On 24th of April, for two hours between 11 to 1 UTC, the cryptocurrency Ethereum was stolen from the users trying to access myetherwallet.com. The Ethereum stolen is estimated to be worth $13,000. This was done by an elaborate attack of DNS rerouting and BGP hijacking. It was later discovered that the actors were no one-timers and already had a cryptocurrency worth $17 million in their wallets.
MyEtherWallet published an official statement on Reddit regarding the incident. It clearly stated that there were no issues with the MyEtherWallet security but due to some loopholes in the public DNS servers. You can click on MyEtherWallet Official Statement to view the full statement.
What is BGP and BGP leak?
BGP(Border Gateway Protocol) is a protocol used for communication between the Autonomous Systems. The Internet comprises of various Autonomous Systems that interact with each other for sending/receiving data. The Autonomous Systems are independent networks themselves but require BGP when interacting with other Autonomous Systems. The Autonomous Systems identify each other with Autonomous System Number or ASN. The routers of Autonomous Systems announce their IPs for other Autonomous Systems to identify their network and send packets to the appropriate destination.
Sometimes, an ISP is hijacked by an actor and used to announce the IPs of an Autonomous System that does not authorize it to do so. This is called as BGP leak. The BGP leak can be caused by various reasons. Sometimes, it is caused due to a configuration error. But at most times, BGP leak is caused when someone tries to hijack the BGP router to announce other Autonomous System's IPs without its consent.
What happened exactly?
The users trying to access MyEtherWallet website, a TLS certificate with a self-signed signature appeared on the screen which issued a warning to the users. However, this did not stop many users to continue further. Once the user did that, the actors had the encryption keys. The users were then redirected to some Russian servers by a method called as BGP hijacking.
The users that were requesting to access MyEtherWallet were actually providing their credentials to the actors either by typing them manually or with the help of cookies. Once the actors got the credentials, it was an easy task to log in to the genuine website and drain the users of all the ethereum. Within a matter of minutes, the users found their wallet to be empty.
A significant thing to notice here is that the MyEtherWallet's security was not compromised in any way. Only the users that used the wallet were redirected to another server where they were tricked to give up their credentials.
Also, the DNS service that MyEtherWallet uses is Amazon's Route 53 service which was also never hacked. The actors only announced the Amazon's IPs to look like the other networks were forwarding the data to the Amazon's Route 53.
How did it happen?
On Tuesday, the IP space allocated to Amazon(AS16509) was being announced by another Autonomous System eNet Inc (AS10297). It was then forwarded to Hurricane Electric (AS6939). It meant that many Autonomous Systems recognized the eNet Inc (AS10297) network as Amazon's network.
When the users sent a request to the MyEtherWallet which is hosted on the Amazon Web Services(AWS), the request was forwarded to hijacked Internet Exchange in Chicago. The request was then routed to servers in Russia where the credentials of the users were copied. Although the IPs announced were Amazon's, the actors only accepted requests that were meant to be from MyEtherWallet users.
Conclusion
There were many factors that led to the MyEtherWallet incident. First of all, the users needed to click on the certificate exception to move forward. Only the users that clicked on the certificate exception were affected. Secondly, this exposed the vulnerabilities in the BGP protocol as the transit providers announced the IPs without any verification. Thirdly, the DNS resolvers that resolved the DNS to the fake DNS servers acting as Route 53 DNS servers.
These types of incidents are likely to repeat itself if the communication between networks is not carried out in a secure way. Moreover, we will have to fix the loopholes in BGP protocol and DNS resolution. But most importantly, the ISPs have to be more vigil in sending and receiving data packets.
