Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

10/3/2018
09:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

100,000-Plus Home Routers Hijacked in Campaign to Steal Banking Credentials

The GhostDNS campaign, which has been mainly targeting consumers in Brazil, has exploded in scope since August.

An unknown attacker has hijacked over 100,000 home routers and changed their DNS settings in a major campaign to steal login credentials from customers of several banks in Brazil.

Security vendor Radware first reported on the campaign in August. Since then, the campaign has exploded in scope from mostly targeting users of DLink DSL modem routers to targeting users of more than 70 different types of home routers.

In a report released Saturday, Chinese security vendor Qihoo 360's Netlab team said it recently observed a significant increase in attempts to break into routers with weak passwords. About 88% of the devices that have been targeted so far in what Netlab is calling the GhostDNS campaign are located in Brazil.

The attackers are attempting to install a version of a previously known DNS hijacking exploit called DNSChanger on the routers and change their default settings so traffic gets redirected to a rogue server.  

When users attempt to access certain banks, the rouge server takes them to a phishing server hosting phishing pages that are clones of the account login page of the corresponding bank. The rogue server currently hosts phishing pages for 52 domains belonging to banks, cloud service providers, Netflix, and one cybersecurity firm.

In situations where the attackers are unable to guess the router passwords, they have been using a previously known exploit known as dnscfg.cgi to remotely configure DNS server settings on the routers without authenticating into them first.

Unlike previous DNSChanger campaigns, GhostDNS involves the use of an additional three submodules, which Netlab is calling Shell DNSChanger, Js DNSChanger, and PyPhp DNSChanger (after their programming languages). Together, the modules have more than 100 scripts for changing settings on more than 70 routers.

The ShellDNSChanger module includes 25 Shell scripts for attacking 21 routers and firmware. It features a third-party tool to scan IPs in a selected range of network segments in Brazil and uses the router information that is collected to try and crack passwords on their Web authentication pages.

The Js DNSChanger module, written in JavaScript, contains scripts for attacking six routers/firmware.

The PyPhpDNSChanger is the main module, with attack scripts for 47 different routers/firmware. Netlab says it discovered the module deployed on more than 100 servers, scanning for and attacking target router IPs in Brazil.

"The GhostDNS system poses a real threat to [the] Internet," Netlab said in its advisory. "It is highly scaled, utilizes diverse attack [vectors, and] adopts automated attack process."

Pascal Geenens, a cybersecurity evangelist for Radware who wrote about the start of the campaign in August, says GhostDNS is another example of how attackers have begun exploiting vulnerable consumer Internet of Things (IoT) devices in different ways.

Previously, attackers have hijacked IoT devices to create botnets for launching distributed denial-of-service (DDoS) attacks or to mine for cryptocurrencies and provide anonymizing proxy services.

With GhostDNS, attackers have demonstrated how they can exploit consumer routers to steal information that can be used to break into bank accounts and carry out other fraud. What is especially troubling about the attack is that many users of the compromised routers — especially those on older browsers — will have no indication their traffic is being redirected to a malicious server, he says.

"I'm a little bit surprised," Geenen says about how much the DNS hijacking campaign in Brazil has evolved since August. "It's not that easy to make an exploit work across that many routers."

Configuration commands for each router can vary. In order to carry out a campaign such as GhostDNS, the attackers would have needed to find the commands for each of the targeted routers and developed scripts for changing them. Then they would have needed to test the scripts to see how well they worked.

For Internet users, campaigns such as GhostDNS are another reminder to keep IoT devices properly updated, Geenens says. "All the vulnerabilities that we have seen abused, whether it is for cryptomining or for DDoS, were vulnerabilities that were fixed," he explains.

Attackers have learned that a majority of consumers don't update their IoT devices promptly when patches for newly announced flaws become available. So it is not unusual to see adversaries attacking new vulnerabilities almost immediately after the flaws are disclosed, he says.

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-3154
PUBLISHED: 2020-01-27
CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
CVE-2019-17190
PUBLISHED: 2020-01-27
A Local Privilege Escalation issue was discovered in Avast Secure Browser 76.0.1659.101. The vulnerability is due to an insecure ACL set by the AvastBrowserUpdate.exe (which is running as NT AUTHORITY\SYSTEM) when AvastSecureBrowser.exe checks for new updates. When the update check is triggered, the...
CVE-2014-8161
PUBLISHED: 2020-01-27
PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message.
CVE-2014-9481
PUBLISHED: 2020-01-27
The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive information via a crafted module, related to unstripping special page HTML.
CVE-2015-0241
PUBLISHED: 2020-01-27
The to_char function in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a (1) large number of digits when processing a numeric ...