Amazon’s Route 53 DNS implicated in attack

Ether wallets were emptied on Tuesday, as attackers exploited a vulnerability in Amazon’s domain name system (DNS), allowing them to steal $152,000 in what is being called a “decade-old hacking technique”.

The heist took place on MyEtherWallet – a cryptocurrency exchange where users can safely send and receive funds through the maintenance of their own encryption keys.

Security on the open-source interface, however, wasn’t the cause of the burglary. It was, instead, a combination of users ignoring safety warnings and the deployment of a DNS hijacking technique that has little defense against it.

Acknowledging the incident in a Reddit post on Tuesday, MyEtherWallet said: “This is not due to a lack of security on the @myetherwallet platform.

“It is due to hackers finding vulnerabilities in public facing DNS servers.”

It added: “It is our understanding that a couple of DNS registration servers were hijacked at 12PM UTC to redirect myetherwallet[dot]com users to a phishing site.”

DNS is a key part of the internet’s infrastructure that directs users to a website’s IP address.

Attackers can intercept these requests and reroute users to malicious websites that appear legitimate by posing as the DNS – a technique known as BGP hijacking.

The “decade-old hacking technique,” MyEtherWallet said, meant that some individuals ignored warnings of the site’s fake SSL certificate – a security verifier and a surefire way to mitigate BGP hacking.

It is not known what DNS vulnerability was exploited, but MyEtherWallet said that most of those affected were using Google’s public DNS.

Amazon’s cloud-based Route 53 DNS – one of the largest for internet traffic – was also outlined by security researcher Kevin Beaumont to have played an integral role in the attack, meaning that assailants were able to redirect the traffic of that found on Route 53 users.

Only MyEtherWallet appears to have been targeted, Beaumont noted.

Amazon responded with a statement that said: "Neither AWS nor Amazon Route 53 were hacked or compromised.

“An upstream Internet Service Provider was compromised by a malicious actor who then used that provider to announce a subset of Route 53 IP addresses to other networks with whom this ISP was peered.

“These peered networks, unaware of this issue, accepted these announcements and incorrectly directed a small percentage of traffic for a single customer’s domain to the malicious copy of that domain."

MyEtherWallet recommended a switch to Cloudflare DNS servers as it investigated the incident further.

Earlier this month, The Daily Swig reported on the release of Cloudflare’s new DNS tool – a preliminary research project into how the DNS operates that is running in partnership with the Asia Pacific Network Information Centre (APNIC).