Crypto Thieves Hijack Amazon's Route53 DNS

Weekly Axis Of Easy #47

In this issue:

  • DDoS-for-Hire Service operators arrested
  • Crypto thieves hijack Amazon’s Route53 DNS
  • Drupalgeddon2 saga continues: 2nd patch released
  • Twitter sold data to same researcher behind Facebook scandal
  • Transcription service leaked medical records
  • Iranian LGBTQ activist wins defamation suit against Canadian
  • Canadian music industry seeks more money and content blocking

DDoS-for-Hire Service operators arrested

The world’s largest “DDoS-as-a-Service” operation has been seized by the US military Defence Criminal Investigative Unit after a joint operation headed by the UK’s National Crime Agency. The op was called “Power Off” and it took down a service which allowed pretty well anybody to order DDoS attacks online against any target of their choosing. Six people were arrested in Serbia, Croatia, Scotland and Canada.

Crypto thieves hijack Amazon’s Route53 DNS

For a period of 2 hours last week an appreciable portion of crypto wallet MyEtherWallet’s traffic was directed to a fake site where many users were duped into logging in and getting their wallets subsequently drained. The attack was facilitated via a BGP hijack of MEW’s DNS service provider: Amazon Route 53. This is a big deal as BGP hijacks are, unfortunately, not hard to pull off and there are no magic bullets to prevent them. Mitigation has to happen after-the-fact by monitoring one’s route announcements closely (using a service such as BGPmon*, which we do) and signing your zones with DNSSEC.

Now that BGP-hijacks-for-profit are a thing, DNSSEC has just taken on a whole new relevance. In this case, DNSSEC would have helped because many of the affected users were using Google’s Public DNS, which picked up the fake DNS for MEW. If the zone had been signed, then DNSSEC-aware resolvers (which Google’s and most of the major resolver services are) would not have responded with the spoofed DNS responses.

(DNSSEC functions are available in the control panel here. Coincidentally we’ve been working on a major upgrade here and we’re about a week or two away from go-live. It will include (among much more) automated DS record insertions. Right now that’s a manual process.)

*note: this only affects network providers who operate their own ASNs. If you don’t know what that is, you don’t need to worry about monitoring your route announcements, but your ISP or other infrastructure providers probably do. You do, however, need to think about DNSSEC for your mission critical zones.
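As an added illustration (not code from this newsletter or from easyDNS), the script below derives the DS record a parent zone must carry from a child zone's DNSKEY, and performs the matching check a validating resolver does at the delegation before trusting any answer from that zone. The key bytes are constructed, and algorithm 13 (ECDSAP256SHA256) with digest type 2 (SHA-256) are assumed.

```python
"""Derive a DS record from a DNSKEY (RFC 4034 / RFC 4509) and check a
child DNSKEY against the parent's DS, as a validating resolver does."""
import base64
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 s6.2): lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol (always 3), algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (for algorithms other than RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes) -> str:
    """Digest type 2 (SHA-256) over canonical owner name + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()

def ds_record(owner: str, flags: int, algorithm: int, pubkey_b64: str) -> str:
    """Presentation-format DS record the parent zone has to publish."""
    rdata = dnskey_rdata(flags, 3, algorithm, pubkey_b64)
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} 2 {ds_digest(owner, rdata)}"

def dnskey_matches_ds(owner: str, flags: int, algorithm: int, pubkey_b64: str,
                      ds_tag: int, ds_alg: int, ds_hex: str) -> bool:
    """Resolver-side check: the child's KSK must hash to the parent's DS.
    A DNSKEY injected by a hijacker fails here, so its RRSIGs are never trusted."""
    rdata = dnskey_rdata(flags, 3, algorithm, pubkey_b64)
    return (key_tag(rdata) == ds_tag and algorithm == ds_alg
            and ds_digest(owner, rdata) == ds_hex.upper())

# Constructed stand-in for a 64-byte ECDSA P-256 public key (NOT a real key).
GOOD_KEY_B64 = base64.b64encode(bytes(range(64))).decode()
# Constructed "attacker" key: same length, one byte differs.
BAD_KEY_B64 = base64.b64encode(bytes([0xFF]) + bytes(range(1, 64))).decode()

def demo(owner: str = "example.com.") -> tuple:
    """Returns (DS record, genuine key validates?, substituted key validates?)."""
    ds = ds_record(owner, 257, 13, GOOD_KEY_B64)   # 257 = KSK (SEP bit set)
    _, _, _, tag, alg, _, digest = ds.split()
    ok = dnskey_matches_ds(owner, 257, 13, GOOD_KEY_B64, int(tag), int(alg), digest)
    forged = dnskey_matches_ds(owner, 257, 13, BAD_KEY_B64, int(tag), int(alg), digest)
    return ds, ok, forged

if __name__ == "__main__":
    print(demo())
```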

Drupalgeddon2 saga continues: 2nd patch released

If you weren’t able to upgrade your Drupal sites when Drupalgeddon2 was first announced and simply patched, it looks like you have to patch again. Drupal developers released a follow-up patch that addresses the original CVE-2018-7600 vulnerability (dubbed “Drupalgeddon2”) as well as new vulnerability CVE-2018-7602. So far, three classes of exploits related to Drupalgeddon2 have been identified, including worms that spread malware for creating botnets and installing crypto-currency miners.

Twitter sold data to same researcher behind Facebook scandal

Looks like Twitter also sold data to a researcher at the centre of the Cambridge Analytica scandal that is dogging Facebook. The sale of data occurred in 2015, before the current scandal broke.

[ Plug: Get 6 months free web hosting when you add a new domain. Click here for more info ]

Transcription service leaked medical records

Via KrebsOnSecurity: “MEDantex, a Kansas-based company that provides medical transcription services for hospitals, clinics and private physicians, took down its customer Web portal last week after being notified by KrebsOnSecurity that it was leaking sensitive patient medical records — apparently for thousands of physicians.”

Iranian LGBTQ activist wins defamation suit against Canadian

Last week a Canadian judge ruled in favour of Iranian LGBTQ activist Shadi Amin in her defamation suit against a Canadian who operated a hitherto anonymous website attacking her. The defendant, rather than contesting that the material was defamatory, instead tried to deny his involvement in the operation of the site. I was an expert witness for the plaintiff and we were able to show that the anonymous site was in all likelihood linked to another site known to be run by the defendant because of an under-the-hood WordPress config variable he probably wasn’t aware existed (X-Pingback-Url FTW).

Canadian music industry seeks more money and content blocking

The Canadian music industry is asking the government to implement copyright reforms that include new levies on smartphones, ISP content blocking (with reporting back to the music biz) and the ability to renegotiate existing deals it deems unfair. All this despite the fact that, according to their own industry reports, business is good, as Canadian digital revenue growth is exceeding global trends.
