In 300 Feet, Exit Right Off of Route 53: Attackers Exploit Amazon's DNS Service to Phish Users
I'm hoping that many of my readers use the Waze driving traffic application and read the title of this entry in the Waze voice. For nearly two hours on April 24, 2018, DNS traffic was hijacked by an unknown attacker. DNS is the phone book of internet routing, translating human-readable hostnames such as google.com into machine-readable addresses such as 220.127.116.11. The attackers maliciously used Border Gateway Protocol (BGP), the protocol routers have used since 1994 to exchange routing and reachability information, to trick users into visiting compromised versions of MyEtherWallet, a popular online cryptocurrency website. Malicious BGP advertisements caused unsuspecting users to send their traffic, meant for Amazon's DNS service Route 53, to the attackers instead.
The first step of this attack was to exploit an efficiency mechanism in BGP: traffic is steered toward more specific routes in preference to less specific ones. For example, if a letter is sent to 123 Main Street, a route for the 100-block of Main Street would win over a route for just "Main Street". The attackers poisoned the BGP route tables to send DNS traffic meant for MyEtherWallet to their own DNS server by advertising a more specific route than the one MyEtherWallet used at the time prior to the attack, information that is public and easily accessible. A server hosted in Equinix Chicago was the first to advertise the compromised routes and allowed them to spread quickly. Many providers viewed the new routes as suspicious, since they overlapped with Amazon's popular Route 53 service, and rejected them; other providers that do not practice such good BGP hygiene accepted the compromised routes. It is important to note that Amazon and its Route 53 service were never compromised. The attackers compromised an upstream provider to steer traffic to a malicious copy of MyEtherWallet.
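To make the longest-prefix-match behaviour concrete, the following is an added example (not code from the original post, and not an implementation of any router's actual software). It builds a toy route table, shows that a more specific /24 announced by a different origin AS captures traffic that the legitimate /23 was carrying, and then applies the kind of "does this more specific prefix overlap space we expect from someone else?" check that the cautious providers in the article effectively applied. All prefixes, AS numbers and peer names are constructed placeholders from the documentation ranges, not the real announcements from the incident.

```python
import ipaddress
from dataclasses import dataclass

# Constructed data: 198.51.100.0/23 (TEST-NET-2 space) stands in for a DNS
# provider's address block, and AS64500 / AS64511 are documentation ASNs.
# None of these are the real prefixes or ASNs from the 2018 incident.
KNOWN_ORIGINS = {
    ipaddress.ip_network("198.51.100.0/23"): 64500,  # expected origin AS for this block
}


@dataclass(frozen=True)
class Announcement:
    prefix: ipaddress.IPv4Network
    origin_as: int
    next_hop: str  # which neighbour we would forward to if this route wins


def is_suspicious(ann, known=KNOWN_ORIGINS):
    """True if the announced prefix lies inside a block we expect from a
    different origin AS, i.e. a more specific route for someone else's space.
    A more specific from the *same* AS (ordinary traffic engineering) passes."""
    for known_prefix, expected_as in known.items():
        if ann.prefix.subnet_of(known_prefix) and ann.origin_as != expected_as:
            return True
    return False


def build_table(announcements, filter_hijacks=True):
    """Accept announcements into the route table, optionally dropping the
    suspicious ones the way a provider with good BGP hygiene would."""
    return [a for a in announcements if not (filter_hijacks and is_suspicious(a))]


def lookup(table, address):
    """Longest-prefix match: the most specific covering prefix wins."""
    addr = ipaddress.ip_address(address)
    best = None
    for ann in table:
        if addr in ann.prefix and (best is None or ann.prefix.prefixlen > best.prefix.prefixlen):
            best = ann
    return best


# Constructed announcements: the legitimate /23 and a more specific /24 for
# part of the same space, originated by a different AS via a different peer.
LEGIT = Announcement(ipaddress.ip_network("198.51.100.0/23"), 64500, "peer-a")
MORE_SPECIFIC = Announcement(ipaddress.ip_network("198.51.100.0/24"), 64511, "peer-b")


def route_for(address, filter_hijacks):
    """Return the next hop chosen for `address` with or without the origin check."""
    table = build_table([LEGIT, MORE_SPECIFIC], filter_hijacks)
    best = lookup(table, address)
    return best.next_hop if best else None


if __name__ == "__main__":
    target = "198.51.100.10"
    print("no filtering :", route_for(target, filter_hijacks=False))  # peer-b wins on prefix length
    print("with filtering:", route_for(target, filter_hijacks=True))  # /24 rejected, peer-a keeps it
```

The unfiltered lookup illustrates the article's point: the /24 wins purely because it is longer, regardless of who announced it. The filtered lookup shows why the origin check matters: an address outside the /24 (say 198.51.101.10) is unaffected either way, but everything inside the more specific block changes next hop unless the overlap with a known block from a different origin is treated as a reason to reject.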
In a rare move, the attackers then directed the hijacked DNS traffic to malicious DNS servers, which answered with the address of a fake version of MyEtherWallet hosted in Russia, effectively exploiting the lack of integrity checks in BGP route advertising and the lack of integrity checks in DNS responses. Rather than acting as a Man-in-the-Middle to capture session traffic, the attackers in this instance used the opportunity to phish users of MyEtherWallet. This attack pattern is unusual because it requires users to willfully provide information to the attackers and bypass several warnings, rather than passively capturing information to be decrypted offline at a later time.
Lastly, the attackers exploited what is widely viewed as the weakest link in information security: the user. After the user was sent to the malicious DNS server and on to a malicious copy of MyEtherWallet, the user would have had to click through several warnings that the certificate authority signing the SSL certificate was untrusted. Despite the best efforts of every major browser vendor to warn users not to continue to websites with untrusted SSL certificates, many users still ignored these warnings and entered their MyEtherWallet credentials, which were then sent to the attackers. There are clearly documented cases of two-factor authentication being compromised when an attacker owns the browser session, so even the strongest time-based One-Time Password as a second factor would not have been effective in stopping this attack. The attacker monitors, or uses bots to monitor, when a victim enters their credentials and one-time password (OTP) into the compromised site. The credentials and OTP are entered into the legitimate version of MyEtherWallet before the OTP expires, and the victim is presented with a screen noting that the site is under maintenance and to come back later.
The attackers managed to steal around $150,000 US dollars' worth of Ethereum (Ether), but a look into the wallets where the stolen Ether was sent shows that the attackers have amassed over $30 million US dollars in that wallet, presumably through illegal means.
While many seasoned information security professionals should know not to enter any sensitive information on a website presenting an invalid SSL certificate, this attack underscores weaknesses in every step of an internet transaction. From BGP routes, to DNS, to malicious copies of websites, the open internet from a security perspective is broken today. Updates to antiquated systems, such as DNS Security Extensions (DNSSEC) for DNS, would provide additional controls to prevent these types of attacks, but would require browser developers, DNS server operators, internet providers, and website developers to all work together and update their systems. User awareness training is the obvious low-hanging fruit, but also the most difficult to propagate. Using a Cloud Firewall product with Destination NAT (DNAT) can overwrite malicious DNS servers with known-good servers and protect users from DNS poisoning attacks. The rising value of cryptocurrency, combined with the ability to transfer it without a middleman or any reversal capability, makes phishing attacks against cryptocurrency exchanges extremely lucrative.