Leveraging BGP to Steal Cryptocurrency

Tuesday, August 12, 2014 @ 04:08 PM gHale

Over four months, bad guys were able to rip off tens of thousands of dollars by redirecting the connections of cryptocurrency miners to mining pools they control, researchers said.

While it is not manufacturing automation-related news, it is interesting the attackers compromised 51 pools at 19 hosting companies, including Amazon, Digital Ocean, OVH, ServerStack, EGIHosting, Choopa, LeaseWeb and B2 Net Solutions, said researchers at Dell SecureWorks’ Counter Threat Unit (CTU).


The attacks used the Border Gateway Protocol (BGP), the routing protocol that exchanges reachability information between the autonomous systems that make up the Internet. BGP itself has no built-in authentication of route announcements; the main barrier to hijacking is that peering sessions must be configured manually by the operators on both sides, so an attacker needs control of a router that already has a peering session in order to inject routes.

The attackers injected bogus BGP announcements to redirect traffic to a server they controlled, Dell said. Under normal circumstances, cryptocurrency miners connect to pool servers, which hand out work and pay out rewards. By announcing routes for the pools' address space, the attackers drew the miners' connections to pools of their own. The redirected miners continued to receive work and carried on mining, but no longer received rewards.

Members of cryptocurrency forums first reported seeing malicious activity March 22, but Dell researchers found the attacks started as early as February 3.

By looking at some of the cryptocurrency addresses associated with the hijacker, Dell determined between February and late May the cybercriminals had managed to make a profit of $83,000 in Bitcoin, Dogecoin, HoboNickels, and Worldcoin. Researchers said the bad guys targeted other currencies as well.

Experts traced the attack to a single router hosted by an ISP in Canada. An upstream ISP is aware of the operation and has disrupted it, but the company has not provided Dell with any details regarding the source of the malicious activity. Researchers believe this could have been the work of an individual working for the ISP, or of a former employee who still has access to the company's systems. A third possibility is that an outside attacker compromised the router from which the BGP announcements were traced.

There are several mitigations that can prevent such attacks.

Network operators can deploy the Resource Public Key Infrastructure (RPKI), in which the holder of an IP prefix publishes a signed Route Origin Authorization (ROA) naming the autonomous system (AS) allowed to originate that prefix; routers that perform route origin validation can then reject announcements whose origin AS does not match a ROA. On the other side, the administrators of pool servers can require miners to connect over SSL/TLS and validate the server certificate, so that a connection redirected to an impostor pool fails instead of silently handing over hash power.
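The route origin validation step described above, as an added example that is not part of the article or of Dell SecureWorks' work: it classifies each announced (prefix, origin AS) pair as Valid, Invalid or NotFound against a small ROA set, following the matching rules of RFC 6811, and applies the usual policy of dropping Invalid routes. The ROAs, prefixes (RFC 5737 documentation space) and AS numbers (private range) are constructed for the example; the second hijack case uses a more-specific prefix, which is the common way to win a route even when the legitimate announcement is still present.

```python
"""Route origin validation (RFC 6811) against a set of ROAs.

Added example, not from the article or the Dell SecureWorks report. The
ROAs and announcements are constructed: prefixes are RFC 5737
documentation space and the AS numbers are from the private range.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: `asn` may originate `prefix` and any
    more-specific prefix down to `max_length` bits."""
    prefix: str
    max_length: int
    asn: int


# Constructed ROA set, standing in for validated RPKI data.
ROAS = (
    ROA("203.0.113.0/24", 24, 64500),   # pool operator's /24, AS64500 only
    ROA("198.51.100.0/22", 24, 64501),  # hoster may announce /22 down to /24
)


def validate_route(roas, prefix, origin_asn):
    """Classify an announced (prefix, origin AS) as Valid, Invalid or NotFound.

    A ROA *covers* the route if the route prefix lies inside the ROA prefix.
    A covering ROA *matches* if the route is no longer than max_length and
    the origin AS equals the ROA's AS. No covering ROA -> NotFound; at least
    one match -> Valid; covered but no match -> Invalid.
    """
    route = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        net = ipaddress.ip_network(roa.prefix)
        if net.version == route.version and route.subnet_of(net):
            covering.append(roa)
    if not covering:
        return "NotFound"
    for roa in covering:
        if route.prefixlen <= roa.max_length and roa.asn == origin_asn:
            return "Valid"
    return "Invalid"


def filter_announcements(roas, announcements, drop_invalid=True):
    """Apply the common ROV policy: drop Invalid, accept Valid and NotFound.

    Returns (prefix, origin_asn, state) for each accepted announcement.
    """
    accepted = []
    for prefix, origin_asn in announcements:
        state = validate_route(roas, prefix, origin_asn)
        if state == "Invalid" and drop_invalid:
            continue
        accepted.append((prefix, origin_asn, state))
    return accepted


# Constructed announcements: the legitimate pool route, a hijack of the same
# prefix from a different origin, a more-specific hijack, a legitimate /24
# under the hoster's /22, a /25 that exceeds the ROA's max length, and a
# prefix with no ROA at all.
ANNOUNCEMENTS = (
    ("203.0.113.0/24", 64500),
    ("203.0.113.0/24", 64666),
    ("203.0.113.0/25", 64666),
    ("198.51.100.0/24", 64501),
    ("198.51.100.0/25", 64501),
    ("192.0.2.0/24", 64502),
)

if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(f"{prefix:18} AS{asn:<6} {validate_route(ROAS, prefix, asn)}")
    print("accepted:", filter_announcements(ROAS, ANNOUNCEMENTS))
```

Two caveats a practitioner should keep in mind: validation only helps if the networks on the path between the miners and the pool actually drop Invalid routes, and a prefix with no ROA comes back NotFound and is accepted, so pool operators who want this protection have to publish ROAs for their own address space.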

“BGP peering requires that both networks be manually configured and aware of one another. Requiring human interaction for proper configuration makes BGP peering reasonably secure, as ISPs will not peer with anyone without a legitimate reason,” said Pat Litke and Joe Stewart of the Dell SecureWorks Counter Threat Unit in a blog post. “These hijacks and miner redirections would not have been possible without peer-to-broadcast routes. Although BGP hijacking is possible, the overall threat is minimal.”
