MEW Hack, A Postmortem

Today the crypto space, and the Ethereum community specifically, was hit by a particularly significant attack targeting the popular MyEtherWallet website. MEW is regarded as one of the most trusted and secure services in the space and is used by thousands of people daily to store, access and transact their ETH and ERC20 tokens, which makes it a valuable resource to the Ethereum community.

Initial reports of missing funds started to circulate on Reddit and Twitter at about 11 A.M. GMT, and it quickly became apparent that some kind of attack was underway.

Reports from users who fell victim to the attack quickly began to paint a common picture, highlighting the same inconsistencies and telltale signs that they had not been using the legitimate website: an invalid SSL certificate presented on connection, and an A record pointing to a Russian IP address rather than the Cloudfront servers normally used by MEW.
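The two telltale signs above are checkable, and a practitioner watching a high-value domain can automate them. The following is an added example written for this post, not code from the original or from MEW: it compares A-record answers from several vantage points against an allowlist of expected prefixes, flags resolvers whose answers disagree with the majority, and flags a certificate whose issuer is its own subject. The prefixes, resolver names, answers and certificate are constructed (RFC 5737 documentation ranges); the real Cloudfront ranges are published by Amazon and change over time, so an allowlist has to be refreshed from that source.

```python
import ipaddress
import socket
from collections import Counter

# Constructed allowlist (assumption for this example): the prefixes an operator
# expects the site's A records to fall into. Documentation ranges, not real
# Cloudfront space.
EXPECTED_PREFIXES = [ipaddress.ip_network(p)
                     for p in ("198.51.100.0/24", "203.0.113.0/24")]


def unexpected_answers(answers, expected=EXPECTED_PREFIXES):
    """Return the A-record answers that fall outside every expected prefix."""
    bad = []
    for a in answers:
        ip = ipaddress.ip_address(a)
        if not any(ip in net for net in expected):
            bad.append(a)
    return bad


def disagreeing_resolvers(results):
    """Given {resolver_name: [A records]}, return the resolvers whose answer set
    differs from the one most resolvers returned. A hijack of the path to the
    authoritative servers poisons the resolvers that happened to take that
    path and not the others, so disagreement is itself a signal."""
    keyed = {name: tuple(sorted(ans)) for name, ans in results.items()}
    majority, _ = Counter(keyed.values()).most_common(1)[0]
    return sorted(name for name, ans in keyed.items() if ans != majority)


def is_self_signed(cert):
    """cert is in the dict form returned by ssl.SSLSocket.getpeercert():
    'subject' and 'issuer' are tuples of RDN tuples. A leaf whose issuer
    equals its own subject was not issued by any CA."""
    return cert.get("subject") == cert.get("issuer")


def live_lookup(hostname):
    """Optional online helper: resolve hostname via the system resolver.
    Not used by the constructed sample below, so the example runs offline."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


# Constructed sample: three vantage points, one of which got a poisoned answer.
SAMPLE_RESULTS = {
    "resolver_a": ["198.51.100.10", "198.51.100.11"],
    "resolver_b": ["198.51.100.10", "198.51.100.11"],
    "isp_resolver": ["192.0.2.45"],
}

# Constructed sample certificate in getpeercert() form: subject == issuer.
SAMPLE_CERT = {
    "subject": ((("commonName", "myetherwallet.com"),),),
    "issuer": ((("commonName", "myetherwallet.com"),),),
    "subjectAltName": (("DNS", "myetherwallet.com"),),
}


def triage(results=SAMPLE_RESULTS, cert=SAMPLE_CERT):
    """Combine the three signals into one verdict dict."""
    out_of_range = {}
    for name, answers in results.items():
        bad = unexpected_answers(answers)
        if bad:
            out_of_range[name] = bad
    return {
        "out_of_range": out_of_range,
        "disagreeing": disagreeing_resolvers(results),
        "self_signed": is_self_signed(cert),
    }


if __name__ == "__main__":
    print(triage())
```

Two caveats. The disagreement check says nothing if every resolver you query sits behind the same poisoned path, which is why the allowlist check is kept separate; and the self-signed check is exactly what the browser already does at the handshake, so the practical lesson is that a certificate warning on a site you have used before is the moment to stop, not to click through.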


As I was made aware of the hack I started to dig deeper, trying to glean additional info on the methodology used to alter the DNS A records.

I hopped onto a VM and tried to purposefully get served the malicious website, and while I wasn't able to get any additional info, I could confirm it was a clone of MEW using a self-signed SSL certificate.


While the attack was underway, the crypto community lost its collective mind and started throwing around wild speculation and accusations, blaming the compromise on the security posture of MEW, on Google DNS and on other unlikely culprits.

Initially I also thought this was in all likelihood a simple DNS hijacking attack affecting some ISP with lax security practices that hadn't properly secured its infrastructure, but as time passed and the situation became clearer, I noticed something very odd was happening: there were several reports floating around the internet of people experiencing problems with Amazon Route53 DNS servers.


This was a peculiar coincidence, since MEW uses – surprise, surprise – Amazon Route53 as its DNS provider.

At this point I started to suspect this could be an attack leveraging the BGP protocol to reroute DNS traffic.

By this time the issue was starting to appear on tech blogs and the crypto community was in a notable state of turmoil.

About two hours after the security incident was initially reported, the DNS records for myetherwallet.com were again pointing to the legitimate Cloudfront resources used to deliver the website.

A few sources in the InfoSec world quickly zeroed in on the issue.

Distinguished InfoSec community member and security researcher Kevin Beaumont quickly penned a blog post confirming what I suspected: the funds were siphoned from unsuspecting users interacting with a malicious version of the MEW website. This was made possible by a well-orchestrated BGP hijack used to intercept DNS traffic directed to the Amazon Route53 service. The method was a man-in-the-middle attack carried out from a server at the Equinix peering and internet exchange facility in Chicago.
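BGP hijacks of this kind work because routers accept whatever origin an announcement claims and forward to the most specific matching prefix, so a stolen /24 carved out of a victim's /23 attracts traffic worldwide even while the legitimate /23 is still announced. The following added example (written for this post; not Kevin Beaumont's, MEW's or Amazon's code) shows both halves: a checker that classifies announcements against an expected-origin table in the spirit of an RPKI ROA, and the longest-prefix-match rule that decides where a packet for the hijacked range actually goes. All prefixes, ASNs and announcements are constructed from documentation ranges (RFC 5737, RFC 5398); the real Route53 prefixes and the hijacker's ASN are not given on this page and are not assumed here.

```python
import ipaddress

# Constructed expected-origin table (assumption for this example), in the shape
# of RPKI ROAs: (prefix, AS allowed to originate it, longest allowed prefix length).
EXPECTED = [
    (ipaddress.ip_network("192.0.2.0/24"), 64496, 24),
    (ipaddress.ip_network("198.51.100.0/23"), 64496, 24),
]


def classify(prefix_str, origin_as, expected=EXPECTED):
    """Classify one announcement: 'valid', 'hijack' (wrong origin AS),
    'too_specific' (right origin but longer than allowed) or 'unknown'
    (no expectation on file for any covering prefix)."""
    pfx = ipaddress.ip_network(prefix_str)
    covering = [e for e in expected if pfx.subnet_of(e[0])]
    if not covering:
        return "unknown"
    net, asn, maxlen = max(covering, key=lambda e: e[0].prefixlen)
    if origin_as != asn:
        return "hijack"
    if pfx.prefixlen > maxlen:
        return "too_specific"
    return "valid"


def find_hijacks(updates, expected=EXPECTED):
    """updates: iterable of {'prefix': str, 'as_path': [ASN, ...]} as seen in a
    route collector feed. The origin AS is the last entry of the AS_PATH.
    Returns the announcements classified as hijacks."""
    return [u for u in updates
            if classify(u["prefix"], u["as_path"][-1], expected) == "hijack"]


def preferred_route(dst_ip, rib):
    """Longest-prefix match over a list of announcements: the rule by which a
    more-specific hijack wins over the legitimate covering announcement."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [r for r in rib if ip in ipaddress.ip_network(r["prefix"])]
    if not matches:
        return None
    return max(matches, key=lambda r: ipaddress.ip_network(r["prefix"]).prefixlen)


# Constructed feed: the legitimate /23 from AS64496, plus a /24 carved out of
# it and originated by AS64511, which has no business announcing it.
SAMPLE_UPDATES = [
    {"prefix": "198.51.100.0/23", "as_path": [64500, 64496]},
    {"prefix": "198.51.100.0/24", "as_path": [64500, 64511]},
    {"prefix": "192.0.2.0/24", "as_path": [64500, 64496]},
    {"prefix": "203.0.113.0/24", "as_path": [64502]},
]


if __name__ == "__main__":
    for u in SAMPLE_UPDATES:
        print(u["prefix"], u["as_path"][-1], classify(u["prefix"], u["as_path"][-1]))
    best = preferred_route("198.51.100.77", SAMPLE_UPDATES)
    print("traffic for 198.51.100.77 goes to AS", best["as_path"][-1])
```

The checker only sees what your route feeds see, and origin validation only protects networks that actually drop invalid routes; an operator who wants to know their prefixes are being announced by someone else still has to watch public route collectors rather than wait for their own routers to notice.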

For good measure I Googled the Russian ISP where the malicious MEW clone was hosted; sure enough, they're an interesting bunch to say the least, a classic bulletproof hosting operation. It appeared that they specialized in hosting C2 servers for various botnets and malware, as well as the occasional hijacking of IP address space belonging to other organizations by falsely advertising it as their own over BGP.

This hack is somewhat reminiscent of another attack leveraging the known weaknesses of the BGP protocol that hit the headlines some time ago, also targeting the cryptocurrency sector.

I’m inclined to think this hack was perpetrated by highly skilled individuals with significant amounts of resources at their disposal, judging by their modus operandi and by how they were able to pull this off so cleanly.

It's still too early to tell whether MEW was the only service affected. Since the hack proved to be quite complex and required a significant amount of time, planning and resources to execute, I think the number of victims could grow as time passes. It's fair to think that the main target was another entity entirely, with MEW just being a secondary objective along the way.

As always the cryptocurrency sector is a prime target for bad actors since the economic incentives to successfully conduct an attack are significant. Be vigilant.
