Amazon DNS re-routed in crypto-cyber-heist

Hackers took command of a server at Equinix in Chicago and re-routed the traffic using a man-in-the-middle attack for nearly two hours

Ramy Caspi

Yesterday it was reported that Amazon's DNS service was hijacked through an audacious BGP seizure of Route 53 IP address space.

The hackers took command of a server at Equinix in Chicago and re-routed traffic through a man-in-the-middle attack for nearly two hours, which allowed them to intercept traffic destined for Amazon Route 53 customers.

So far, the Ethereum wallet developer MyEtherWallet.com, a cryptocurrency website, has confirmed on Tuesday morning that its traffic was intercepted and redirected to a host server in Russia. That meant some people logging in to MyEtherWallet.com were really connecting to a fake website and handing over their details to criminals, who promptly stole the coins of users who were logged in.

The attackers only managed to steal relatively small amounts from MyEtherWallet.com, but the overall total amounts to £20m.

This attack requires access to Border Gateway Protocol (BGP) routers at major ISPs, and a network of computer resources to handle the volume of redirected traffic.

Specifically, the following 1,300-odd AWS-owned IP addresses were hijacked via BGP meddling:

BGP hijack this morning affected Amazon DNS. eNet (AS10297) of Columbus, OH announced the following more-specifics of Amazon routes from 11:05 to 13:03 UTC today: 
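As an added example (not from the article or from any of the parties it names), a small Python check that flags the kind of more-specific announcement described above: a route covering a protected prefix that arrives from an origin AS other than the expected one. The prefixes and AS64500 are placeholders; only AS10297 and the 11:05 UTC timing are taken from the text.

```python
"""Flag BGP announcements that cover a protected prefix from an unexpected origin AS."""
import ipaddress

# Constructed table of prefixes we care about and the origin AS allowed to
# announce each one. The prefixes are RFC 5737 documentation ranges and
# AS64500 is a private-use ASN; neither is Amazon's real data.
EXPECTED_ORIGINS = {
    ipaddress.ip_network("203.0.113.0/24"): {64500},
    ipaddress.ip_network("198.51.100.0/23"): {64500},
}

def classify(prefix: str, origin_asn: int) -> str:
    """Return 'ok', 'origin-hijack', 'more-specific-hijack' or 'unrelated'."""
    net = ipaddress.ip_network(prefix, strict=True)
    for legit, allowed in EXPECTED_ORIGINS.items():
        if net.version != legit.version:
            continue
        if not net.subnet_of(legit):      # equal-to-or-covered-by check
            continue
        if origin_asn in allowed:
            return "ok"
        # A longer prefix wins longest-match routing wherever it is heard,
        # which is how more-specifics pull traffic away from the real origin.
        if net.prefixlen > legit.prefixlen:
            return "more-specific-hijack"
        return "origin-hijack"
    return "unrelated"

def detect_hijacks(updates):
    """updates: iterable of (utc_time, prefix, origin_asn). Returns alerts only."""
    alerts = []
    for when, prefix, origin in updates:
        verdict = classify(prefix, origin)
        if verdict not in ("ok", "unrelated"):
            alerts.append((when, prefix, origin, verdict))
    return alerts

# Constructed update feed shaped like the incident: the legitimate /24 from
# AS64500, then more-specifics from AS10297 at 11:05 UTC, plus an unrelated
# route that must not trigger anything.
SAMPLE_UPDATES = [
    ("11:04", "203.0.113.0/24", 64500),
    ("11:05", "203.0.113.0/25", 10297),
    ("11:05", "203.0.113.128/25", 10297),
    ("11:05", "198.51.100.0/24", 10297),
    ("11:06", "192.0.2.0/24", 64501),
]

if __name__ == "__main__":
    for alert in detect_hijacks(SAMPLE_UPDATES):
        print("ALERT %s %s announced by AS%d: %s" % alert)
```

In practice the expected-origin table would be populated from signed route origin authorizations and the updates taken from a route-collector feed rather than a hand-written list.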

However, the hackers did not hold a valid SSL certificate for the site they were impersonating, so the man-in-the-middle connection produced a browser warning, which ultimately alerted users that something was wrong.

“Users, PLEASE ENSURE there is a green bar SSL certificate that says “MyEtherWallet Inc” before making any transactions. We advise users to run a local (offline) copy of the MEW (MyEtherWallet). We urge users to use hardware wallets to store their cryptocurrencies,” it said in a Reddit statement.

BGP and DNS security weaknesses are well known, and this type of attack is not new; however, this is the largest attack to combine both, and it underscores the fragility of internet security.