How 3 hours of inaction from Amazon cost cryptocurrency holders $235,000

Amazon recently lost control of IP addresses it uses to host cloud services and took more than three hours to regain control, a lapse that allowed hackers to steal $235,000 in cryptocurrency from users of one of the affected customers, an analysis shows.

The hackers seized control of roughly 212 IP addresses through BGP hijacking, a form of attack that exploits known weaknesses in a core Internet protocol. Short for border gateway protocol, BGP is a technical specification that large network operators, known as autonomous system networks, use to interoperate with other ASNs. Despite its crucial function in routing wholesale amounts of data across the globe in real time, BGP still largely relies on the Internet equivalent of word of mouth for organizations to track which IP addresses rightfully belong to which ASNs.

A case of mistaken identity

Last month, autonomous system 209243, which belongs to UK-based network operator Quickhost.uk, suddenly began announcing its infrastructure was the proper path for other ASNs to access what’s known as a /24 block of IP addresses belonging to AS-16509, one of at least three ASNs operated by Amazon. The hijacked block included 44.235.216.69, an IP address hosting cbridge-prod2.celer.network, a subdomain responsible for serving a critical smart contract user interface for the Celer Bridge cryptocurrency exchange.
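A route monitor watching the affected address could have flagged this kind of announcement. The sketch below is an added example, not code from the article or from Coinbase: the monitored IP and the AS numbers 16509 and 209243 come from the text, while the baseline prefix length, the known upstream set, the documentation ASNs (64500, 64510, 64511) and every sample announcement are constructed assumptions.

```python
import ipaddress

# From the article: the address that hosted cbridge-prod2.celer.network and
# the AS that legitimately originates it.
MONITORED_IP = ipaddress.ip_address("44.235.216.69")
EXPECTED_ORIGIN = 16509
# Assumptions (constructed): longest covering prefix normally seen, usual upstreams.
BASELINE_PREFIXLEN = 16
KNOWN_UPSTREAMS = {64500}  # RFC 5398 documentation ASN


def check_update(prefix, as_path):
    """Return a list of alert reasons for one BGP announcement ([] = clean)."""
    net = ipaddress.ip_network(prefix)
    if not as_path or net.version != 4 or MONITORED_IP not in net:
        return []  # does not affect the monitored address
    # Collapse AS-path prepending so adjacency checks see distinct hops.
    hops = [asn for i, asn in enumerate(as_path) if i == 0 or asn != as_path[i - 1]]
    reasons = []
    if hops[-1] != EXPECTED_ORIGIN:
        reasons.append("origin_mismatch")
    elif len(hops) > 1 and hops[-2] not in KNOWN_UPSTREAMS:
        reasons.append("unknown_upstream")  # right origin, unfamiliar neighbour
    if net.prefixlen > BASELINE_PREFIXLEN:
        # A more-specific route wins longest-prefix match over the baseline.
        reasons.append("more_specific")
    return reasons


# Constructed sample announcements: (prefix, AS path as seen by a collector).
SAMPLE_UPDATES = [
    ("44.235.0.0/16", [64510, 64500, 16509]),
    ("44.235.216.0/24", [64511, 209243]),
    ("44.235.216.0/24", [64511, 209243, 16509, 16509]),
    ("198.51.100.0/24", [64511, 209243]),
]


def scan(updates):
    alerts = {}
    for prefix, path in updates:
        reasons = check_update(prefix, path)
        if reasons:
            alerts[(prefix, tuple(path))] = reasons
    return alerts


if __name__ == "__main__":
    for (prefix, path), reasons in scan(SAMPLE_UPDATES).items():
        print(prefix, path, reasons)
```

The third sample shows why an origin check alone is not enough: the path still ends in the expected origin, so only the unfamiliar neighbour and the new more-specific prefix raise an alert.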

On August 17, the attackers used the hijacking to first obtain a TLS certificate for cbridge-prod2.celer.network, since they were able to demonstrate to certificate authority GoGetSSL in Latvia that they had control over the subdomain. With possession of the certificate, the hijackers then hosted their own smart contract on the same domain and waited for visits from people trying to access the real Celer Bridge cbridge-prod2.celer.network page.

In all, the malicious contract drained a total of $234,866.65 from 32 accounts, according to this writeup from the threat intelligence team from Coinbase.

The Coinbase team members explained:

The phishing contract closely resembles the official Celer Bridge contract by mimicking many of its attributes. For any method not explicitly defined in the phishing contract, it implements a proxy structure which forwards calls to the legitimate Celer Bridge contract. The proxied contract is unique to each chain and is configured on initialization. The command below illustrates the contents of the storage slot responsible for the phishing contract’s proxy configuration:

[Figure: Phishing smart contract proxy storage. Credit: Coinbase TI analysis]

The phishing contract steals users’ funds using two approaches:

  • Any tokens approved by phishing victims are drained using a custom method with a 4byte value 0x9c307de6()
  • The phishing contract overrides the following methods designed to immediately steal a victim’s tokens:
      - send() - used to steal tokens (e.g. USDC)
      - sendNative() - used to steal native assets (e.g. ETH)
      - addLiquidity() - used to steal tokens (e.g. USDC)
      - addNativeLiquidity() - used to steal native assets (e.g. ETH)

Below is a sample reverse engineered snippet which redirects assets to the attacker wallet:

[Figure: Phishing smart contract snippet. Credit: Coinbase TI analysis]
