The Most Comprehensive Data Protection Solution
Discover, classify, and protect your data from all threats with the only Gartner Magic Quadrant DLP and Forrester Wave EDR Leader.
First and Only Solution to Converge:
- Data Loss Prevention
- Endpoint Detection and Response
- User and Entity Behavior Analytics
Attackers used a BGP leak to trick users and steal $150,000 in cryptocurrency on Tuesday.
Occasionally, the Internet serves up a reminder that the network is pretty fragile and highly susceptible to bad people doing bad things. Tuesday was one of those days.
For about two hours on Tuesday afternoon, traffic intended for one of Amazon’s DNS resolvers was hijacked and rerouted to a server controlled by an unknown attacker. The attacker used the server as a man-in-the-middle to serve up a phishing site that impersonated a cryptocurrency site called MyEtherWallet dot com. Over the lifespan of the hijacking event, the attackers were able to steal about $150,000 in cryptocurrency from users who deposited funds in what they thought was a legitimate site.
The attackers behind this operation haven’t been identified yet, but the method that they used is as old as the network itself. The attackers were somehow able to cause eNet, a large service provider, to announce an incorrect route for IP space that’s allocated to Amazon’s Route 53 service. This essentially told the Internet’s DNS servers that the IP space belonged to eNet rather than Amazon. The attackers did this through a BGP leak, a technique that has been known for decades and is unfortunately still relatively common.
“The cause of a BGP leak is usually a configuration mistake: a router suddenly announces the IPs it learned. Or smaller prefixes used internally for traffic engineering suddenly becoming public,” Louis Poinsignon, a network engineer at Cloudflare, wrote in an analysis of the attack.
“But sometimes it is done with a malicious intent. The prefix can be re-routed through in order to passively analyze the data. Or somebody can also set-up a service to reply illegitimately instead.”
The Definitive Guide to Data Loss Prevention
That’s what happened on Tuesday, and while we know that the attackers targeted MyEtherWallet, it’s not clear whether that site was the only target. Security researcher Kevin Beaumont said there likely were other targets that just aren’t known yet.
“Mounting an attack of this scale requires access to BGP routers at major ISPs and real computing resource to deal with so much DNS traffic. It seems unlikely MyEtherWallet.com was the only target, when they had such levels of access. Additionally, the attackers failed to obtain an SSL certificate while man-in-the-middle attacking the traffic — a very easy process — which alerted people to the issue at scale,” Beaumont wrote.
The fact that there are problems with BGP (Border Gateway Protocol) is not news. The members of the L0pht warned Congress in 1998 that there was a serious weakness in BGP that could result in the entire Internet failing. That was not hyperbole, and the weaknesses that still exist in the protocol and the DNS system threaten the stability and security of the network as a whole. In this most recent incident, the attackers made a mistake in not getting a valid SSL certificate, an error that caused browsers to warn users that the phishing site was just that. A more careful operation might have been much more devastating.
“The security vulnerabilities in BGP and DNS are well known, and have been attacked before. This is the largest scale attack I have seen which combines both, and it underscores the fragility of internet security,” Beaumont said. “It also highlights how almost nobody noticed until the attack stopped. There is a blind spot.”
Water leak image via Magnus D's Flickr photostream, Creative Commons 2.0