Hijackers used the attack to steal cryptocurrency
Amazon lost control of 1,300+ Amazon Cloud Services IP address for two hours yesterday, when hackers used a Border Gateway Protocol (BGP)-hijacking to reroute traffic to rogue destinations.
The incident hijacked addresses belonging to Route 53, Amazon’s domain name system service, Internet Intelligence said on Twitter.
Those responsible used the hijack to steal $17 million in ETH alt-coins from online cryptocurrency website MyEtherWallet.com.
Amazon officials said: “Neither AWS nor Amazon Route 53 were hacked or compromised. An upstream Internet Service Provider (ISP) was compromised by a malicious actor who then used that provider to announce a subset of Route 53 IP addresses to other networks with whom this ISP was peered. These peered networks, unaware of this issue, accepted these announcements and incorrectly directed a small percentage of traffic for a single customer’s domain to the malicious copy of that domain.”
Old but Effective
MyEtherWallet.com said: “This redirecting of DNS servers is a decade-old hacking technique that aims to undermine the Internet’s routing system. It can happen to any organization, including large banks. This is not due to a lack of security on the @myetherwallet platform. It is due to hackers finding vulnerabilities in public facing DNS servers. A majority of the affected users were using Google DNS servers. We recommend all our users to switch to Cloudflare DNS servers in the meantime.”
Engin Kirda, co-founder and chief architect at Lastline said: “Yet another BGP-hijacking attack. We have seen such attacks (or bugs) in the past and the incident reminds me of how Pakistan managed to redirect a lot of Youtube traffic back in 2008.”
He added: “What we are actually seeing is that the main routing infrastructure of the Internet in the last 10 years has not really changed and that such attacks are still possible today. Unfortunately, though, we are now faced with adversaries that are more motivated and that want to make a quick profit as the Amazon attack now demonstrates.”