July 30, 2014

300,000 home routers and modems hacked

New research by Team Cymru’s Threat Intelligence Group has discovered that attackers have been changing the DNS settings on thousands of consumer-level small office and home routers. By changing the DNS settings the attackers are able to redirect the victims’ DNS requests to any site they choose and effectively conduct a Man-in-the-Middle attack.

The biggest risk is for those accessing financial sites. In this situation the compromised routers can redirect traffic to fake websites that capture users’ login credentials. It would also be possible for the attackers to inject their own adverts into web pages people visit or to change search results.

The team started its investigation in January 2014 and to date it has identified over 300,000 compromised devices, mostly in Asia and Europe. Once a device has been hacked, its DNS settings are changed to 5.45.75.11 and 5.45.75.36. The majority of the affected routers are in Vietnam; other affected countries include India, Italy and Thailand.

“Many cyber crime participants have become used to purchasing bots, exploit servers, and other infrastructure as managed services from other criminals,” wrote the report authors. “We expect that these market forces will drive advances in the exploitation of embedded systems as they have done for the exploitation of PCs.”

Unfortunately, routers from more than one manufacturer seem to be vulnerable to the attacks, and the hackers are using multiple exploit techniques. The research has not uncovered any new or previously unknown vulnerabilities. Instead the report shows that the techniques and vulnerabilities observed have been in the public domain for well over a year.

The two DNS servers listed belong to a hosting company in south London. The BBC has contacted the company but has yet to receive a response. Team Cymru has contacted the relevant law enforcement agencies about the attack and informed the ISPs which have the bulk of the compromised customers.
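A defender-side check for the hijack described above, added here as an example and not code from the Team Cymru report: it parses the DNS servers a router hands out in a DHCP lease (a constructed dhclient.leases sample is embedded) and flags the two rogue resolver addresses named in the report, as well as any resolver outside a hypothetical expected list.

```python
import re
import ipaddress

# Rogue resolver addresses reported by Team Cymru (quoted in the article above).
ROGUE_RESOLVERS = {"5.45.75.11", "5.45.75.36"}

# Hypothetical resolvers this network's router is expected to hand out.
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Constructed sample of a client's dhclient.leases file: a clean lease
# followed by a later lease from a router whose DNS settings were changed.
SAMPLE_LEASES = """\
lease {
  interface "eth0";
  fixed-address 192.168.1.23;
  option domain-name-servers 192.0.2.53,192.0.2.54;
}
lease {
  interface "eth0";
  fixed-address 192.168.1.23;
  option domain-name-servers 5.45.75.11,5.45.75.36;
}
"""

_DNS_OPTION = re.compile(r"option\s+domain-name-servers\s+([\d.,\s]+);")


def offered_resolvers(leases_text):
    """Return the resolver addresses from the most recent lease (last block wins)."""
    matches = _DNS_OPTION.findall(leases_text)
    if not matches:
        return []
    return [a.strip() for a in matches[-1].split(",") if a.strip()]


def classify_resolvers(addrs):
    """Label each resolver: known-rogue, expected, or unexpected (local/public)."""
    findings = []
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if addr in ROGUE_RESOLVERS:
            findings.append((addr, "known-rogue"))
        elif addr in EXPECTED_RESOLVERS:
            findings.append((addr, "expected"))
        elif ip.is_private:
            findings.append((addr, "local-unexpected"))
        else:
            findings.append((addr, "public-unexpected"))
    return findings


def lease_is_suspicious(leases_text):
    """True if the current lease offers any resolver that is not on the expected list."""
    return any(label != "expected"
               for _, label in classify_resolvers(offered_resolvers(leases_text)))
```

On a real host the same check can be run against the live file (for example `/var/lib/dhcp/dhclient.leases`) or the output of `nmcli dev show`, comparing the offered resolvers with the ISP's or organisation's published ones.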


DNS Attack Targets Popular Websites: Daily Telegraph, The Register, UPS, Acer and Others

(LiveHacking.Com) - Several popular web sites, including The Register, The Daily Telegraph, UPS.com and Acer.com, suffered a DNS attack on Sunday evening that resulted in visitors being redirected to third-party web pages.

Paul Mutton, a web security tester and tech author, captured a screenshot of what visitors to The Register saw.

Other websites which have been affected by the DNS hack include National Geographic, BetFair and Vodafone. With a DNS attack, the websites themselves are not hacked, but rather the hacker attacks the DNS infrastructure and diverts web traffic to a different site.

The hacked sites share a common registrar, Ascio Technologies, and were registered through NetNames. Both NetNames and Ascio are brands of GroupNBT. Zone-h suggests: “It appears that the turkish attackers managed to hack into the DNS panel of NetNames using a SQL injection and modify the configuration of arbitrary sites, to use their own DNS.”

Tim Anderson reminds us that “this kind of attack is more serious than simply hacking into a web server and defacing the content”, as with DNS attacks the hacker can intercept not only web requests for the affected names but also email.

Now, on Monday morning, it looks as if most (if not all) of the targeted sites are using the correct DNS settings.