3 hours of inaction from Amazon cost cryptocurrency owners $235,000

An analysis shows that Amazon recently lost control of IP addresses it uses to host its cloud services and took more than three hours to regain them, allowing hackers to steal $235,000 in cryptocurrency from users of one of the affected customers.

Hackers gained control of approximately 256 IP addresses through BGP hijacking, a form of attack that exploits known weaknesses in a core Internet protocol. BGP, short for Border Gateway Protocol, is the technical specification that traffic-forwarding organizations known as autonomous systems (ASNs) use to exchange routes with other ASNs. Despite its important function in routing wholesale volumes of data around the world in real time, BGP still relies on the Internet equivalent of word-of-mouth for organizations to track which IP addresses rightfully belong to which ASNs.

A case of mistaken identity

Last month, autonomous system 209243, owned by the UK-based network operator Quickhost.uk, suddenly started announcing that its infrastructure was the right path for other ASNs to reach a /24 block of IP addresses owned by AS16509, one of at least three ASNs managed by Amazon. The hijacked block included 44.235.216.69, the IP address hosting cbridge-prod2.celer.network, a subdomain responsible for serving the critical smart-contract user interface for the Celer Bridge cryptocurrency exchange.

On August 17, the attackers first used the hijack to obtain a TLS certificate for cbridge-prod2.celer.network, since they were able to demonstrate to the GoGetSSL certificate authority in Latvia that they controlled the subdomain. With that certificate in hand, the thieves placed their own smart contract on the same domain and waited for visits from people trying to reach the real Celer Bridge cbridge-prod2.celer.network page.
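The defensive counterpart to the hijack described above is route origin validation: each announcement's origin ASN is checked against a table of expected origins (what RPKI ROAs provide). The following is an added example, not code from the article or from Amazon, Celer or Coinbase; the expected-origin table and the sample announcements are constructed, and only AS16509, AS209243 and the 44.235.216.0/24 block come from the article.

```python
import ipaddress

# Constructed expected-origin table, modelled on RPKI ROAs:
# prefix -> (authorized origin ASN, maximum announced prefix length).
# Assumption: the hijacked /24 is registered to AS16509 with maxLength 24.
EXPECTED_ORIGINS = {
    "44.235.216.0/24": (16509, 24),
}


def validate_announcement(prefix, origin_asn, roas=EXPECTED_ORIGINS):
    """Classify one origin announcement as 'valid', 'invalid' or 'unknown',
    following the RPKI route-origin-validation rules (RFC 6811):
    a covering ROA with a matching ASN and an allowed length makes it valid,
    any covering ROA without such a match makes it invalid, no covering
    ROA at all leaves it unknown."""
    net = ipaddress.ip_network(prefix)
    covering = [
        (ipaddress.ip_network(p), asn, maxlen)
        for p, (asn, maxlen) in roas.items()
        if net.version == ipaddress.ip_network(p).version
        and net.subnet_of(ipaddress.ip_network(p))
    ]
    if not covering:
        return "unknown"
    for _, asn, maxlen in covering:
        if asn == origin_asn and net.prefixlen <= maxlen:
            return "valid"
    return "invalid"


# Constructed sample of observed announcements: (prefix, origin ASN).
SAMPLE_UPDATES = [
    ("44.235.216.0/24", 16509),   # legitimate announcement by Amazon's ASN
    ("44.235.216.0/24", 209243),  # the same block announced by the hijacking ASN
    ("44.235.216.0/25", 16509),   # more specific than the ROA's maxLength allows
    ("203.0.113.0/24", 64500),    # documentation range with no covering ROA
]


def find_invalid_origins(updates, roas=EXPECTED_ORIGINS):
    """Return the announcements a monitor should alert on (status 'invalid')."""
    return [
        (prefix, asn)
        for prefix, asn in updates
        if validate_announcement(prefix, asn, roas) == "invalid"
    ]


if __name__ == "__main__":
    for prefix, asn in SAMPLE_UPDATES:
        print(prefix, asn, validate_announcement(prefix, asn))
```

In a real deployment the table comes from an RPKI validator and the updates from a BGP collector or route monitor; here both are inlined so the check runs offline.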

In all, the malicious contract drained a total of $234,866.65 from 32 accounts, according to this post from Coinbase's threat intelligence team.


Coinbase team members explained:

The phishing contract is very similar to the official Celer Bridge contract, mimicking many of its attributes. For any method not explicitly defined in the phishing contract, it implements a proxy structure that forwards calls to the legitimate Celer Bridge contract. The proxied contract is unique for each chain and is configured at startup. The following command displays the contents of the memory slot responsible for configuring the phishing contract proxy:

[Figure: Phishing smart contract proxy memory (credit: Coinbase TI analysis)]

A phishing contract steals users’ funds using two approaches:

  • Any tokens validated by phishing victims are flushed using a custom method with a 4-byte value of 0x9c307de6().
  • The phishing contract eliminates the following methods designed to instantly steal the victim's tokens:
    • send() - used to steal tokens (e.g. USDC)
    • sendNative() - used to steal native assets (e.g. ETH)
    • addLiquidity() - used to steal tokens (e.g. USDC)
    • addNativeLiquidity() - used to steal native assets (e.g. ETH)

Below is an example of reverse engineering that redirects assets to an attacker’s wallet:

[Figure: Phishing smart contract piece (credit: Coinbase TI analysis)]
