Tuesday, October 4, 2022

How 3 Hours of Amazon Inaction Cost Crypto Holders $235,000

Amazon recently lost control of the IP addresses it uses to host cloud services and took more than three hours to regain control, a window that allowed hackers to steal $235,000 in cryptocurrency from the users of one of the affected customers, an analysis shows.

Hackers took control of approximately 256 IP addresses using BGP hijacking, a form of attack that exploits known weaknesses in a core Internet protocol. Short for border gateway protocol, BGP is a technical specification that organizations that route traffic, known as autonomous system networks, use to interoperate with other ASNs. Despite its crucial role in routing vast amounts of data around the world in real time, BGP still relies heavily on the Internet equivalent of word of mouth for organizations to track which IP addresses legitimately belong to which ASNs.

A case of mistaken identity

Last month, autonomous system 209243, which belongs to UK-based network operator Quickhost.es, suddenly began advertising that its infrastructure was the proper route for other ASNs to access what is known as the /24 block of IP addresses belonging to AS16509, one of at least three ASNs operated by Amazon. The hijacked block included 44.235.216.69, an IP address hosting cbridge-prod2.celer.network, a subdomain responsible for serving a critical smart contract user interface for the Celer Bridge cryptocurrency exchange.
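The hijack described above worked because nothing in plain BGP checks whether AS209243 is entitled to originate Amazon's /24. As an added illustration that is not part of this article or of Coinbase's analysis, the Python below implements RFC 6811 route origin validation (the RPKI check that flags exactly this kind of announcement) against a constructed ROA table; the covering /16, its maxLength and the sample feed are assumed for illustration and are not Amazon's real RPKI data.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """Route Origin Authorization: origin_asn may announce any subnet of
    prefix whose length does not exceed max_length (RFC 6482)."""
    prefix: ipaddress.IPv4Network
    max_length: int
    origin_asn: int


# Constructed ROA table (assumed values, not Amazon's published RPKI data):
# AS16509 is authorised for the covering /16 and any /24 within it.
ROAS = [Roa(ipaddress.ip_network("44.235.0.0/16"), 24, 16509)]


def validate(prefix: str, origin_asn: int, roas=ROAS) -> str:
    """RFC 6811 origin validation of one announcement.
    valid     : a covering ROA authorises this origin at this length
    invalid   : covering ROAs exist but none authorise it (hijack signal)
    not-found : no ROA covers the prefix, so RPKI says nothing"""
    net = ipaddress.ip_network(prefix, strict=True)
    covering = [r for r in roas
                if net.version == r.prefix.version and net.subnet_of(r.prefix)]
    if not covering:
        return "not-found"
    for r in covering:
        if net.prefixlen <= r.max_length and r.origin_asn == origin_asn:
            return "valid"
    return "invalid"


def flag_announcements(feed: str, roas=ROAS):
    """Parse '<prefix> AS<n>' lines from a route-collector feed and return
    (prefix, origin, state) for everything a defender should alert on."""
    alerts = []
    for line in feed.strip().splitlines():
        prefix, asn = line.split()
        origin = int(asn.upper().lstrip("AS"))  # 'AS209243' -> 209243
        state = validate(prefix, origin, roas)
        if state != "valid":
            alerts.append((prefix, origin, state))
    return alerts


# Constructed feed: Amazon's legitimate origin, the competing announcement
# of the same /24 by AS209243 as in the article, and an unrelated prefix.
SAMPLE_FEED = """
44.235.216.0/24 AS16509
44.235.216.0/24 AS209243
203.0.113.0/24 AS209243
"""

if __name__ == "__main__":
    for prefix, origin, state in flag_announcements(SAMPLE_FEED):
        print(f"{state.upper():9} {prefix} origin AS{origin}")
```

In production the ROA table would come from an RPKI validator cache rather than a hard-coded list, and "invalid" for a prefix you own is the alert that the article's three-hour window needed.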

On August 17, the attackers used hijacking to first obtain a TLS certificate for cbridge-prod2.celer.network, as they were able to prove to the GoGetSSL certificate authority in Latvia that they had control over the subdomain. Possessing the certificate, the hijackers hosted their own smart contract on the same domain and waited for visits from people trying to access the real Celer Bridge page cbridge-prod2.celer.network.

In all, the malicious contract drained a total of $234,866.65 from 32 accounts, according to a writeup from the Coinbase threat intelligence team.

Coinbase IT Analysis

Coinbase team members explained:

The phishing contract closely resembles the official Celer Bridge contract by mimicking many of its attributes. For any method not explicitly defined in the phishing contract, it implements a proxy structure that forwards calls to the legitimate Celer Bridge contract. The proxy contract is unique for each chain and is configured at initialization. The following command illustrates the content of the storage slot responsible for the phishing contract proxy configuration:

[Image: Phishing Smart Contract Proxy Storage. Credit: Coinbase IT Analysis]

The phishing contract steals user funds using two approaches:

  • All tokens passed by phishing victims are drained using a custom method with a 4-byte value 0x9c307de6()
  • The phishing contract overrides the following methods designed to immediately steal a victim’s tokens:
      • send() – used to steal tokens (e.g. USDC)
      • sendNative() – used to steal native assets (e.g. ETH)
      • addLiquidity() – used to steal tokens (e.g. USDC)
      • addNativeLiquidity() – used to steal native assets (e.g. ETH)

Below is a sample reverse engineered snippet that redirects assets to the attacker’s wallet:

[Image: Phishing smart contract snippet. Credit: Coinbase IT Analysis]
