Analysis shows that Amazon recently lost control of the IP addresses it uses to host cloud services and took more than three hours to regain control, a mistake that allowed hackers to steal $235,000 in cryptocurrency from users of an affected customer.
Hackers have seized approximately 256 IP addresses through BGP hijacking, a form of attack that exploits known vulnerabilities in the underlying Internet protocol. Short for Border Gateway Protocol, BGP is a technical specification used by organizations that route traffic, known as Autonomous System Networks, to interact with other ASNs. Despite its critical function of routing bulk amounts of data around the world in real time, BGP still relies largely on the Internet’s equivalent of word of mouth for enterprises to keep track of which IP addresses correctly belong to ASNs.
Identity error case
Last month, Independent System 209243, which belongs to UK network operator Quickhost.uk, suddenly began declaring that its infrastructure is the right path for other ASNs to access what is known as a block/24 of IP addresses belonging to AS16509, One of them is in at least three ASNs operated by Amazon. The hijacked block contained 188.8.131.52, an IP address hosting cbridge-prod2.celer.network, a subdomain responsible for an important smart contract user interface service for the Celer Bridge cryptocurrency exchange.
On August 17, the attackers used the hijacking to first obtain a TLS certificate for cbridge-prod2.celer.network, since they were able to prove to Latvia’s GoGetSSL certificate authority that they had control over the subdomain. With the certificate in possession, the hijackers hosted their smart contract on the same domain and waited for visits from people trying to access the real Celer Bridge cbridge-prod2.celer.network page.
In all, the malicious contract drained a total of $234,866.65 from 32 accounts, according to this writing from Coinbase’s threat intelligence team.
Coinbase team members explained:
The phishing contract is very similar to the official Celer Bridge contract by emulating many of its features. For any method not explicitly specified in the phishing contract, it implements a proxy structure that forwards calls to the legitimate Celer Bridge contract. Proxy nodes are unique for each chain and are configured upon initialization. The command below shows the contents of the storage slot responsible for configuring the phishing contract agent:
The phishing contract steals users’ money using two methods:
- Any approved tokens are drained from phishing victims using a custom 4-byte method 0x9c307de6()
- The phishing contract eliminates the following methods designed to instantly steal the victim’s tokens:
- send() – used to steal tokens (eg USDC)
- sendNative() – used to steal original assets (eg ETH)
- addL Liquidity() – used to steal tokens (eg USDC)
- addNativeL Liquidity() – used to steal local assets (eg ETH)
Below is a sample snippet designed in reverse that redirects assets to the attacker’s wallet: