The story about MyEtherWallet.com hijack or how to become a millionare in 2 hours.
Aloha. Surprised this hasnt "made the news" over at this list yet. https://doublepulsar.com/hijack-of-amazons-internet-domain-service-used-to-r... https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/2teeVLJ44R... https://twitter.com/barton_paul/status/988788348272734217 TLDR; So it seems that AS10297 (some small hostingprovider in the US) suddenly started to announce de-aggregated AWS IP-space, containing quite alot of Route53 infrastructure, put up resolvers on their own on the hijacked IP-space and pointed *ATLEAST* www.myetherwallet.com to a ip-address that seems to be some kind of transparent proxy out of russia with a bogus SSL-cert (but still pretty good) (https://46.161.42.42/) I did digging in my own logs and played it through BGP-play - seems like it was in fact only Hurricane Electric (6939) that actually propagated this prefix to the Internet. Which makes sense since we have seen them being part of the problem in almost all recent hijacks. Can we do some collaborative digging in other tools you have handy (i guess thousand eyes probes etc could be of help here) to track how big the propagation was? Being abit involved in the Ethereum world it could be noted that the login to MyEtherWallet.com is abit special since you actually login with you wallet-seed and not user/pass to the site... giving the possibility to make really swift transfers without having actual access to the real site (for good ....and bad). -- hugge @ 2603
Is MyEtherWallet really doing 500k/hr in business though?
On Apr 24, 2018, at 2:35 PM, Fredrik Korsbäck <hugge@nordu.net> wrote:
Aloha.
Surprised this hasnt "made the news" over at this list yet.
https://doublepulsar.com/hijack-of-amazons-internet-domain-service-used-to-r...
https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/2teeVLJ44R...
https://twitter.com/barton_paul/status/988788348272734217
TLDR; So it seems that AS10297 (some small hostingprovider in the US) suddenly started to announce de-aggregated AWS IP-space, containing quite alot of Route53 infrastructure, put up resolvers on their own on the hijacked IP-space and pointed *ATLEAST* www.myetherwallet.com to a ip-address that seems to be some kind of transparent proxy out of russia with a bogus SSL-cert (but still pretty good) (https://46.161.42.42/)
I did digging in my own logs and played it through BGP-play - seems like it was in fact only Hurricane Electric (6939) that actually propagated this prefix to the Internet. Which makes sense since we have seen them being part of the problem in almost all recent hijacks.
Can we do some collaborative digging in other tools you have handy (i guess thousand eyes probes etc could be of help here) to track how big the propagation was?
Being abit involved in the Ethereum world it could be noted that the login to MyEtherWallet.com is abit special since you actually login with you wallet-seed and not user/pass to the site... giving the possibility to make really swift transfers without having actual access to the real site (for good ....and bad).
-- hugge @ 2603
"that depends". we for sure know that 150K or so got immediately snatched of the bat, but how much more wallets is at stake? no one knows. What is known however is that they are trying to deploy smokescreens with tons of transfers moving ETH around wallets and all seems to be ending up sooner or later in this account. https://etherscan.io/address/0xb3aaaae47070264f3595c5032ee94b620a583a39 Which is good for 17MUSD. That doesn't really matter though - i wanna speak what we do about this in the DFZ. Can someone from HE comment on how your ingress route-filtering policy looks like towards your customers? I typically base my peering-relationships on people/operators that i have some kind of level of trust in.
Is MyEtherWallet really doing 500k/hr in business though?
On Apr 24, 2018, at 2:35 PM, Fredrik Korsbäck <hugge@nordu.net> wrote:
Aloha.
Surprised this hasnt "made the news" over at this list yet.
https://doublepulsar.com/hijack-of-amazons-internet-domain-service-used-to-r...
https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/2teeVLJ44R...
https://twitter.com/barton_paul/status/988788348272734217
TLDR; So it seems that AS10297 (some small hostingprovider in the US) suddenly started to announce de-aggregated AWS IP-space, containing quite alot of Route53 infrastructure, put up resolvers on their own on the hijacked IP-space and pointed *ATLEAST* www.myetherwallet.com to a ip-address that seems to be some kind of transparent proxy out of russia with a bogus SSL-cert (but still pretty good) (https://46.161.42.42/)
I did digging in my own logs and played it through BGP-play - seems like it was in fact only Hurricane Electric (6939) that actually propagated this prefix to the Internet. Which makes sense since we have seen them being part of the problem in almost all recent hijacks.
Can we do some collaborative digging in other tools you have handy (i guess thousand eyes probes etc could be of help here) to track how big the propagation was?
Being abit involved in the Ethereum world it could be noted that the login to MyEtherWallet.com is abit special since you actually login with you wallet-seed and not user/pass to the site... giving the possibility to make really swift transfers without having actual access to the real site (for good ....and bad).
-- hugge @ 2603
-- hugge
On Tue, Apr 24, 2018 at 08:35:17PM +0200, Fredrik Korsbäck <hugge@nordu.net> wrote a message of 28 lines which said:
Surprised this hasnt "made the news" over at this list yet.
It may be also because NANOG email is handled by Google, who broke its antispam: <nanog@nanog.org>: host aspmx.l.google.com[2a00:1450:400c:c08::1a] said: 550-5.7.1 This message does not have authentication information or fails to pass 550-5.7.1 authentication checks. To best protect our users from spam, the 550-5.7.1 message has been blocked. Please visit 550-5.7.1 https://support.google.com/mail/answer/81126#authentication for more 550 5.7.1 information. v20-v6si12240130wrb.82 - gsmtp (in reply to end of DATA command)
On 4/24/2018 1:35 PM, Fredrik Korsbäck wrote:
Surprised this hasnt "made the news" over at this list yet.
In the old days, the list membership would have noticed the hijack. BGP hijacks used to be a somewhat popular topic, but like spammer chasing, I think everyone grew bored of it and the lack of things actually being done.
TLDR; So it seems that AS10297 (some small hostingprovider in the US) suddenly started to announce de-aggregated AWS IP-space, containing quite alot of Route53 infrastructure, put up resolvers on their own on the hijacked IP-space and pointed *ATLEAST* www.myetherwallet.com to a ip-address that seems to be some kind of transparent proxy out of russia with a bogus SSL-cert (but still pretty good) (https://46.161.42.42/)
Why did they use a self-signed cert? If you control the dns or the endpoint, you can easily get a signed cert. Given how lax people were at detecting this, they would have gotten further if people hadn't been complaining about the cert notification. Jack
participants (4)
-
Daniel Corbe
-
Fredrik Korsbäck
-
Jack Bates
-
Stephane Bortzmeyer