Last month, Amazon lost control of part of its cloud-based IP address pool for more than three hours, which allowed cyber criminals to steal $235,000 from users of one of AWS's customers. Using BGP hijacking, the attackers gained control over a block of 256 IP addresses. Briefly, BGP is the backbone protocol on which the functioning of the Internet depends. It provides routing between the networks of Autonomous Systems (AS), that is, the Internet operators and other entities that hold a fragment of the global IPv4 address space for their own use. Routing on the Internet is carried out through communication between these AS numbers, based on the routes each of them advertises and on the selection of the "best" route to reach the destination.
As the technical analysis shows, AS209243, which belongs to the UK operator quickhost.uk, suddenly began advertising its infrastructure as the correct path for other ASes to reach a 24-bit block of IP addresses belonging to AS16509, one of the three AS numbers managed by Amazon. It is suspected that the hosting operator Quick Host was itself a victim in this attack rather than the attacker. The captured block contained the IP address 184.108.40.206, which resolved to cbridge-prod2.celer.network, the subdomain serving the smart contract user interface for the Celer cryptocurrency. A smart contract is software, or a protocol, that automates and verifies digital agreements or significant events defined by the contract's own terms; in this case, a transaction exchanging one cryptocurrency for another. On August 17, the attackers obtained a TLS certificate for the above-mentioned subdomain because they were able to demonstrate to the Latvian Certification Authority (CA) GoGetSSL that they controlled the domain cbridge-prod2.celer.network, probably by exploiting another vulnerability on that server or by using the DNS server, which often serves as the proof of ownership when a new certificate is requested (for example, adding a specific TXT record confirms control over the domain and its servers).
Fig. 1. Section of the cBridge configuration with a substituted false smart contract address.
While in possession of the certificate, the hackers hosted their own smart contract for the victims and waited for visits from people trying to reach the legitimate cryptocurrency exchange site, cBridge. The malicious smart contract drained $234,866.65 from 32 victims' accounts in 3 hours.
Fig. 2. Intercepted certificates.
By verifying the certificate IDs on the crt.sh website, it was possible to confirm the acquisition dates and the IP addressing related to the Celer network. The trace of the certificate and the addressing could be observed via the Censys platform (Fig. 3).
Fig. 3. Associating the certificate with Celer addressing, source available in Censys.io.
We can see that the IP address associated with the second certificate did not correlate with the IP address assigned to the Celer network. This clearly indicates that during a short-term substitution, tools such as Censys or search engines were unable to collect the latest route information. Nevertheless, we know that the address 220.127.116.11 was associated with the cbridge-prod2.celer.network domain from the beginning, so this is not a potential problem (Fig. 4).
Fig. 4. Historical logs of linking the IP address with the organization Amazon.com Inc.
To solve the puzzle, BGP routing graph tools, such as those of the operator Hurricane Electric (HE), are a good choice.
Fig. 5. Description of the AS16509 number.
As it turned out, the AS info column told us that Amazon's AS number broadcasts so-called bogons, that is, false IP addresses that do not belong to the selected AS (Fig. 6).
Fig. 6. Information from HE that Amazon's AS number broadcasts the so-called bogons.
The team of researchers at SlowMist managed to contact the administrators of the Celer network and obtained the attackers' IP address from the logs: 54[.]84[.]236[.]100. This address belongs to AS14618, which (you won't believe it) at the same time also announced fake bogons!
Fig. 7. Confirmation from the HE tool that the attacker also sent a fake address.
Looking at the propagation of the aforementioned routes of the malicious AS number, it is confirmed that the IP advertisement path of AS14618 (malicious) was AS16509 (Amazon). On this basis, the BGP hijacking can be confirmed (Fig. 8).
Fig. 8. Confirmation of the BGP hijacking.
Given the AS numbers and the IP addressing on both sides of the communication, researchers could see, via BGP Updates, a very large exchange of routing tables between 2:48 and 7:48 on August 18, 2022 CST (Central Standard Time).
Fig. 9. Observed changes in the BGP topology.
During a BGP hijack, cyber criminals try to withdraw the legitimate AS route and replace it with their own by setting the withdrawal flag on the legitimate route. Browsing the BGPlay records shows that this is exactly what happened (Fig. 9).
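As an added example (not code from the original article or from any of the teams it cites), the following Python replays a short sequence of constructed BGP update records and flags the two patterns described above and in the opening paragraphs: an announcement whose origin is not the expected AS, and one that keeps AS16509 as the origin but arrives through an AS that does not normally carry the prefix, as AS209243 did. The prefix 203.0.113.0/24, the upstream set and the update records are constructed assumptions standing in for the anonymised real values.

```python
import ipaddress
from collections import namedtuple

# Assumed expected-routing table built from the facts the article states: the
# hijacked /24 is originated by Amazon's AS16509. The prefix is a documentation
# placeholder (the article anonymises the real one) and the upstream set is assumed.
EXPECTED = {
    ipaddress.ip_network("203.0.113.0/24"): {"origin": 16509, "upstreams": {16509, 64500}},
}

# One observed BGP update: kind is "announce" or "withdraw"; in as_path the
# leftmost ASN is the observing peer and the rightmost is the origin.
Update = namedtuple("Update", "ts kind prefix as_path", defaults=[()])

def covering(prefix):
    """Return the monitored prefix that equals or covers `prefix`, else None."""
    net = ipaddress.ip_network(prefix)
    return next((k for k in EXPECTED if net.subnet_of(k)), None)

def analyse(updates):
    """Replay updates in order and return (ts, prefix, reason) alerts."""
    alerts, withdrawn = [], set()
    for u in updates:
        known = covering(u.prefix)
        if known is None:
            continue                      # not a prefix we monitor
        if u.kind == "withdraw":
            withdrawn.add(u.prefix)       # the legitimate route went away
            continue
        origin = u.as_path[-1]
        neighbour = u.as_path[-2] if len(u.as_path) > 1 else origin
        reason = None
        if origin != EXPECTED[known]["origin"]:
            reason = f"origin AS{origin} is not the expected AS{EXPECTED[known]['origin']}"
        elif neighbour not in EXPECTED[known]["upstreams"]:
            # Right origin, but the route enters via an AS that never carries it.
            reason = f"unexpected upstream AS{neighbour} before origin AS{origin}"
        if reason and u.prefix in withdrawn:
            reason += " after withdrawal of the legitimate route"
        if reason:
            alerts.append((u.ts, u.prefix, reason))
    return alerts

# Constructed sample: legitimate route, withdrawal, path-prepended hijack, origin hijack.
SAMPLE = [
    Update("2022-08-18T02:40Z", "announce", "203.0.113.0/24", (64496, 64500, 16509)),
    Update("2022-08-18T02:48Z", "withdraw", "203.0.113.0/24"),
    Update("2022-08-18T02:49Z", "announce", "203.0.113.0/24", (64496, 209243, 16509)),
    Update("2022-08-18T02:50Z", "announce", "203.0.113.0/24", (64496, 14618)),
]
```

A more-specific prefix announced from a wrong origin is matched to its covering monitored prefix and flagged the same way; in practice the expected table would be fed from RPKI ROAs or the operator's own IRR data rather than hand-written.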
Fig. 10. Confirmed record of the AS route change that kept traffic away from AS16509 (Amazon) for 3 hours.
The above analysis shows that the attackers had everything prepared from the beginning: the timing, the preparation and substitution of the certificate, the readiness of the IP addressing, and the wait for the BGP routes to propagate. The criminals, however, also had to count on a stroke of luck, and in fact it came. On the Ethereum network, a single transaction with the fake smart contract amounted to as much as $156,000, more than half of the amount stolen across all 32 transactions.
Fig. 11. Table of losses across the 32 transactions during the three hours of the BGP hijacking attack.