Amazon recently lost control of IP addresses it uses to host cloud services and took more than three hours to regain control, a lapse that allowed hackers to steal $235,000 worth of cryptocurrency from users of one of the affected customers, an analysis shows.
The hackers took control of approximately 256 IP addresses through BGP hijacking, a form of attack that exploits known weaknesses in a core Internet protocol. BGP, short for Border Gateway Protocol, is the technical specification that organizations that forward traffic, known as Autonomous Systems Networks, use to interoperate with other ASNs. Despite its critical role in routing large amounts of data across the globe in real time, BGP still largely relies on the Internet's equivalent of word of mouth to let organizations track which IP addresses legitimately belong to which ASNs.
A case of mistaken identity
Last month, autonomous system 209243, owned by the UK-based carrier Quickhost.uk, suddenly began announcing that its infrastructure was the correct path for other ASNs to reach a so-called /24 block of IP addresses belonging to AS16509, one of at least three ASNs operated by Amazon. The hijacked block contained 18.104.22.168, an IP address hosting cbridge-prod2.celer.network, a subdomain responsible for serving a critical smart contract user interface for the cryptocurrency exchange Celer Bridge.
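The hijack described above succeeds because nothing in plain BGP ties a prefix to the ASN that is allowed to originate it. The check that closes that gap is Route Origin Validation against RPKI Route Origin Authorizations (ROAs): a router, or a monitoring script watching route collectors, compares each announcement's origin ASN against the ROA covering the prefix. The following Python is an added example written for this article, not code from Amazon, Quickhost.uk or Celer; the ROA set (covering prefix, maxLength) is constructed for illustration and is not Amazon's real RPKI data. The announced /24 is derived from the IP address quoted above.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: origin_asn may originate any prefix
    covered by `prefix` whose length does not exceed `max_length`."""
    prefix: str
    max_length: int
    origin_asn: int


# Constructed sample ROAs (assumption: Amazon's AS16509 holds a ROA covering
# the hijacked block with maxLength 24; the second entry is an unrelated ASN).
SAMPLE_ROAS = (
    ROA("18.104.0.0/15", 24, 16509),
    ROA("198.51.100.0/24", 24, 64496),
)

# Constructed BGP updates as (announced prefix, origin ASN): the legitimate
# Amazon origin, the Quickhost.uk origin from the article, and an
# unregistered prefix with no ROA at all.
SAMPLE_UPDATES = [
    ("18.104.22.0/24", 16509),
    ("18.104.22.0/24", 209243),
    ("203.0.113.0/24", 209243),
]


def rov_state(announced_prefix, origin_asn, roas=SAMPLE_ROAS):
    """Classify an announcement as 'valid', 'invalid' or 'unknown' (RFC 6811 logic).

    unknown: no ROA covers the prefix, so RPKI says nothing about it.
    valid:   some covering ROA names this origin and permits this prefix length.
    invalid: ROAs cover the prefix but none matches origin and length.
    """
    net = ipaddress.ip_network(announced_prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "unknown"
    for roa in covering:
        if roa.origin_asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def flag_hijacks(updates, roas=SAMPLE_ROAS):
    """Return (prefix, origin_asn, state) for every RPKI-invalid announcement."""
    flagged = []
    for prefix, origin_asn in updates:
        state = rov_state(prefix, origin_asn, roas)
        if state == "invalid":
            flagged.append((prefix, origin_asn, state))
    return flagged


if __name__ == "__main__":
    for prefix, asn in SAMPLE_UPDATES:
        print(f"{prefix} from AS{asn}: {rov_state(prefix, asn)}")
    print("flagged:", flag_hijacks(SAMPLE_UPDATES))
```

With these ROAs the Quickhost.uk announcement of the Amazon /24 comes back "invalid", which is the signal a router doing ROV would use to drop the route and a monitoring job would use to page the prefix owner. The "unknown" result for a prefix with no ROA is the important caveat: RPKI only protects space whose owner has published a ROA, and an announcement that is merely unknown is accepted by default.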
On August 17, the attackers used the hijack to first obtain a TLS certificate for cbridge-prod2.celer.network, since they could prove to the GoGetSSL certificate authority in Latvia that they controlled the subdomain. With the certificate in hand, the hijackers then hosted their own smart contract on the same domain and waited for visitors trying to reach Celer Bridge's genuine cbridge-prod2.celer.network page.
In all, $234,866.65 was drained from 32 accounts by the malicious contract, according to an analysis by Coinbase's Threat Intelligence Team.
Coinbase team members explained:
The phishing contract closely resembles the official Celer Bridge contract, mimicking many of its characteristics. For all methods not explicitly defined in the phishing contract, it implements a proxy structure that forwards calls to the legitimate Celer Bridge contract. The proxy contract is unique for each chain and is configured at initialization. The following command illustrates the contents of the memory slot responsible for the phishing contract proxy configuration:
The phishing contract steals users’ funds using two approaches:
- All tokens approved by phishing victims are flushed using a custom method with a 4-byte value 0x9c307de6().
- The phishing contract overrides the following methods designed to instantly steal a victim's tokens:
  - send() – used to steal tokens (e.g. USDC)
  - sendNative() – used to steal native assets (e.g. ETH)
  - addLiquidity() – used to steal tokens (e.g. USDC)
  - addNativeLiquidity() – used to steal native assets (e.g. ETH)
Below is an example of a reverse engineered snippet that redirects assets to the attacker’s wallet:
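The first theft path Coinbase describes, flushing every token a victim had approved for the look-alike contract, works only as long as those ERC-20 allowances remain outstanding. The defender-side counterpart is an allowance audit: replay Approval events, keep the latest allowance per (owner, token, spender), and flag any non-zero allowance granted to a spender outside the allowlist of known bridge contracts, with unlimited approvals ranked highest. The Python below is an added example written for this article; it is not the reverse-engineered snippet Coinbase refers to (which is not reproduced on this page) and not Celer's code. All addresses and events are constructed, and the allowlisted bridge address is an assumption.

```python
UINT256_MAX = 2**256 - 1

# Constructed placeholder addresses (not real contracts).
BRIDGE_CONTRACT = "0x" + "b" * 40     # assumed legitimate bridge, on the allowlist
PHISHING_CONTRACT = "0x" + "a" * 40   # the look-alike contract users were tricked into approving
TRUSTED_SPENDERS = {BRIDGE_CONTRACT}


def _wallet(n):
    """Constructed wallet address for sample data."""
    return "0x" + str(n) * 40


# Constructed ERC-20 Approval events in chain order: token, owner, spender,
# and the approved amount as it would appear in the log data (hex).
SAMPLE_APPROVALS = [
    {"token": "USDC", "owner": _wallet(1), "spender": BRIDGE_CONTRACT,   "value": hex(5_000 * 10**6)},
    {"token": "USDC", "owner": _wallet(2), "spender": PHISHING_CONTRACT, "value": hex(UINT256_MAX)},
    {"token": "USDC", "owner": _wallet(3), "spender": PHISHING_CONTRACT, "value": hex(250 * 10**6)},
    {"token": "USDC", "owner": _wallet(2), "spender": PHISHING_CONTRACT, "value": "0x0"},  # user revoked
    {"token": "USDC", "owner": _wallet(4), "spender": PHISHING_CONTRACT, "value": hex(UINT256_MAX)},
]


def latest_allowances(events):
    """Replay Approval events; the most recent approval per (owner, token, spender) wins,
    so a later approve(spender, 0) correctly clears an earlier unlimited approval."""
    current = {}
    for ev in events:
        key = (ev["owner"].lower(), ev["token"], ev["spender"].lower())
        current[key] = int(ev["value"], 16)
    return current


def audit_approvals(events, trusted=TRUSTED_SPENDERS):
    """Return findings for every outstanding allowance granted to an untrusted spender."""
    trusted = {addr.lower() for addr in trusted}
    findings = []
    for (owner, token, spender), amount in latest_allowances(events).items():
        if amount == 0 or spender in trusted:
            continue
        severity = "critical" if amount == UINT256_MAX else "high"
        findings.append({
            "owner": owner,
            "token": token,
            "spender": spender,
            "allowance": amount,
            "severity": severity,
            # The remediation is the same in every case: set the allowance to zero.
            "action": "revoke with approve(spender, 0)",
        })
    return findings


if __name__ == "__main__":
    for f in audit_approvals(SAMPLE_APPROVALS):
        print(f"[{f['severity']}] {f['owner']} -> {f['spender']} {f['token']} "
              f"allowance={f['allowance']}: {f['action']}")
```

Replaying events rather than reading the first approval matters: the wallet that revoked its unlimited approval drops out of the findings, while the remaining two are reported, the unlimited one as critical. In practice the allowlist would be the bridge's published contract addresses and the events would come from an archive node or indexer, but the ranking logic is the same.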