
'Drive-By Pharming' Now a Reality, Researchers Say

Theoretical exploit that allows attackers to hijack DNS servers and routers has been spotted in the wild, Symantec says

At first it was just an idea. Now it's a threat.

In a blog, Symantec today reported that it has spotted the first exploits using the "drive-by pharming" concept that researchers have been warning about for two years.

"With this sort of attack, all a victim would have to do to be susceptible is simply view the attacker’s malicious HTML or JavaScript code, which could be placed on a Web page or embedded in an email," Symantec says.

"The attacker’s malicious code could change the DNS server settings on the victim’s home broadband router (whether or not it’s a wireless router)," the company reports. "From then on, all future DNS requests would be resolved by the attacker’s DNS server, which means that the attacker effectively could control the victim’s Internet connection."

Drive-by pharming began as a concept described by researchers. Jeremiah Grossman, founder and CTO of WhiteHat Security, gave a presentation about the exploit at the Black Hat conference in Las Vegas in August of 2006. Symantec subsequently blogged about the idea as well. (See JavaScript Malware Targets Intranets.)

But Symantec says that attackers are now putting that idea into action. The company's researchers have spotted a rudimentary drive-by pharming exploit on the Web, redirecting traffic intended for one of Mexico's most popular banks.

"Anyone who subsequently tried to go to this particular banking Website (one of the largest banks in Mexico) using the same computer would be directed to the attacker’s site instead," Symantec says. "Anyone who transacted with this rogue site would have their credentials stolen."

The "real" exploit is actually more dangerous than the original concept because it takes advantage of routers that don't require administrative passwords, Symantec says.

"In its original incarnation the drive-by pharming attack required the attacker to correctly guess the administrative password on the victim’s router," the company says. "Since most people never change this password or, for that matter, even know of its existence, this measure poses little or no impediment for the attacker. So, simply changing the default password to one that is difficult to guess would have sufficed in protecting you.

"In the case of these routers, that’s not true," Symantec says. "It turns out that on this particular router the attacker does not even need to try guessing the password."

In many other cases, users can protect themselves by resetting the router and using strong passwords, the company says.
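As an added illustration that is not part of Symantec's report or this article, the following Python script shows the two checks a defender can run to notice this kind of hijack: whether the router's upstream resolvers still match an allowlist, and whether a sensitive hostname resolves to the same addresses through the router as through an independent resolver. The resolver list, hostnames and addresses are constructed sample data; reading the live values from a particular router model is assumed to be done by the caller.

```python
"""Added example: detect a pharming-style hijack of a home router's DNS settings.
Check 1: the router's upstream resolvers must be on an allowlist (ISP or chosen
public resolvers).  Check 2: A records for sensitive hostnames obtained through
the router must match an independent, trusted resolver.  Reading live values
from a specific router model is vendor-specific and assumed done by the caller."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class DnsCheckResult:
    rogue_resolvers: list = field(default_factory=list)
    mismatched_hosts: dict = field(default_factory=dict)

    @property
    def hijack_suspected(self) -> bool:
        return bool(self.rogue_resolvers or self.mismatched_hosts)


def find_rogue_resolvers(configured, allowlist):
    """Return configured resolver addresses that are not on the allowlist."""
    allowed = {ipaddress.ip_address(a) for a in allowlist}
    return [a for a in configured if ipaddress.ip_address(a) not in allowed]


def find_mismatches(router_answers, trusted_answers):
    """Hostnames whose A-record set via the router differs from the trusted
    resolver's answer; a missing answer via the router also counts."""
    mismatched = {}
    for host, trusted in trusted_answers.items():
        via_router = set(router_answers.get(host, ()))
        if via_router != set(trusted):
            mismatched[host] = {"router": sorted(via_router), "trusted": sorted(trusted)}
    return mismatched


def check_for_pharming(configured, allowlist, router_answers, trusted_answers):
    return DnsCheckResult(find_rogue_resolvers(configured, allowlist),
                          find_mismatches(router_answers, trusted_answers))

# Constructed sample data (RFC 5737 documentation ranges, not real servers).
ISP_RESOLVERS = ["198.51.100.1", "198.51.100.2"]
ROUTER_DNS = ["203.0.113.53", "198.51.100.2"]  # first entry silently altered
TRUSTED = {"www.bank.example": ["192.0.2.10"], "www.news.example": ["192.0.2.20"]}
VIA_ROUTER = {"www.bank.example": ["203.0.113.77"], "www.news.example": ["192.0.2.20"]}

if __name__ == "__main__":
    result = check_for_pharming(ROUTER_DNS, ISP_RESOLVERS, VIA_ROUTER, TRUSTED)
    print("hijack suspected:", result.hijack_suspected, result.rogue_resolvers, result.mismatched_hosts)
```

Note that the client PCs on the LAN usually point at the router itself, so the upstream list must be taken from the router's own DNS settings, not from a client's resolver configuration.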

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.