How Amazon’s 3 Hours of Inactivity Cost Crypto Investors $235,000
Amazon took more than three hours to regain control of IP addresses it uses to host cloud-based services after it suddenly lost control of them. During that window, attackers were able to steal $235,000 in cryptocurrency from customers of one of Amazon's affected customers.
How The Hackers Did it
Using a technique called BGP hijacking, which takes advantage of well-known flaws in a fundamental Internet protocol, the attackers took control of about 256 IP addresses. BGP, short for Border Gateway Protocol, is the standard that autonomous systems (the large networks that direct Internet traffic, each identified by an ASN) use to exchange routing information with one another.
Despite its critical role in routing massive volumes of data around the globe in real time, BGP still relies largely on the Internet equivalent of word of mouth for networks to keep track of which IP addresses legitimately belong to which ASNs.
The Hackers Became More Crafty
In August, a /24 block of IP addresses belonging to AS16509, one of at least three ASNs run by Amazon, was abruptly announced as reachable through autonomous system 209243, which is owned by the UK-based network operator Quickhost.
The hijacked block included 44.235.216.69, the address hosting cbridge-prod2.celer.network, a subdomain that served a crucial smart-contract user interface for the Celer Bridge crypto exchange.
Because they could demonstrate control of the subdomain to the Latvian certificate authority GoGetSSL, the attackers used the takeover to obtain a TLS certificate for cbridge-prod2.celer.network on August 17.
Once they had the certificate, the perpetrators deployed their own smart contract on the same domain and waited for visitors attempting to reach the legitimate Celer Bridge page.
The fraudulent contract siphoned $234,866.65 from 32 accounts, according to a report from Coinbase's threat intelligence team.
It Seems Amazon’s Been Bitten Twice
This is not the first time a BGP attack on Amazon IP addresses has resulted in substantial cryptocurrency losses. An unsettlingly similar incident involving Amazon's Route 53 domain name service occurred in 2018. That attack stole approximately $150,000 worth of cryptocurrency from MyEtherWallet customer accounts. Had the attackers used a browser-trusted TLS certificate instead of a self-signed one that forced users to click through a warning, the amount stolen would probably have been greater.
Following the 2018 attack, Amazon added more than 5,000 IP prefixes to Route Origin Authorizations (ROAs), which are publicly available records that specify which ASNs have the right to announce which IP addresses.
The change provided some protection through RPKI (Resource Public Key Infrastructure), which uses digital certificates to bind ASNs to the IP addresses they are authorized to announce.
The research shows that, to get around those defences, the attackers last month added AS16509 and the more specific /24 route to an AS-SET registered in ALTDB, a free registry in which autonomous systems publish their BGP routing policies.
In Amazon's defence, it is far from the first cloud provider to lose control of its IP addresses through a BGP attack. For more than two decades, BGP has been susceptible to careless configuration errors and outright fraud. Ultimately, the security issue is an industry-wide problem that Amazon cannot resolve on its own.
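The two checks an upstream network can apply to an announcement like the one above are RPKI route origin validation against ROAs (RFC 6811) and a prefix filter generated from an IRR AS-SET. The following added example (not code from the article, Coinbase, or Amazon) models both with constructed ROA, route-object and AS-SET data, so the reader can see why adding AS16509 to an AS-SET in an open registry lets an IRR-only filter accept the /24 while origin validation still marks it invalid. The ROA contents, the 203.0.113.0/24 route object and the AS-SET membership are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str       # authorised prefix
    max_length: int   # longest prefix length the ROA authorises
    origin_asn: int   # AS allowed to originate it


def covered_by(announced: str, container: str) -> bool:
    """True if the announced prefix lies inside the container prefix."""
    return ipaddress.ip_network(announced).subnet_of(ipaddress.ip_network(container))


def validate_origin(announced_prefix: str, origin_asn: int, roas) -> str:
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'."""
    covering = [r for r in roas if covered_by(announced_prefix, r.prefix)]
    if not covering:
        return "not-found"            # no ROA covers this prefix at all
    plen = ipaddress.ip_network(announced_prefix).prefixlen
    if any(r.origin_asn == origin_asn and plen <= r.max_length for r in covering):
        return "valid"
    return "invalid"                  # covered, but wrong origin or too specific


def irr_prefix_filter(as_set_members, route_objects) -> set:
    """Expand an AS-SET the way an IRR-driven filter generator would:
    permit every route object whose origin AS is a member of the set."""
    return {prefix for prefix, asn in route_objects if asn in as_set_members}


def irr_accepts(announced_prefix: str, permitted) -> bool:
    """Typical IRR filters also allow more-specifics of a permitted route."""
    return any(covered_by(announced_prefix, p) for p in permitted)


# Constructed data (not Amazon's or Quickhost's real registry records).
ROAS = [Roa("44.224.0.0/11", 11, 16509)]          # Amazon-style ROA, tight maxLength
ROUTE_OBJECTS = [("44.224.0.0/11", 16509),       # Amazon's route object
                 ("203.0.113.0/24", 209243)]      # the hijacker's own route object
HIJACK = "44.235.216.0/24"                        # the /24 named in the article
SET_BEFORE = {209243}                             # AS-SET before the ALTDB edit
SET_AFTER = {209243, 16509}                       # AS-SET after AS16509 was added

if __name__ == "__main__":
    print("ROV:", validate_origin(HIJACK, 209243, ROAS))                           # invalid
    print("IRR before:", irr_accepts(HIJACK, irr_prefix_filter(SET_BEFORE, ROUTE_OBJECTS)))
    print("IRR after: ", irr_accepts(HIJACK, irr_prefix_filter(SET_AFTER, ROUTE_OBJECTS)))
```

An upstream that enforced ROV would have dropped the /24 regardless of the AS-SET contents; one that built its filters from the IRR alone accepted it once the AS-SET listed AS16509.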