Currently, owners of routers within the borders of Brazil are experiencing a sustained attack on their home routers. For nearly a year now routers based in Brazil have been targeted with a new type of router attack, which according to researchers at multiple security firms has not been seen anywhere else in the world. If the attack spreads to routers in other countries this will mean Brazil is ground zero for this new kind of attack and a single Brazilian router may hold the infamous and unwanted title of patient zero. Often routers are targeted for the creation of botnets, such as Mirai or other DNS (Domain Name Server) attacks. This latest attack shares many similar traits with other DNS attacks but differs in some significant ways. A DNS attack can be defined as an attack which looks to take advantage of certain vulnerabilities arising from the DNS system. These include DNS spoofing or Cache Poisoning, when the attacker corrupts a DSN server by replacing a legitimate IP address in the server’s cache with that of another, rogue address in order to redirect traffic to a malicious website, collect information or initiate another attack; and Denial of Service attacks which involve an attack in which a malicious bot sends send more traffic to a targeted IP address than what it was designed to handle resulting in downtime.
As was mentioned above the attack which for the time being is confined to Brazil started last year and was first observed by researchers at Radware and later verified by researchers at NetLab, a division of Chinese security firm Qihoo 360. At the time both firms noted that the hackers behind the attack were had infected over 100,000 home routers in Brazil and were modifying their DNS settings. The compromised routers were then used to redirect users to clone websites of some of Brazil’s popular banks, hoping that users would then enter in login credentials to those banks thus granting the hackers’ access to user’s online banking portals. In April of 2019, according to an article published by Bad Packets, a newer campaign began specifically targeting D-Link routers. As well as looking to target a specific brand of router hackers were also redirecting users to phishing pages for Netflix, Google, and PayPal, to collect their credentials according to an article published by security firm Ixia.
This was not the end for owners of routers. In a new report published by Avast, the attacks have not stopped and according to the company, hackers have infected and modified the DNS settings of over 180,000 Brazilian routers. This number is for the first half of 2019 and numbers are expected to rise significantly. Adding to the significant number of compromised routers, the complexity of the attacks has increased, and the number of actors involved in the attacks appears to have gone up as well. Those behind the attacks are also continually adopting better tools in an attempt to infect more routers. Users initially have their routers hacked while they are visiting popular sports and media streaming websites, hackers further also target those visiting adult content sites. Once on the site code is run via malicious ads while the user is watching streamed content. The malicious code is run in the browser and can detect the IP address of a home router and the router's model. When they detect the router's IP and model, the malicious ads then use a list of default usernames and passwords to log into users' devices, without their knowledge.
Advanced Tool Kit
If this initial attack is successful the malicious ads will then relay more malicious code via the browser. This time the code will modify the default DNS settings on the victims' routers, replacing the DNS server IP addresses routers receive from the upstream ISPs with the IP addresses of DNS servers managed by the hackers. The next time the user connects through the router it will receive the malicious DNS server IP addresses. This allows the hackers to funnel it will receive the malicious DNS server IP addresses. To complete this nefarious task successfully the attackers have used an advanced set of tools to get the job done. These tools, or exploit kits, are GhostDNS, Navidade, and SonarDNS. According to Avast GhostDNS and a newer variant called Navidade,
“is very popular in the Brazilian underground hacking scene and some of its variants belong to the most active exploit kits targeting Brazilian routers in 2019. The GhostDNS variant Novidade attempted to infect Avast users’ routers over 2.6 million times in February alone and was spread via three campaigns. According to Netlab360, GhostDNS consists of a complex system with a phishing web system, web admin system, and rogue DNS system.”