Amazon recently lost control of IP addresses it uses to host cloud services and took more than three hours to regain it, a lapse that allowed hackers to steal $235,000 in cryptocurrency from users of one of the affected customers, an analysis shows.
Hackers took control of around 256 IP addresses via BGP hijacking, a form of attack that exploits known weaknesses in a basic internet protocol. Short for Border Gateway Protocol, BGP is the technical specification that organizations routing traffic, known as autonomous systems and identified by autonomous system numbers (ASNs), use to interoperate with one another. Despite its crucial role in routing bulk amounts of data around the world in real time, BGP still relies heavily on the internet equivalent of word of mouth for organizations to keep track of which IP addresses rightfully belong to which ASNs.
A case of mistaken identity
Last month, autonomous system 209243, which belongs to the UK-based network operator Quickhost.uk, suddenly started announcing that its infrastructure was the correct path for other ASNs to reach what is known as a /24 block of IP addresses belonging to AS16509, one of at least three ASNs managed by Amazon. The hijacked block included 22.214.171.124, an IP address that hosted cbridge-prod2.celer.network, a subdomain responsible for serving a critical smart-contract user interface for the Celer Bridge cryptocurrency exchange.
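The announcement described above worked because BGP routers prefer the most specific route they hear: a /24 carved out of a larger block wins over the legitimate, less specific announcement. The following is an added example, not code from the article or from Amazon, Quickhost or Celer, of how a network operator can check incoming route announcements against a table of who is authorised to originate each prefix. It is a simplified version of RPKI route origin validation (RFC 6811); the ASNs (64496, 64511, 64500 from the documentation range) and prefixes (10.20.0.0/16, 192.0.2.0/24) are constructed sample values.

```python
"""Added example: a simplified RPKI-style origin check for BGP announcements.

Illustrative code only, not from Amazon, Quickhost or Celer. The ASNs and
prefixes below are constructed sample values.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """Who is authorised to originate a prefix, and down to what length."""
    prefix: str
    origin_asn: int
    max_length: int


def validate_route(prefix: str, origin_asn: int, roas: list[Roa]) -> tuple[str, str]:
    """Return (state, reason); state is valid / invalid / not-found, in the
    spirit of RFC 6811 route origin validation (simplified)."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found", "no authorisation record covers this prefix"
    too_specific = False
    for roa in covering:
        if roa.origin_asn == origin_asn:
            if net.prefixlen <= roa.max_length:
                return "valid", f"AS{origin_asn} is authorised for {roa.prefix}"
            too_specific = True
    if too_specific:
        return "invalid", f"announcement is more specific than AS{origin_asn} is authorised for"
    expected = sorted({f"AS{r.origin_asn}" for r in covering})
    return "invalid", f"origin AS{origin_asn} does not match authorised {', '.join(expected)}"


def detect_hijacks(updates: list[tuple[str, int]], roas: list[Roa]) -> list[dict]:
    """Run every (prefix, origin) update through the check and return alerts
    for anything that is not valid. A more-specific /24 from a foreign ASN,
    the pattern described in the article, lands in the origin-mismatch case."""
    alerts = []
    for prefix, origin in updates:
        state, reason = validate_route(prefix, origin, roas)
        if state != "valid":
            alerts.append({"prefix": prefix, "origin": origin, "state": state, "reason": reason})
    return alerts


# Constructed sample data: AS64496 legitimately holds 10.20.0.0/16 and may
# announce it no more specifically than /20.
SAMPLE_ROAS = [Roa("10.20.0.0/16", 64496, 20)]

SAMPLE_UPDATES = [
    ("10.20.0.0/16", 64496),   # the legitimate aggregate
    ("10.20.33.0/24", 64511),  # a foreign ASN announcing a more-specific /24
    ("10.20.33.0/24", 64496),  # right origin, but more specific than allowed
    ("192.0.2.0/24", 64500),   # no authorisation published at all
]

if __name__ == "__main__":
    for alert in detect_hijacks(SAMPLE_UPDATES, SAMPLE_ROAS):
        print(alert)
```

The second sample update is the shape of the incident in the article: a prefix that is covered by someone else's authorisation but originated by an unrelated ASN. The not-found case is worth keeping separate from invalid, because a prefix with no published authorisation at all cannot be protected by this check, whichever router runs it.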
On August 17, the attackers used the hijack to first obtain a TLS certificate for cbridge-prod2.celer.network, since they were able to prove to the Latvian certificate authority GoGetSSL that they controlled the subdomain. In possession of the certificate, the hijackers then hosted their smart contract on the same domain and waited for visits from people attempting to reach Celer Bridge's real cbridge-prod2.celer.network page.
In all, the malicious contract drained a total of $234,866.65 from 32 accounts, according to this article by Coinbase's threat intelligence team.
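The certificate step is the part of this chain a domain owner can most readily defend against, because publicly trusted certificates are logged in Certificate Transparency (CT) logs and CAs are required to honour CAA DNS records before issuing. Below is an added example, not code from the article or from Celer, Coinbase or GoGetSSL, of both controls: auditing CT-style entries for monitored zones against an expected-issuer policy, and emitting CAA zone-file lines (RFC 8659) that pin issuance to chosen CAs. The domain names, issuer strings and log entries are constructed sample data.

```python
"""Added example: audit Certificate Transparency style entries against an
issuance policy, and emit the CAA records that express that policy.

Illustrative code only, not Celer's, Coinbase's or GoGetSSL's. Domain names,
issuer strings and log entries are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class CertPolicy:
    monitored_domains: frozenset[str]   # zones we own, e.g. example.com
    allowed_issuers: frozenset[str]     # issuer organisation names we expect
    allow_wildcards: bool = False


@dataclass(frozen=True)
class CtEntry:
    log_index: int
    issuer_org: str
    sans: tuple[str, ...]
    not_before: str


def monitored_zone(name: str, zones: frozenset[str]) -> str | None:
    """Return the monitored zone a SAN falls under, or None.
    A wildcard '*.zone' is treated as covering that zone."""
    bare = name.lower().rstrip(".")
    if bare.startswith("*."):
        bare = bare[2:]
    for zone in zones:
        if bare == zone or bare.endswith("." + zone):
            return zone
    return None


def audit_ct_entries(entries: list[CtEntry], policy: CertPolicy) -> list[dict]:
    """Flag certificates for our zones from an issuer we did not expect, or
    with wildcard names we do not allow."""
    alerts = []
    for entry in entries:
        hits = [n for n in entry.sans if monitored_zone(n, policy.monitored_domains)]
        if not hits:
            continue
        reasons = []
        if entry.issuer_org not in policy.allowed_issuers:
            reasons.append(f"unexpected issuer {entry.issuer_org!r}")
        wildcards = [n for n in hits if n.startswith("*.")]
        if wildcards and not policy.allow_wildcards:
            reasons.append(f"wildcard names {wildcards}")
        if reasons:
            alerts.append({"log_index": entry.log_index, "names": hits,
                           "not_before": entry.not_before, "reasons": reasons})
    return alerts


def caa_zone_lines(zone: str, issuer_domains: list[str], report_mailto: str | None = None) -> list[str]:
    """Zone-file lines restricting issuance to the given CA identifiers (the
    CA-specific 'issue' value) and forbidding wildcard issuance outright."""
    lines = [f'{zone}. IN CAA 0 issue "{d}"' for d in sorted(issuer_domains)]
    lines.append(f'{zone}. IN CAA 0 issuewild ";"')
    if report_mailto:
        lines.append(f'{zone}. IN CAA 0 iodef "mailto:{report_mailto}"')
    return lines


# Constructed sample data standing in for a real CT feed.
POLICY = CertPolicy(frozenset({"example.com"}), frozenset({"Example Corporate CA"}))
SAMPLE_ENTRIES = [
    CtEntry(1, "Example Corporate CA", ("cbridge-prod2.example.com",), "2022-08-01"),
    CtEntry(2, "GoGetSSL", ("cbridge-prod2.example.com",), "2022-08-17"),
    CtEntry(3, "Example Corporate CA", ("*.example.com",), "2022-08-18"),
    CtEntry(4, "GoGetSSL", ("www.unrelated.test",), "2022-08-18"),
]

if __name__ == "__main__":
    for alert in audit_ct_entries(SAMPLE_ENTRIES, POLICY):
        print(alert)
    print("\n".join(caa_zone_lines("example.com", ["ca.example"], "security@example.com")))
```

CAA is evaluated by the CA at issuance time and lives in DNS, so hijacking the IP range of a web server does not by itself defeat it; CT monitoring is the backstop for anything that is issued regardless. The `issue` value is a CA-specific identifier, so `ca.example` above is a placeholder to be replaced with the string your CA publishes.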
Coinbase team members explained:
The phishing contract closely resembles the official Celer Bridge contract by mimicking many of its attributes. For any method not explicitly defined in the phishing contract, it implements a proxy structure that forwards calls to the legitimate Celer Bridge contract. The proxy contract is unique for each chain and is configured at initialization. The following command illustrates the contents of the storage slot responsible for configuring the phishing contract proxy:
The phishing contract steals user funds using two approaches:
- All tokens approved by phishing victims are emptied using a custom method with a 4-byte value 0x9c307de6 ()
- The phishing contract overrides the following methods, designed to immediately steal a victim's tokens:
  - send() – used to steal tokens (e.g. USDC)
  - sendNative() – used to steal native assets (e.g. ETH)
  - addLiquidity() – used to steal tokens (e.g. USDC)
  - addNativeLiquidity() – used to steal native assets (e.g. ETH)
Below is an example of a decoded snippet that redirects assets to the attacker’s wallet: