Written by: Joseph Salazar, Technical Deception Engineer – Amazon Simple Storage Service (S3) provides the ability to store and serve static content from Amazon’s cloud. Businesses use S3 to store server backups, company documents, weblogs, and publicly visible content such as web site images and PDF downloads. Users organize files within S3 into “buckets,” which get assigned a URL based on a standard, predictable pattern for access to them.
Hackers used a man-in-the-middle attack to compromise an Amazon DNS server leading to about $152,000 in Ethereum cryptocurrency being stolen from MyEtherWallet.com customers when they were redirected to a phishing site where their wallet’s login credentials were stolen.
The incident began on Tuesday when cybercriminals used a border gateway protocol, a standardized exterior gateway protocol designed to exchange routing and reachability information among autonomous systems, rerouting traffic intended for Amazon’s Route 53 DNS service to a second server hosted by Equinix and then on to a server in Russia, according to reports from ESET’s Graham Cluley and a CloudFlare blog.
The IPs involved, 184.108.40.206/23, 220.127.116.11/23, 18.104.22.168/23 and 22.214.171.124/23, are all allocated to Amazon. CloudFlare said during the two-hours when malicious actors had control of the DNS server the IPs only responded to requests for myetherwallet.com and these requests were then sent along the chain to the Russian server where they were delivered to a phishing website where the victim’s wallet credentials were stolen leading to their Ethereum wallets being emptied.
Last week Dow Jones, the business and financial news company that owns the Wall Street Journal, admitted that 2.2 million customers’ details were exposed due to an Amazon S3 bucket misconfiguration. They are not alone and follow similar mishaps reported by Verizon, World Wrestling Entertainment, and Scottrade. They all share a common root problem, user error that resulted in exposing the contents of their S3 buckets. There are now over one million authenticated AWS users and S3 misconfigurations are becoming all too common.