On April 24, 2018 several media outlets (e.g. Forbes) reported a cyberattack directed at users of MyEtherWallet, a web based service that facilitates the exchange and conversion of cryptocurrency.
Details are still emerging, but it appears the attack combined a couple of techniques that resulted in users of the MyEtherWallet service transferring their cryptocurrency to the attackers.
This two-pronged attack first used a technique called BGP hijacking. BGP is the routing protocol used on the internet by routers to exchange information regarding where traffic should be sent to reach specific IP addresses. Hackers can exploit BGP to induce routers to misdirect traffic. In this case, the attackers specifically targeted the IP addresses of the domain name servers operated by Amazon’s Route 53 service. This traffic would come primarily from DNS resolvers looking for the IP addresses of domains for which Route 53 is the authoritative DNS. So instead of the resolver requests being forwarded to Route 53 DNS, the requests were forwarded to a Russian network operated by the attackers.
The second phase involved exploiting DNS itself. After the attackers directed the resolver requests that should have gone to the Route 53 nameservers to their own nameservers, they then configured the nameservers to respond to requests for myetherwallet.com. (All other requests they could ignore, resulting in SERVFAIL responses. A more sophisticated attack might have avoided detection by passing those requests back to the internet and on to Route 53). The attackers’ DNS servers sent the IP address of their own bogus website masquerading as myetherwallet.com to the requesting resolvers, resulting in that IP address being sent to the end users trying to get to the legitimate website. Once connected, many (but not all) users signed in to the bogus website and then had their money stolen when their credentials were used to log in to the real MyEtherWallet site. The more cautious users did not sign in because the bogus site did not have a valid certificate and a warning popped up in their browsers. Others chose to ignore the warning.
This is not the first time cryptocurrency websites have been the targets of this form of attack.
Some Takeaways
The takeaways from this and other similar events depend on your perspective. As an end user, the most obvious is not to ignore security warnings, especially when accessing sites with valuable data (your money or personal information).
As a provider of web based services involving valuable/sensitive data, it is not enough to rely on your users always doing the right thing. You can’t prevent BGP hijacking as this is not within your control, but you can protect your DNS information. These attacks depend on resolvers accepting bogus DNS information and DNSSEC is the best defense against that happening. With DNSSEC, validating resolvers such as Google Public DNS check the digital signatures of the records they receive from authoritative servers. Resolvers validate those signatures using information domain owners provide (via their registrar) to the TLD (top level domain). If the signature doesn’t check out, the resolver will reject the DNS information. This is entirely within the control of the domain owner and it protects users (the customers) from this form of attack. This event and numerous others like it highlight the need for domain owners, particularly those hosting financial or healthcare information, to protect their zones with DNSSEC. While not all attacks can be successfully prevented, DNSSEC does provide a proven defense against DNS cache poisoning and man-in-the-middle attacks.
A second takeaway relates to DNS redundancy. All requests from the affected resolvers that should have gone to Route 53 went to the attacker’s network. This results in “collateral damage” because users on those resolvers would not be able to reach any domains being served by Route 53, as the attacker simply failed to respond to queries other than those for myetherwallet.com. With a separate, second DNS network in place, the resolvers would automatically retry their requests and get responses. As it was, users on those resolvers received SERVFAIL messages. BGP hijacking as well as unintended BGP operational errors can affect the availability of your DNS service. DNS redundancy is an effective safeguard to ensure your customers can find your web based services on the internet.
For more information, please see our Solutions Pages on DNSSEC and DNS Redundancy.