Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

8/14/2014
05:25 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Traffic To Hosting Companies Hijacked In Crypto Currency Heist

Attacker likely a current or former ISP employee, researchers say.

A crypto currency thief hijacked traffic that was meant for large hosting companies including Amazon, Digital Ocean, OVH, and others earlier this year in a heist that earned him some $83,000 in profits in more than four months, researchers revealed last week.

Researchers with Dell SecureWorks Counter Threat Unit published the new research on the attacks in conjunction with the Black Hat USA show in Las Vegas. Dell SecureWorks says some 51 networks were compromised from 19 Internet service providers as the thief redirected crypto currency miners to his own mining pool and stole their profits -- to the tune of $9,000 per day. The crypto currency hijack also interrupted network traffic for other users in the netblocks he targeted, the researchers say, but the attacker was mainly interested in the miners.

"They were man-in-the-middle hijacking crypto currency. I found my [account] was hijacked, too," says Joe Stewart, director of malware research for Dell SecureWorks. When Stewart first heard of the crypto currency theft, he figured the attacker had hijacked Border Gateway Protocol (BGP) routes and redirected their mining to the rogue systems. The Internet's BGP routing protocol basically connects networks on the Internet.

It turns out Stewart was correct: The attacker had blasted phony BGP broadcasts that redirected the victims' crypto currency traffic to his server. "He only hijacked it for brief periods where he was able to capture and trap a large section of miners," Stewart says, so the hijack was not necessarily noticeable.

The attacker was successful in part because crypto currency miners employ a protocol called Stratum that has little or no security. "They're not using HTTPS, so any mining pool can send or reconnect to send to a different IP. [The protocol] trusts that they are talking to the real server."

It was that inherent trust that the hijacker capitalized on. But Stewart says the culprit also needed the administrative rights to pull off the BGP spoof, so it was likely an employee or former employee of an ISP. "Or a hacker hacked a router."

The researchers ultimately traced the malicious BGP announcements to a single router at an ISP in Canada. "We reported it to the ISP, and gave them large logs." The activity ultimately came to a halt, he says, and the ISP didn't provide any additional information on its resolution.

Dell SecureWorks' Pat Litke, who worked with Stewart on investigating the theft, says at the heart of the problem is the ISP not having proper oversight of its offending employee or former employee.

But even more unsettling was how the attacker was able to temporarily commandeer all of those IP addresses. The affected hosting providers "have a huge range of IP addresses," says Litke. "The addresses being hijacked were fairly negligible. It didn't impact them… They weren't losing money, and their customers didn't notice."

The only noticeable glitch would be that users wouldn't be able to ping a server, but that would have been seen as a temporary network problem. "Only the miners got trapped for a longer period of time," Stewart says. "We didn't see any big website hijacked in that."

It was when miners started talking online in a Bitcoin forum about lost funds that it become obvious something had gone awry. On March 22, a user named "caution" noted sketchy activity in the wafflepool.com mining pool. Other miners chimed in with similar observations of their mining systems being redirected to an IP address they didn't recognize, and ultimately, their loss of funds.

According to Dell SecureWorks, some $2.6 million in crypto currency mining occurs daily. The researchers suggest that ISPs use the Resource Public Key Infrastructure service, and miners use a Secure Sockets Layer (SSL) client to encrypt their traffic. "Miners should also implement server certificate validation. This validation ensures that the certificate the pool server sends when establishing the connection is valid and authorized for use with the connected domain, even if the domain's IP address changes," the researchers wrote in their report about the attacks.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
8/15/2014 | 9:33:10 AM
Re: Awesome
Crytpo currency mining is fraught with security risk. So I suppose the heist was not surprising given the lack of security inherent in mining. But spoofing BGP was a pretty interesting way to pull it off, for sure.
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
8/15/2014 | 7:33:20 AM
Awesome
It is the demonstration of the capabilities of cybercrime ecosystem. This hack is very interesting, the crocks are also exploring with interest the opportunity offered by virtual currencies.

 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-14180
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Service Desk Server and Data Center allow remote attackers authenticated as a non-administrator user to view Project Request-Types and Descriptions, via an Information Disclosure vulnerability in the editform request-type-fields resource. The affected versions are...
CVE-2020-14177
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Regex-based Denial of Service (DoS) vulnerability in JQL version searching. The affected versions are before version 7.13.16; from version 7.14.0 before 8.5.7; from versio...
CVE-2020-14179
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint. The affected versions are before version 8.5.8, and from...
CVE-2020-25789
PUBLISHED: 2020-09-19
An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. The cached_url feature mishandles JavaScript inside an SVG document.
CVE-2020-25790
PUBLISHED: 2020-09-19
** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our secu...