October 24, 2014

300,000 home routers and modems hacked

network leds on routerNew research by Team Cymru’s Threat Intelligence Group has discovered that attackers have been changing the DNS settings on thousands of consumer level small office and home routers. By changing the DNS settings the attackers are able to redirect the victims DNS requests to any desired site and effectively conduct a Man-in-the-Middle attack.

The biggest risk is for those accessing financial sites. In this situation the compromised routers can redirect traffic to a fake websites and captures user’s login credentials. It would also be possible for the attackers to  inject their own adverts into web pages people visit or change  search results .

The team started its  investigation in January 2014 and to date it has  identified over 300,000 devices, mostly in Asia and Europe, that have been compromised. Once a device has been hacked the DNS settings are changed to 5.45.75.11 and 5.45.75.36. It seems that the majority of the affected routers are in Vietnam, however other affected countries include  India, Italy and Thailand.

“Many cyber crime participants have become used to purchasing bots, exploit servers, and other infrastructure as managed services from other criminals,” wrote the report authors. “We expect that these market forces will drive advances in the exploitation of embedded systems as they have done for the exploitation of PCs.”

Unfortunately more than one manufacturer’s router seem to be vulnerable to the attacks and the hackers are using multiple exploit techniques.  The research has not uncovered any new, or previously unknown vulnerabilities. Instead the report shows that the techniques and vulnerabilities observed have been in the public domain for well over a year.

The two DNS servers listed belong to a hosting company in south London. The BBC has contacted the company but has yet to receive a response. Team Cymru has contacted the relevant law enforcement agencies about the attack and informed the ISPs which have the bulk of the compromised customers.

 

Apple Releases iTunes 10.5.1 to Fix Man-in-the-middle Vulnerability

(LiveHacking.Com) – Apple has released iTunes 10.5.1 to fix a potentially dangerous man-in-the-middle vulnerability. According to the iTunes 10.5.1 security advisory a hacker using a man-in-the-middle attack could offer software to end users that appears to originate from Apple. This is course would be a way to infect a computer with malware. The vulnerability exists in iTunes for Windows and for OS X.

iTunes periodically checks for software updates using an HTTP request to Apple. This request may cause iTunes to indicate that an update is available. If Apple Software Update for Windows is not installed, clicking the Download iTunes button may open the URL from the HTTP response in the user’s default browser. This issue has been mitigated by using a secured connection when checking for available updates. For OS X systems, the user’s default browser is not used because Apple Software Update is included with OS X, however this change adds additional defense-in-depth.

The vulnerability was reported to Apple by Francisco Amato of Infobyte Security Research.

iTunes 10.5.1, which is available for Mac OS X v10.5 or later, Windows 7, Vista and XP SP2 or later also introduces iTunes Match. Announced earlier this year, this new service allows users to store their entire music library in iCloud, including music that has been imported from CDs.

 

Missing Dots in Email Addresses Allows Security Researchers to Catch 120,000 Messages

(LiveHacking.Com) – Security researchers have captured thousands of emails by buying domains for commonly mistyped email addresses. Over six months they grabbed 20GB of data made up of 120,000 wrongly sent messages. These emails included trade secrets, business invoices, personal information about employees, network diagrams and passwords.

According to researchers Peter Kim and Garret Gee of the Godai Group around 30% of the top 500 companies in the US were vulnerable to this data leak.

The problem arises because of the way some organisations set up their email systems. Most companies use a single domain for all email, but some use subdomains. So rather than just user@bank.com the company has set up us.bank.com for its USA employees and uk.bank.com for its UK employees and so on.

By buying domains like usbank.com and ukbank.com the researchers where able to catch emails addressed to user@us.bank.com but due to a typing error were sent to user@usbank.com (without the dot after ‘us’).

Rather than getting an email back reporting the mistyped address, the email in fact went to the researchers. From there the email was forwarded to the correct address but with a bogus reply address so that the researchers could capture all the replies as well. This is what is known as a man-in-the-middle attack, or more specifically for email a man-in-the-mailbox attack.

Writing on the blog of security firm Sophos, Mark Stockley said: “It’s striking that the researchers managed to capture so much information by focusing on just one common mistake. A determined attacker with a modest budget could easily afford to buy domains covering a vast range of organisations and typos.”