Security Week 15: attack on routers with DNS spoofing

    This is not the first time we have looked at vulnerabilities in network routers, but the research by the Bad Packets group and the company Ixia (news, Bad Packets report, Ixia report) is interesting because together they give an almost complete picture of how routers are compromised, which settings are changed, and what happens next.

    Such attacks contain nothing technically complex, and the attackers' goal is simple: to earn money from advertising and, where possible, to steal passwords for online banking and paid Internet services. In short: the attackers scanned the network for vulnerable routers (mostly older D-Link models). Having found such a router, they changed its DNS server settings, redirecting traffic to their own servers. Trivial vulnerabilities were used: on unpatched devices the settings could be accessed without authorization. The oldest devices on the target list are more than 10 years old, yet in theory the attackers could have reached more than 15 thousand victims.

    Bad Packets recorded three attacks with common characteristics: at the end of December last year, in February, and at the end of March 2019. In all cases the first stage of the attack used Google Cloud Platform: a virtual server was created there to probe network devices.


    The scan looked for devices with known vulnerabilities, mainly older routers made by D-Link. Later, using the BinaryEdge service, which collects information about the parameters of Internet-exposed devices, it was possible to estimate how many devices were in principle vulnerable to such an attack. Of the dozen or so models known to have been attacked in this campaign, only one accounted for several thousand "hits".


    That is the D-Link DSL-2640B ADSL router: 100-megabit Ethernet and 802.11g Wi-Fi, not bad for a model that has been on sale since 2007. The other models (for example the D-Link 2740R, 526B and others, about a dozen versions in all) were of use to the attackers only on a small scale: just a few hundred of each are exposed on the network.

    In 2012 a vulnerability of a kind traditional for network devices was found in the 2640B: if a user who is logged into the router's web interface can be made to click a prepared link, control over the device can be gained (a cross-site request forgery). And in 2017 a more serious problem was found in the same router: it turned out that the DNS server settings could be changed without any authorization at all. Naturally, this requires the router's web interface to be reachable from outside, which should not be the case in a normal configuration.


    The consequences of DNS server spoofing are obvious: attackers can replace banner ads with their own, show users fake sites at the "correct" address, and directly attack the computers behind the router with malware.


    Ixia worked out what exactly happens to an attacked router. The method was as follows: on a test system, the malicious server was configured as the DNS server, and then a list of the 10 thousand most popular domain names (according to the Alexa ranking) was resolved through it, to find out for which domains the rogue DNS server tried to send victims to its own copies of the sites. Spoofing was recorded for four global services: PayPal, Gmail, Uber and Netflix. The other domains (more than ten in total) belonged to local services of banks and network providers in Brazil.
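    The check Ixia describes is easy to reproduce for your own router. The following is an added example, not Ixia's tooling or any code from the original post: it builds raw DNS A queries with the standard library, parses the answers, and compares a suspect resolver (the router) against a trusted one. The names, the 192.0.2.x / 198.51.100.x addresses and the "responses" below are constructed test data (documentation ranges, not real servers); the `min_sink_names` threshold is an assumption of this example. The comparison does not flag every difference, because CDNs legitimately return different addresses to different resolvers; it flags only names that the suspect resolver parks on an address shared by several unrelated names, which is the signature of the hijack described above.

```python
"""Compare a suspect resolver's answers with a trusted one to spot DNS hijacking."""
import ipaddress
import socket
import struct
from collections import Counter


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: one A/IN question, recursion desired, no EDNS."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)


def _read_name(pkt: bytes, off: int) -> tuple:
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack(">H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), end if end is not None else off


def parse_a_records(pkt: bytes) -> set:
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):                   # skip the echoed question
        _, off = _read_name(pkt, off)
        off += 4                          # QTYPE + QCLASS
    addrs = set()
    for _ in range(an):
        _, off = _read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:     # A record
            addrs.add(str(ipaddress.IPv4Address(pkt[off:off + 4])))
        off += rdlen
    return addrs


def resolve(server: str, name: str, timeout: float = 2.0) -> set:
    """Send one UDP query to `server` and parse the A records (live use only)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    if resp[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return parse_a_records(resp)


def find_hijacked(trusted: dict, suspect: dict, min_sink_names: int = 3) -> dict:
    """Flag names whose suspect answers share nothing with the trusted answers
    AND land on an address that several unrelated names also resolve to.
    The second condition separates a hijack (many victims parked on the
    attacker's server) from ordinary CDN/geo differences between resolvers.
    min_sink_names is an assumed threshold, tune it for your list size."""
    sinks = Counter(a for addrs in suspect.values() for a in addrs)
    flagged = {}
    for name, good in trusted.items():
        bad = suspect.get(name, set())
        if bad and not (good & bad) and any(sinks[a] >= min_sink_names for a in bad):
            flagged[name] = sorted(bad)
    return flagged


def build_response(query: bytes, addrs: list, ttl: int = 60) -> bytes:
    """Fabricate a response to `query` (constructed test data, not a real server)."""
    txid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    rr = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4)
                  + ipaddress.IPv4Address(a).packed for a in addrs)
    return header + query[12:] + rr


# Constructed scenario: the router's resolver parks four targets on one host.
NAMES = ["paypal.com", "gmail.com", "uber.com", "netflix.com", "example.com"]
TRUSTED = {n: {f"198.51.100.{i + 1}"} for i, n in enumerate(NAMES)}
SUSPECT = {n: parse_a_records(build_response(build_query(n), ["192.0.2.10"]))
           for n in NAMES[:4]}
SUSPECT["example.com"] = {"198.51.100.5"}   # answered honestly


def demo() -> dict:
    """Run the comparison over the constructed data."""
    return find_hijacked(TRUSTED, SUSPECT)


if __name__ == "__main__":
    for name, addrs in demo().items():
        print(f"{name} is redirected to {', '.join(addrs)}")
```

    For a live check, replace the constructed dictionaries with `{n: resolve(router_ip, n) for n in names}` and `{n: resolve("9.9.9.9", n) for n in names}` (or any resolver you trust) over a list of the sites you care about; a hijack shows up as a handful of banking and webmail names all collapsing onto the same one or two addresses.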


    A copy of the banking service looks convincing; only the lack of an HTTPS connection gives the fake away, so the missing padlock is the one thing a victim can check. Apparently the attackers did not manage to prepare some of the redirects properly: instead of the cetelem.com site, for example, the default Apache web server page was shown. In the March attack, both the fake websites and the DNS server itself were hosted on Google Cloud Platform. In response to a request from Ars Technica, Google said the malicious services had been blocked and that measures had been taken to block such operations automatically in the future. But this is not specific to Google: other attack waves used servers in Canada and Russia.

    Overall, this particular case is not a large-scale attack. It affects devices that are many years old, with long-known vulnerabilities, and which for some reason (misconfiguration, insecure default settings) expose the web interface to the Internet rather than only to the local network. It is hardly worth hoping for a patch for such ancient firmware; replacing the device is easier. Why do attackers go after such a relatively small set of device types at all? Because it is simple and profitable.

    Large-scale attacks with DNS spoofing have been recorded over the last ten years, including more creative methods such as attacking routers via a malicious app once the phone connects to Wi-Fi. From there, there are many ways to take money dishonestly: phishing followed by resale of passwords on the black market (paid streaming music and video accounts have recently become a hot commodity), direct theft of funds through banking and payment services, and distribution of malware. In Brazil such attacks took on the character of an epidemic, with hundreds of thousands of attacked devices. So what we have here is a well-documented but small episode in the vibrant activity of cybercriminals.

    Disclaimer: the opinions expressed in this digest may not always coincide with the official position of Kaspersky Lab. The editors generally recommend treating any opinions with healthy skepticism.