Thursday, 24 September 2020

Hackers hijacked traffic through Amazon servers for two hours, undetected

The event, which only lasted about two hours on Tuesday, April 24, saw traffic to Amazon’s cloud web hosting servers redirected to malicious websites.
Not all of the traffic, just a small slice of it, about 1,300 IP addresses, according to Oracle. The attack saw traffic to MyEtherWallet redirected a malicious version of itself, where the attackers could siphon cryptocurrency off of users who thought they were logging into their cryptocurrency wallets.

One such site, MyEtherWallet, was cloned by attackers but likely didn’t result in the kind of massive theft we’re used to seeing when cryptocurrency wallets or exchanges are attacked. According to Ars Technica, the cryptocurrency wallet into which the fake MyEtherWallet site was dumping its cryptocurrency already had about $27 million worth of cryptocurrency in it.

Details like this have led some to believe the attack could have been state-sponsored, potentially with ties to Russia.

“So far the only known website to have traffic redirected was to, a cryptocurrency website. This traffic was redirected to a server hosted in Russia, which served the website using a fake certificate — they also stole the cryptocoins of customers,” wrote security researcher Kevin Beaumont. “The attacks only gained a relatively small amount of currency from — however their wallets in total already contained over [20 million pounds] of currency. Whoever the attackers were are not poor.”

It may not have been the first time these hackers have staged such an attack either, according to Ars. There were a couple suspiciously similar attacks in 2013 when hackers hijacked internet traffic to a number of U.S. companies, routing the traffic through Russian ISPs. Affected companies included Visa, MasterCard, Apple, and Symantec. Eight months later, another set of U.S. companies saw their traffic hijacked with the same kind of exploit.

These 2013 attacks used the same “border gateway protocol” exploit as today’s attack. Beaumont elaborated that today’s attack requires access to sophisticated equipment, which leads him to believe MyEtherWallet was not likely the only target — just the one we happened to notice.

“Mounting an attack of this scale requires access to BGP routers are major ISPs and real computing resource to deal with so much DNS traffic. It seems unlikely was the only target, when they had such levels of access,” Beaumont wrote. “Additionally, the attackers failed to obtain an SSL certificate while man-in-the-middle attacking the traffic — a very easy process — which alerted people to the issue at scale.”

Legal disclaimer: The insight, recommendations and analysis presented here are based on corporate filings, current events, interviews, corporate press releases, and what we've learned as financial journalists. They are presented for the purposes of general information only, and all the information belongs to the original publishers. These may contain errors and we make no promises as to the accuracy or usefulness of the information we present. You should not make any investment decision based solely on what you read here.

Creamcoin Marketcap