Routers on fire: hackers rush change DNS settings

A large-scale “pharming” campaign targeting home routers took place in South America, the latest in a trend Kaspersky Lab’s experts have been monitoring for awhile. Home routers are frequently used by smaller businesses, which may also fall victim to this series of attacks that is reportedly pretty large.

Attackers sent a number of phishing emails to the users of a certain large telco in Brazil, warning them of a past-due account and providing them a link supposedly to a portal where they could resolve the issue. Instead, the websites hosted code that carried out a cross-site request forgery attack against vulnerabilities in home UTStarcom and TP-Link routers distributed by the telco.

The pages contained iframes with JavaScript exploiting the CSRF vulnerabilities if present on the routers. They also tried to brute force the admin page for the router using known default username-password combinations. Once (and if) the attackers had gained access to the router, they were able to change the primary DNS setting to the attacker-controlled site, and the secondary setting to Google’s public DNS.

This would allow them to sweep all traffic passing through – clearly gaining new and exciting financial opportunities at the poor victims’ expense.

There is an additional problem: Any router secured with default credentials is susceptible to this attack and a plethora of others. Researchers who discovered – and reported – this campaign said that setting an (always) functioning DNS server as the secondary decreases the chance that the users will notice something is wrong. In fact, even if the malicious DNS is down for some reason, the ISP customers will still be able to access the internet: all their DNS requests will go through the Google’s public DNS.

This calls to mind the much-dreaded DNSChanger Trojan: Its operators used the malware to alter home routers settings so that all DNS requests passed through their servers. Users were “served” aggressively with advertisements, including those of an adult nature, and all of the PCs connected to the infected routers had banners on their screens.

Eventually, the FBI seized DNSChanger servers and then had to maintain their operation while an extensive information campaign was held to tell users about how to get rid of DNSChanger and regain normal DNS forwarding. Otherwise, users would have lost their access to the Web.

Not this time, for weal or for woe: the Web access would remain even if the malware’s DNS servers are down. But the victims won’t know they’re targeted until their money is leeched.

Routers had been targeted by cybercriminals many times before and will most likely be again and again. Hacks like these have been a growing nuisance in the last 12 to 18 months, with more white hat researchers looking into the breadth and severity of the issue. Some cases, such as the Misfortune Cookie vulnerability in a popular embedded webserver called RomPager, have put 12 million devices, including home routers, at risk of attack. Last summer, during DEF CON, a hacking contest called SOHOpelessly Broken focused on router vulnerabilities, and yielded 15 zero-day vulnerabilities that were reported to vendors and patched.

There are many reasons for criminals taking on routers more often:

1. Home routers are among the most overlooked, “fire-and-forget” part of the network: set up once, they are seldom checked and are usually low on the list if something goes wrong
2. People apply weak passwords and keeping the factory login-password pairs isn’t uncommon. Setting complex passwords different from the defaults or the likes of “admin/1234″ is often neglected.
3. Home routers are used by small businesses too, which means hackers occasionally have a chance of a formidable profit, if the right victim is chosen.

Routers’ firmware requires timely patching just like any other software; it’s as important to protect endpoints from malware and phishing attempts frequently followed after the router breach. Kaspersky Small Office Security can be very useful here: aside from protecting PCs from the malware and cyberattacks, it is also capable of handling attempts of illicit redirection.

To learn more about Kaspersky Small Office Security and to download the trial version, please visit here.

Getting back to the “pharming” campaign, Kaspersky researcher Fabio Assolini, who lives in Brazil, said he’s seeing an average of four new such attacks daily, and that is not a small operation.