New research by Team Cymru’s Threat Intelligence Group has discovered that attackers have been changing the DNS settings on thousands of consumer level small office and home routers. By changing the DNS settings the attackers are able to redirect the victims DNS requests to any desired site and effectively conduct a Man-in-the-Middle attack.
The biggest risk is for those accessing financial sites. In this situation the compromised routers can redirect traffic to a fake websites and captures user’s login credentials. It would also be possible for the attackers to inject their own adverts into web pages people visit or change search results .
The team started its investigation in January 2014 and to date it has identified over 300,000 devices, mostly in Asia and Europe, that have been compromised. Once a device has been hacked the DNS settings are changed to 220.127.116.11 and 18.104.22.168. It seems that the majority of the affected routers are in Vietnam, however other affected countries include India, Italy and Thailand.
“Many cyber crime participants have become used to purchasing bots, exploit servers, and other infrastructure as managed services from other criminals,” wrote the report authors. “We expect that these market forces will drive advances in the exploitation of embedded systems as they have done for the exploitation of PCs.”
Unfortunately more than one manufacturer’s router seem to be vulnerable to the attacks and the hackers are using multiple exploit techniques. The research has not uncovered any new, or previously unknown vulnerabilities. Instead the report shows that the techniques and vulnerabilities observed have been in the public domain for well over a year.
The two DNS servers listed belong to a hosting company in south London. The BBC has contacted the company but has yet to receive a response. Team Cymru has contacted the relevant law enforcement agencies about the attack and informed the ISPs which have the bulk of the compromised customers.