Advisory Overview
Threat actors have been changing settings on home and small-business routers manufactured by D-Link in order to re-route users to malicious websites. The changes are made after a user loads a website that contains a “poisoned” advertisement – an ad that has been crafted to run scripting and other non-advertisement code. This ad determines what router the user has and attempts to log in as an administrator using the router’s default username and password. Once the router is compromised, users will be re-directed to fake websites for streaming services, financial websites, and other sites on the web when they attempt to reach the legitimate website through a technique known as DNS takeover. These websites can be used to steal user credentials and/or to distribute additional malware. While the attack has only been seen in Brazil so far, the routers being attacked are also very popular in the United States and other countries. Limiting access and using strong passwords for router administrative login, along with keeping the routers updated, can all help prevent this attack.
Technical detail and additional information
What is the threat?
More than 180,000 routers in Brazil have had their DNS settings compromised. Threat actors have been able to infect thousands of home routers in Brazil by modifying DNS settings. Most of these routers have been comprised when users visit streaming sites and adult portals. Specially-crafted dynamic advertisements are run on these sites (usually without the knowledge or consent of the site owner) and first scan to determine the vendor, model, and firmware of the user’s router; then engage the attack scripting if a susceptible router is found. The attack scripting then utilize a list of default usernames and passwords to try and log into the user’s router, thus allowing for DNS modification to occur once the attack script successfully finds a username/password combination that works. As the DNS settings change them to malicious DNS servers, users attempting to visit legitimate banking, shopping, and other services websites get re-directed to malicious versions of these websites to trick users into providing login credentials and other sensitive information to the threat actors. They can also distribute additional malware.
Why is this noteworthy?
While the attacks have only been seen in Brazil so far, D-Link routers are popular with ISP’s and users throughout the world. This form of attack can also easily be altered to target other brands and models of routers without significant skill on the part of the threat actor, so morphing is a high probability. Besides being able to redirect users to phishing pages, threat actors have been able to replace legitimate advertisements with adverts they have created to generate revenue for themselves, making this a valuable attack method even when the threat actor has no intention of stealing credentials or information. It is important for users and ISPs to take proper precautions and secure their devices as this attack can soon spread to their respective country.
What is the exposure or risk?
Users can have their DNS settings compromised without even realizing it has happened. Once successful DNS modification occurs on a user’s router. Threat actors can change the DNS server IP address that are received from ISPs with addresses that are instead managed by the attacker. The next time a user’s smartphone or computer connects to a compromised router it will allow the threat actor to potentially funnel all DNS requests through that attacker’s own servers allowing them to hijack and redirect traffic to malicious websites that are used for phishing purposes. Aside from the specific websites that the threat actor sets up for re-direction, all other traffic routes normally. This means that there may be no visible indication of the compromise unless a user notices differences in a limited number of web pages – an unlikely scenario as the attack pages are typically indistinguishable from the legitimate pages.
What are the recommendations?
As this attack has not yet spread to many countries it is important to take precautions now to prevent it from being successful as the attack spreads or threat actors begin using indiscriminate bot nets to attack a wider audience. To prevent this form of attack from modifying DNS settings it is recommended users and ISP’s do the following:
· Use complex router administration passwords, and never use/always change the default usernames and passwords from the router vendor.
· Update the router’s firmware to the latest version – while firmware doesn’t play a direct role in this attack, updating will avoid many other known vulnerabilities.
· Use custom DNS settings on devices, which prevents the device OS from requesting tainted DNS settings from the local router. While end-users may have difficulty performing this task, ISP’s and company IT management should implement this workaround to protect their organization’s endpoints.
References:
For more in-depth information about the recommendations, please visit the following link:
https://www.zdnet.com/article/brazil-is-at-the-forefront-of-a-new-type-of-router-attack/
Router Exploit Kits: An overview of RouterCSRF attacks and DNS hijacking in Brazil
https://riotimesonline.com/brazil-news/brazil/attack-steals-bank-passwords-by-hijacking-180000-internet-routers-in-brazil/
If you have any questions, please contact our Security Operations Center.