A DNS attack has apparently breached MyEtherWallet (MEW), the most popular web-based, client-side Ethereum wallet.
This incident highlights the risks of relying on a central interface even when individuals hold their own funds. It also exposes weaknesses in the Domain Name System itself.
The incident was first identified by MyEtherWallet users who noticed something unusual. When connecting to the service, users were shown a warning about an unsigned SSL certificate, a break in the chain that verifies the site's identity.
Although that is odd, it is the kind of warning web users habitually click through without a second thought. Users who clicked through this particular certificate warning were redirected to a Russia-based server, which then emptied their wallets.
Looking at the wallet activity as a whole, the alleged attackers appear to have made off with Ethereum valued at about $13,000 over the two hours before the attack was shut down.
The alleged attackers' wallet apparently holds Ethereum worth over $17 million, which indicates that the individuals responsible already had substantial funds before carrying out the attack on MyEtherWallet.
MyEtherWallet and Amazon Web Services Respond
MyEtherWallet confirmed the incident in a tweet, stating that they were working to identify the precise servers targeted by the attack so the issue could be resolved as quickly as possible.
In a more detailed statement on Reddit, the company also advised users to run an offline (local) version of MyEtherWallet.
On closer analysis, the attack does not appear to have breached MyEtherWallet itself. Instead, the attackers targeted the web traffic infrastructure, intercepting DNS requests for myetherwallet.com so that the Russian server appeared to be the legitimate holder of that address.
Many of the affected users were using Google's 8.8.8.8 DNS. Because Google's service is a recursive resolver, it most likely picked up the bad record through spoofed communication with what appeared to be Amazon's Route 53 system.
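A DNS hijack of this kind is visible from the outside: resolvers start returning addresses that fall outside the ranges the site operator actually uses, and different resolvers disagree with each other. The following check is an added example, not code from MyEtherWallet, Google or Amazon; it assumes the operator has published its legitimate address ranges (the domain, ranges and resolver answers below are constructed placeholders) and flags any answer that lands outside them or any disagreement between vantage points.

```python
import ipaddress

# Constructed placeholder: the address ranges the site operator legitimately
# uses for its web front end. A real deployment would load these from the
# operator's own published records.
EXPECTED_NETS = {
    "wallet.example": [ipaddress.ip_network("203.0.113.0/24")],
}


def check_answers(domain, answers_by_resolver, expected_nets=EXPECTED_NETS):
    """Return a list of findings for one domain.

    answers_by_resolver maps a resolver label to the list of A-record
    addresses it returned for `domain`. A finding is raised when an
    address is outside the expected ranges, or when resolvers disagree.
    """
    findings = []
    expected = expected_nets.get(domain, [])
    answer_sets = {}

    for resolver, addrs in answers_by_resolver.items():
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            if not any(ip in net for net in expected):
                findings.append(
                    f"{resolver}: {domain} -> {addr} is outside expected ranges"
                )
        answer_sets[resolver] = frozenset(addrs)

    # Two honest resolvers may legitimately return the same set in a
    # different order; a different set is worth a look.
    if len(set(answer_sets.values())) > 1:
        detail = ", ".join(
            f"{r}={sorted(a)}" for r, a in sorted(answer_sets.items())
        )
        findings.append(f"{domain}: resolvers disagree: {detail}")

    return findings


def run_demo():
    """Constructed sample: one resolver returns a legitimate address,
    another returns an address nobody in the operator's ranges owns."""
    clean = {
        "resolver-a": ["203.0.113.10"],
        "resolver-b": ["203.0.113.10"],
    }
    poisoned = {
        "resolver-a": ["203.0.113.10"],
        "resolver-b": ["198.51.100.7"],  # constructed rogue answer
    }
    return check_answers("wallet.example", clean), check_answers(
        "wallet.example", poisoned
    )


if __name__ == "__main__":
    clean_findings, poisoned_findings = run_demo()
    print("clean:", clean_findings)
    for line in poisoned_findings:
        print("alert:", line)
```

Run from several networks (or against several public resolvers), a check like this would have shown the poisoned record before a user had to decide whether to click through a certificate warning. The certificate warning itself was the other signal: an unexpected certificate on a domain that normally presents a valid one should be treated as a stop, not a prompt.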
A representative of Amazon Web Services stated that the attack did not compromise their DNS system in any way. According to the statement, neither Route 53 nor any other AWS service was compromised or hacked. They added that an upstream ISP (Internet Service Provider) was breached by an attacker, who then used that provider to announce a subset of Route 53 IP addresses to other networks with which the ISP peered.
The Hacking Technique: BGP Hijacking
To intercept the DNS requests, the attackers employed a technique called BGP hijacking. According to a detailed analysis by Ameet Naik of ThousandEyes Inc., this technique sends altered routing information to divert traffic while it is in transit.
Naturally, to pull off this kind of attack, the attacker needs to compromise a BGP-speaking router operated by an ISP or another internet infrastructure provider. In this instance, the interception took place near an internet exchange in Chicago, Illinois.
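The standard defence against a rogue announcement of someone else's prefix is route origin validation (RFC 6811): the network operator publishes signed ROA records stating which AS may originate which prefixes and how specific an announcement may be, and routers drop or depenalise announcements that contradict them. The code below is an added example, not ThousandEyes' or Amazon's tooling; it implements the RFC 6811 classification over constructed ROAs and announcements (documentation prefixes and private ASNs, not the real ones from this incident) and shows why a more-specific prefix announced from the wrong AS comes out as "invalid".

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """A Route Origin Authorization: `asn` may originate `prefix` and any
    sub-prefix no longer than `max_length`."""
    prefix: str
    max_length: int
    asn: int


@dataclass(frozen=True)
class Announcement:
    prefix: str
    origin_asn: int


def validate_origin(ann, roas):
    """RFC 6811 route origin validation.

    Returns 'valid' if some covering ROA matches both origin AS and length,
    'invalid' if ROAs cover the prefix but none matches, and 'not-found'
    if no ROA covers it at all.
    """
    net = ipaddress.ip_network(ann.prefix)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.asn == ann.origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def audit(announcements, roas):
    """Classify every announcement; returns {(prefix, origin_asn): state}."""
    return {(a.prefix, a.origin_asn): validate_origin(a, roas) for a in announcements}


# Constructed data. AS64500 stands in for a DNS provider that has
# published a ROA for its /24 and does not allow more-specific
# announcements (max_length equals the prefix length).
SAMPLE_ROAS = [Roa("203.0.113.0/24", 24, 64500)]

SAMPLE_ANNOUNCEMENTS = [
    Announcement("203.0.113.0/24", 64500),  # the provider's own route
    Announcement("203.0.113.0/25", 64496),  # more-specific from another AS
    Announcement("203.0.113.0/24", 64496),  # same prefix, wrong origin
    Announcement("198.51.100.0/24", 64497), # nobody published a ROA
]


if __name__ == "__main__":
    for key, state in audit(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS).items():
        print(f"{key[0]:<18} AS{key[1]:<6} {state}")
```

The more-specific /25 is the interesting case: routers prefer the longest matching prefix, so without validation it would win over the provider's legitimate /24 and pull the traffic to whoever announced it. With a ROA in place, that announcement is "invalid" on two counts (wrong origin and longer than max_length), and an operator that rejects invalid routes never installs it. Validation only helps where both the prefix holder has published ROAs and the receiving networks enforce them, which is why such hijacks still succeed in practice.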
However, the root cause of the compromise remains unidentified.
According to a blog post by cybersecurity researcher Kevin Beaumont, it is unusual for DNS and BGP weaknesses to be exploited together in a theft of this magnitude. For him, the case underlines the persistent fragility of DNS security.
So far, MyEtherWallet is the only service to have confirmed the attack, despite reports and speculation that several other services may also have been victims of the redirect.
That speculation arises because the small return is hard to reconcile with the complexity of the attack and the resources it required.