Amazon recently lost control of IP addresses it uses to host cloud services and it took more than three hours to regain control, a lapse that allowed hackers to steal $235,000 in cryptocurrency from users of one of the affected customers, an analysis shows.
The hackers seized control of about 256 IP addresses through BGP hijacking, a form of attack that exploits known weaknesses in a core Internet protocol. Short for Border Gateway Protocol, BGP is a technical specification that organizations that route traffic, known as Autonomous System Networks, use to interoperate with other ASNs. Despite its vital function in routing wholesale volumes of data across the globe in real time, BGP still relies heavily on the Internet equivalent of word of mouth for organizations to track which IP addresses rightfully belong to which ASNs.
A case of mistaken identity
Last month, autonomous system 209243, which belongs to UK network operator Quickhost.uk, suddenly began announcing that its infrastructure was the right path for other ASNs to access what is known as a /24 block of IP addresses belonging to AS16509, one of at least three ASNs operated by Amazon. The hijacked block included 22.214.171.124, an IP address that hosts cbridge-prod2.celer.network, a subdomain responsible for serving a critical smart contract user interface for Celer Bridge’s cryptocurrency exchange.
On August 17, the attackers used the hijack to first obtain a TLS certificate for cbridge-prod2.celer.network, when they were able to demonstrate to the certificate authority GoGetSSL in Latvia that they were in control of the subdomain. Possessing the certificate, the hijackers then hosted their own smart contract on the same domain and waited for visits from people trying to access the real Celer Bridge cbridge-prod2.celer.network page.
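The hijack above works because BGP accepts an origin announcement on trust. A route monitor can catch this pattern by comparing every announcement that covers a protected prefix against the expected origin AS. The following is an added example written for this article, not code from Amazon, Celer or Coinbase; the monitored prefix is a constructed TEST-NET stand-in rather than the real Celer Bridge /24, and the neighbour ASNs are reserved documentation values, while AS16509 and AS209243 are the origins named in the text.

```python
"""Flag BGP origin hijacks of a monitored prefix in a feed of route announcements."""
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the hijacked Amazon /24 (TEST-NET-1, not the real prefix).
# AS16509 is the Amazon origin named in the article; AS209243 is the hijacking AS.
EXPECTED_ORIGINS = {"192.0.2.0/24": {16509}}


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: tuple  # as seen by a collector: first hop is the neighbour, last is the origin


def origin_as(ann: Announcement) -> int:
    return ann.as_path[-1]


def find_hijacks(announcements, expected=EXPECTED_ORIGINS):
    """Return (announced prefix, origin AS, monitored prefix, kind) for every announcement
    that originates a monitored prefix, or a more-specific of it, from an unexpected AS."""
    alerts = []
    for ann in announcements:
        net = ipaddress.ip_network(ann.prefix)
        for monitored, origins in expected.items():
            mon = ipaddress.ip_network(monitored)
            if net.version != mon.version or not net.subnet_of(mon):
                continue  # does not cover protected space
            if origin_as(ann) in origins:
                continue  # legitimate origin
            # A more-specific wins longest-prefix match, so it is the more dangerous form.
            kind = "exact-prefix" if net == mon else "more-specific"
            alerts.append((ann.prefix, origin_as(ann), monitored, kind))
    return alerts


# Constructed feed: the legitimate route, two hijack variants, and an unrelated prefix.
SAMPLE_FEED = [
    Announcement("192.0.2.0/24", (64496, 16509)),
    Announcement("192.0.2.0/24", (64497, 209243)),    # same /24, wrong origin
    Announcement("192.0.2.128/25", (64497, 209243)),  # more-specific, wrong origin
    Announcement("198.51.100.0/24", (64499,)),
]

if __name__ == "__main__":
    for alert in find_hijacks(SAMPLE_FEED):
        print("ALERT prefix=%s origin=AS%d monitored=%s kind=%s" % alert)
```

In production the expected-origin table would come from RPKI ROAs or the operator's own IRR records, and the feed from a route collector rather than a hand-built list.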
In total, the malicious contract drained $234,866.65 from 32 accounts, according to this write-up from the Coinbase threat intelligence team.
The Coinbase team members explained:
The phishing contract closely resembles the official Celer Bridge contract by mimicking many of its properties. For any method not explicitly defined in the phishing contract, it implements a proxy structure that forwards calls to the legitimate Celer Bridge contract. The proxy contract is unique to each chain and is configured at initialization. The command below illustrates the contents of the repository responsible for the phishing contract proxy configuration:
The phishing contract steals users’ money using two approaches:
- All tokens accepted by phishing victims are drained using a custom method with a 4-byte value 0x9c307de6()
- The phishing contract overrides the following methods designed to immediately steal a victim’s tokens:
  - send() – used to steal tokens (eg USDC)
  - sendNative() – used to steal native assets (eg ETH)
  - addLiquidity() – used to steal tokens (eg USDC)
  - addNativeLiquidity() – used to steal native assets (eg ETH)
Below is an example of a reverse engineered snippet that redirects assets to the attacker’s wallet: