Attacks/Breaches

10/3/2018
09:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

100,000-Plus Home Routers Hijacked in Campaign to Steal Banking Credentials

The GhostDNS campaign, which has been mainly targeting consumers in Brazil, has exploded in scope since August.

An unknown attacker has hijacked over 100,000 home routers and changed their DNS settings in a major campaign to steal login credentials from customers of several banks in Brazil.

Security vendor Radware first reported on the campaign in August. Since then, the campaign has exploded in scope from mostly targeting users of DLink DSL modem routers to targeting users of more than 70 different types of home routers.

In a report released Saturday, Chinese security vendor Qihoo 360's Netlab team said it recently observed a significant increase in attempts to break into routers with weak passwords. About 88% of the devices that have been targeted so far in what Netlab is calling the GhostDNS campaign are located in Brazil.

The attackers are attempting to install a version of a previously known DNS hijacking exploit called DNSChanger on the routers and change their default settings so traffic gets redirected to a rogue server.  

When users attempt to access certain banks, the rouge server takes them to a phishing server hosting phishing pages that are clones of the account login page of the corresponding bank. The rogue server currently hosts phishing pages for 52 domains belonging to banks, cloud service providers, Netflix, and one cybersecurity firm.

In situations where the attackers are unable to guess the router passwords, they have been using a previously known exploit known as dnscfg.cgi to remotely configure DNS server settings on the routers without authenticating into them first.

Unlike previous DNSChanger campaigns, GhostDNS involves the use of an additional three submodules, which Netlab is calling Shell DNSChanger, Js DNSChanger, and PyPhp DNSChanger (after their programming languages). Together, the modules have more than 100 scripts for changing settings on more than 70 routers.

The ShellDNSChanger module includes 25 Shell scripts for attacking 21 routers and firmware. It features a third-party tool to scan IPs in a selected range of network segments in Brazil and uses the router information that is collected to try and crack passwords on their Web authentication pages.

The Js DNSChanger module, written in JavaScript, contains scripts for attacking six routers/firmware.

The PyPhpDNSChanger is the main module, with attack scripts for 47 different routers/firmware. Netlab says it discovered the module deployed on more than 100 servers, scanning for and attacking target router IPs in Brazil.

"The GhostDNS system poses a real threat to [the] Internet," Netlab said in its advisory. "It is highly scaled, utilizes diverse attack [vectors, and] adopts automated attack process."

Pascal Geenens, a cybersecurity evangelist for Radware who wrote about the start of the campaign in August, says GhostDNS is another example of how attackers have begun exploiting vulnerable consumer Internet of Things (IoT) devices in different ways.

Previously, attackers have hijacked IoT devices to create botnets for launching distributed denial-of-service (DDoS) attacks or to mine for cryptocurrencies and provide anonymizing proxy services.

With GhostDNS, attackers have demonstrated how they can exploit consumer routers to steal information that can be used to break into bank accounts and carry out other fraud. What is especially troubling about the attack is that many users of the compromised routers — especially those on older browsers — will have no indication their traffic is being redirected to a malicious server, he says.

"I'm a little bit surprised," Geenen says about how much the DNS hijacking campaign in Brazil has evolved since August. "It's not that easy to make an exploit work across that many routers."

Configuration commands for each router can vary. In order to carry out a campaign such as GhostDNS, the attackers would have needed to find the commands for each of the targeted routers and developed scripts for changing them. Then they would have needed to test the scripts to see how well they worked.

For Internet users, campaigns such as GhostDNS are another reminder to keep IoT devices properly updated, Geenens says. "All the vulnerabilities that we have seen abused, whether it is for cryptomining or for DDoS, were vulnerabilities that were fixed," he explains.

Attackers have learned that a majority of consumers don't update their IoT devices promptly when patches for newly announced flaws become available. So it is not unusual to see adversaries attacking new vulnerabilities almost immediately after the flaws are disclosed, he says.

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11358
PUBLISHED: 2019-04-20
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
CVE-2019-11359
PUBLISHED: 2019-04-20
Cross-site scripting (XSS) vulnerability in display.php in I, Librarian 4.10 allows remote attackers to inject arbitrary web script or HTML via the project parameter.
CVE-2018-20817
PUBLISHED: 2019-04-19
SV_SteamAuthClient in various Activision Infinity Ward Call of Duty games before 2015-08-11 is missing a size check when reading authBlob data into a buffer, which allows one to execute code on the remote target machine when sending a steam authentication request. This affects Call of Duty: Modern W...
CVE-2019-11354
PUBLISHED: 2019-04-19
The client in Electronic Arts (EA) Origin 10.5.36 on Windows allows template injection in the title parameter of the Origin2 URI handler. This can be used to escape the underlying AngularJS sandbox and achieve remote code execution via an origin2://game/launch URL for QtApplication QDesktopServices ...
CVE-2019-11350
PUBLISHED: 2019-04-19
CloudBees Jenkins Operations Center 2.150.2.3, when an expired trial license exists, allows Cleartext Password Storage and Retrieval via the proxy configuration page.