How 3 Hours of Amazon Inaction Cost Cryptocurrency Holders $235,000
How 3 Hours of Amazon Inaction Cost Cryptocurrency Holders $235,000
Expand
Amazon recently lost control of the IP addresses it uses to host cloud services and took more than three hours to regain control, a period of time that allowed hackers to steal 235,000 $ in cryptocurrency to users of one of the affected clients, an analysis shows.
Hackers have gained control of approximately 256 IP addresses through BGP hijacking, a form of attack that exploits known weaknesses in a core Internet protocol. Short for Border Gateway Protocol, BGP is a technical specification that organizations that route traffic, known as Autonomous System Networks, use to interact with other ASNs. Despite its crucial function of routing large amounts of data around the world in real time, BGP still relies heavily on the Internet equivalent of word of mouth for organizations to know which IP addresses rightfully belong to which ASNs.
A case of mistaken identity
Last month, Autonomous System 209243, which is owned by UK-based network operator Quickhost.uk, suddenly began advertising its infrastructure as the proper path for other ASNs to access this called a /24 block of IP addresses belonging to AS16509, one of at least three ASNs operated by Amazon. The hacked block included 44.235.216.69, an IP address hosting cbridge-prod2.celer.network, a subdomain responsible for serving a critical smart contract user interface for the Celer Bridge cryptocurrency exchange.
On August 17, the attackers used the hack to first obtain a TLS certificate for cbridge-prod2.celer.network, as they were able to demonstrate to the GoGetSSL certificate authority in Latvia that they controlled the sub -domain. In possession of the certificate, the hijackers then hosted their own smart contract on the same domain and waited for people trying to access the real Celer Bridge page cbridge-prod2.celer.network.
In total, the malicious contract drained a total of $234,866.65 from 32 accounts, according to this post from Coinbase's Threat Intelligence team.
Ti Coinbase Analysis
Coinbase team members explained:
The phishing contract closely resembles the official Celer Bridge contract by mimicking many of its attributes. For any method not explicitly defined in the phishing contract, it implements a proxy structure that forwards calls to the legitimate Celer Bridge contract. The proxy contract is unique to each chain and is configured at initialization. The command below illustrates the contents of the storage location responsible for configuring the phishing contract proxy:
Enlarge / Phishing smart contract proxy storage
Coinbase IT Analysis
The phishing contract steals user funds using two approaches:
All tokens trusted by phishing victims are drained using a custom method with a 4-byte value 0x9c307de6()
The phishing contract overrides the following methods designed to immediately steal a victim's tokens:
send() - used to steal tokens (e.g. USDC)
sendNative() - used to steal native assets (e.g. ETH)
addLiquidity() - used to steal tokens (e.g. USDC)
addNativeLiquidity() - used to steal native assets (e.g. ETH)
Below is an example of a reverse-engineered snippet that redirects resources to the attacker's wallet:
Amazon recently lost control of the IP addresses it uses to host cloud services and took more than three hours to regain control, a period of time that allowed hackers to steal 235,000 $ in cryptocurrency to users of one of the affected clients, an analysis shows.
Hackers have gained control of approximately 256 IP addresses through BGP hijacking, a form of attack that exploits known weaknesses in a core Internet protocol. Short for Border Gateway Protocol, BGP is a technical specification that organizations that route traffic, known as Autonomous System Networks, use to interact with other ASNs. Despite its crucial function of routing large amounts of data around the world in real time, BGP still relies heavily on the Internet equivalent of word of mouth for organizations to know which IP addresses rightfully belong to which ASNs.
A case of mistaken identity
Last month, Autonomous System 209243, which is owned by UK-based network operator Quickhost.uk, suddenly began advertising its infrastructure as the proper path for other ASNs to access this called a /24 block of IP addresses belonging to AS16509, one of at least three ASNs operated by Amazon. The hacked block included 44.235.216.69, an IP address hosting cbridge-prod2.celer.network, a subdomain responsible for serving a critical smart contract user interface for the Celer Bridge cryptocurrency exchange.
On August 17, the attackers used the hack to first obtain a TLS certificate for cbridge-prod2.celer.network, as they were able to demonstrate to the GoGetSSL certificate authority in Latvia that they controlled the sub -domain. In possession of the certificate, the hijackers then hosted their own smart contract on the same domain and waited for people trying to access the real Celer Bridge page cbridge-prod2.celer.network.
In total, the malicious contract drained a total of $234,866.65 from 32 accounts, according to this post from Coinbase's Threat Intelligence team.
Ti Coinbase Analysis
Coinbase team members explained:
The phishing contract closely resembles the official Celer Bridge contract by mimicking many of its attributes. For any method not explicitly defined in the phishing contract, it implements a proxy structure that forwards calls to the legitimate Celer Bridge contract. The proxy contract is unique to each chain and is configured at initialization. The command below illustrates the contents of the storage location responsible for configuring the phishing contract proxy:
Enlarge / Phishing smart contract proxy storage
Coinbase IT Analysis
The phishing contract steals user funds using two approaches:
All tokens trusted by phishing victims are drained using a custom method with a 4-byte value 0x9c307de6()
The phishing contract overrides the following methods designed to immediately steal a victim's tokens:
send() - used to steal tokens (e.g. USDC)
sendNative() - used to steal native assets (e.g. ETH)
addLiquidity() - used to steal tokens (e.g. USDC)
addNativeLiquidity() - used to steal native assets (e.g. ETH)
Below is an example of a reverse-engineered snippet that redirects resources to the attacker's wallet:
Expand
Ti Coinbase Analysis
Enlarge / Phishing smart contract proxy storage
Coinbase IT Analysis
