Amazon’s Inactivity Cost Crypto Investors $235,000
According to an investigation, Amazon lost control of IP addresses it uses to host cloud services and took more than three hours to regain them, a lapse that let hackers dupe users of one of the affected customers out of $235,000 in cryptocurrency. The hackers gained control of approximately 256 IP addresses through BGP hijacking, an attack that takes advantage of known flaws in a fundamental Internet protocol. BGP, which stands for Border Gateway Protocol, is the technical standard that the companies routing Internet traffic, known as autonomous system networks (ASNs), use to communicate with one another.
What Technique Did the Hackers Employ?
The attackers took control of approximately 256 IP addresses by using a technique known as BGP hijacking, which exploits well-known flaws in a core Internet protocol. BGP, or Border Gateway Protocol, is the standard specification that autonomous system networks (ASNs) use to communicate with one another. Despite its critical role in routing data around the globe in real time, BGP still relies on the Internet equivalent of word of mouth to track which IP addresses belong to which ASNs.
In August, a /24 block of IP addresses belonging to AS16509, one of at least three Amazon ASNs, was found to be reachable via autonomous system 209243, owned by UK-based network operator Quickhost. The compromised block at 126.96.36.199 included the IP address hosting cbridge-prod2.celer.network, a subdomain that served a critical smart-contract user interface for the Celer Bridge crypto exchange.
On August 17, the hackers used the hijack to obtain a TLS certificate for cbridge-prod2.celer.network, because they could demonstrate to the Latvian certificate authority GoGetSSL that they controlled the subdomain. With the certificate in hand, the attackers deployed their own smart contract on the same domain and waited for users who were trying to reach the legitimate Celer Bridge website. The fraudulent contract stole $234,866.65 from 32 accounts, according to Coinbase’s threat intelligence team.
Amazon Bitten Twice
A BGP attack on an Amazon IP address resulting in significant bitcoin losses is not new. A similar incident occurred in 2018, when Amazon’s Route 53 domain-name service was targeted and approximately $150,000 in cryptocurrency was stolen from MyEtherWallet user accounts.
The amount stolen could have been higher if the hackers had used a browser-trusted TLS certificate rather than a self-signed one that required clients to click on a link.
Accordingly, immediately after the 2018 attack, Amazon (NASDAQ: AMZN) added more than 5,000 IP prefixes to Route Origin Authorizations (ROAs), publicly accessible records that identify which ASNs are authorized to announce which IP address prefixes.
The change added some security by using RPKI (Resource Public Key Infrastructure), which uses digital certificates to bind ASNs to the IP addresses they are entitled to announce. To circumvent these protections, the hackers last month added AS16509 and the more specific /24 route to an AS-SET registered in ALTDB, a free registry in which autonomous systems publish their BGP routing policies.
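The ROA and RPKI protection described above, as an added example that is not code from the article, Amazon or Coinbase: a minimal route origin validation (ROV) check run over constructed ROAs. It uses the ASNs the article names (AS16509 and AS209243) but a private /11 and a /24 inside it as stand-ins, since the article does not give the real prefix. The point a defender should take away is that ROV compares only the origin ASN and prefix length against the ROA and never looks at the path the route arrived through, so a more-specific /24 that still names AS16509 as origin passes unless the ROA's maxLength is kept tight.

```python
"""Minimal RPKI route origin validation (ROV), in the spirit of RFC 6811.
Added example, not the article's or Amazon's code: ROV compares an
announcement's (prefix, origin ASN) against Route Origin Authorizations.
"""
import ipaddress
from typing import Dict, List, NamedTuple


class ROA(NamedTuple):
    prefix: str       # prefix the ROA covers
    max_length: int   # longest prefix length the origin may announce
    asn: int          # authorized origin ASN


def validate(announced_prefix: str, origin_asn: int, roas: List[ROA]) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one BGP announcement."""
    announced = ipaddress.ip_network(announced_prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first
        if announced.version != roa_net.version or not announced.subnet_of(roa_net):
            continue
        covered = True  # at least one ROA covers this prefix
        if roa.asn == origin_asn and announced.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


# Constructed stand-ins: the article does not give Amazon's real prefix, so a
# private /11 plays the aggregate and a /24 inside it plays the hijacked block.
AGGREGATE = "10.64.0.0/11"
HIJACKED = "10.75.216.0/24"
AMAZON_AS, QUICKHOST_AS = 16509, 209243   # ASNs named in the article

LOOSE_ROAS = [ROA(AGGREGATE, max_length=24, asn=AMAZON_AS)]  # permits any /24
TIGHT_ROAS = [ROA(AGGREGATE, max_length=11, asn=AMAZON_AS)]  # only the /11 itself


def scenarios() -> Dict[str, str]:
    """ROV outcomes for the announcements a defender would want to compare."""
    return {
        # more-specific /24 still naming AS16509 as origin: ROV passes it
        "loose:/24 origin 16509": validate(HIJACKED, AMAZON_AS, LOOSE_ROAS),
        # same /24 originated by the hijacker's own ASN: ROV rejects it
        "loose:/24 origin 209243": validate(HIJACKED, QUICKHOST_AS, LOOSE_ROAS),
        # maxLength equal to the aggregate's length: every more-specific fails
        "tight:/24 origin 16509": validate(HIJACKED, AMAZON_AS, TIGHT_ROAS),
        "no roa": validate("172.16.0.0/12", AMAZON_AS, LOOSE_ROAS),
    }
```

Keeping maxLength equal to the length actually announced (RFC 9319) is what turns the first scenario into an invalid route; ROV on its own still says nothing about whether the path via AS209243 was legitimate.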
Amazon is not the only cloud provider to have lost control of its IP addresses through a BGP attack; BGP has been prone to careless configuration errors and outright fraud for more than two decades. Ultimately, the security problem is industry-wide and not one that Amazon can fully address on its own.