings are there for a reason," says Matt Tait, a former information security specialist at Britain's GCHQ intelligence agency who's now a senior cybersecurity fellow at the Robert S. Strauss Center for International Security and Law at the University of Texas at Austin, via Twitter.

"But the attackers could have done a smarter thing: So far as HTTPS certificate providers are concerned, they were then in control of MyEtherWallet,com," says Tait, who tweets as @pwnallthethings. "They could have used LetsEncrypt (or someone else) to issue a live HTTPS cert for it, and browsers would have seen it as valid.

Caveat Cryptocurrency User

It's not clear how many users may have lost ether due to the attack, although some reports have suggested that 515 ether coins - as of Wednesday, worth about $320,000 - had been stolen and was already being rerouted through multiple wallets to make it toughter to trace (see Criminals Hide 'Billions' in Cryptocurrency, Europol Warns).

It's also not clear how many other sites or services might have been subverted.

"The attacks only gained a relatively small amount of currency from - however their wallets in total already contained over [$28 million] of currency," British security researcher Kevin Beaumont, aka @Gossithedog, says in a blog post.

"Whoever the attackers were, [they] are not poor," he says.

MyEtherWallet says it is not responsible for any losses. Users of the site see a guide that begins with "MyEtherWallet is not a bank" and warns: "You and only you are responsible for your security."

The site adds: "We cannot recover your funds or freeze your account if you visit a phishing site or lose your private key."

Attackers Target Cryptocurrency

The heist is one more illustration that cryptocurrency and exchanges' infrastructure continue to be exploited as attackers continue to find numerous vulnerabilities (see Cryptocurrency Infrastructure Flaws Pose Bitcoin Risks).

Attackers have previously used BGP to route internet traffic via attacker-controlled servers, sometimes on a massive scale, potentially for cyber espionage purposes.

And the Tuesday incident is not the first time that attackers have subverted BGP for unauthorized cryptocurrency gain (see Cybercriminals Go Cryptocurrency Crazy: 9 Factors).

In 2014, Dell Secureworks spotted a four-month campaign that involved redirecting traffic from major internet service providers to trick bitcoin-mining pools into sharing their processing power with attackers, giving them more bitcoin-generating power. Dell estimated that the attacker was able to use the free processing power to generate bitcoins worth about $84,000.

But the weaknesses in BGP that attackers are continuing to exploit have been well documented for more than two decades. They're a reminder that "the internet is held together with spit and chewing gum," says Surrey University's Woodward via Twitter.

One ongoing challenge is that BGP is not authenticated, and thus remains at risk of being spoofed.

"BGP spoofing is very difficult to defend against," Woodward wrote in a 2013 blog post that he says remains relevant. "There are ways to mitigate attacks but no universal defense exists."

BGP's Security Makeover: Overdue

But BGP could be updated to ensure that these types of attacks didn't succeed.

Needed fixes would come in the form of updated Domain Name System Security Extensions - DNSSEC - from the Internet Engineering Task Force, but no such efforts are on the horizon. "There has been talk for years about mitigating BGP and the track record for DNSSEC is woeful," Woodward tells ISMG. "Bottom line is that very little has changed in practice in these regards for many years."

In part, that's due to BGP's needed information security makeover facing geopolitical challenges. As Sharon Goldberg, a Boston University computing science professor, noted in a 2014 research paper, the BGP protocol "lacks a single centralized authority that can mandate the deployment of a security solution; instead, every organization can autonomously decide which routing security solutions it will deploy in its own network."

This story has been updated with a statement from AWS.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.