For nearly a year, Brazilian users have been targeted with a new type of router attack that has not been seen anywhere else in the world.
The attacks are nearly invisible to end users and can have disastrous consequences, having the ability to lead to direct financial losses for hacked users.
What’s currently happening to routers in Brazil should be a warning sign for users and ISPs from all over the world, who should take precautions to secure devices before the attacks observed in South American country spread to them as well.
Router DNS-changing attacks
The attacks targeting routers in Brazil started last summer and were first observed by cyber-security firm Radware, and a month later by security researchers from Netlab, a network threat hunting unit of Chinese cyber-security giant Qihoo 360.
At the time, the two companies described how a group of cyber-criminals had infected over 100,000 home routers in Brazil and were modifying their DNS settings.
The modifications made to these routers redirected infected users to malicious clone websites whenever they tried to access e-banking sites for certain Brazilian banks.
Similar attacks were seen a few months later, in April 2018 by threat intel firm Bad Packets, who detailed another wave of attacks, but this time aimed primarily against D-Link routers, also hosted on Brazilian ISPs.
This time around, besides hijacking users visiting Brazilian banks, the hackers were also redirecting users to phishing pages for Netflix, Google, and PayPal, to collect their credentials, according to researchers at Ixia.
But according to a report published by Avast this week, these attacks haven’t stopped. In fact, according to the company, in the first half of 2019, hackers have infected and modified the DNS settings of over 180,000 Brazilian routers.
Furthermore, the complexity of the attacks has increased, and the number of actors involved in the attacks appears to have gone up as well.
How a router hack takes place
According to Avast researchers David Jursa and Alexej Savčin, most Brazilian users are having their home routers hacked while visiting sports and movie streaming sites, or adult portals.
On these sites, malicious ads (malvertising) run special code inside users’ browsers to search and detect the IP address of a home router, the router’s model. When they detect the router’s IP and model, the malicious ads then use a list of default usernames and passwords to log into users’ devices, without their knowledge.
The attacks take a while, but most users won’t notice anything because they’re usually busy watching the video streams on the websites they’ve just accessed.
If the attacks are successful, additional malicious code relayed through the malicious ads will modify the default DNS settings on the victims’ routers, replacing the DNS server IP addresses routers receive from the upstream ISPs with the IP addresses of DNS servers managed by the hackers.
The next time the users’ smartphone or computer connects to the router, it will receive the malicious DNS server IP addresses, and this way, funnel all DNS requests through the attacker’s servers, allowing them to hijack and redirect traffic to malicious clones.
GhostDNS, Navidade, and SonarDNS
Per Avast’s investigation hackers have been using two special kits for these attacks. The first one is called GhostDNS, and is the one that’s been first spotted since last summer, and the botnet described by Radware and Netlab last year.
A variant of GhostDNS, called Navidade, also appeared in February.
Per Avast, “Novidade attempted to infect Avast users’ routers over 2.6 million times in February alone and was spread via three campaigns.”
Furthermore, since mid-April, another player entered the market. Avast calls this new botnet SonarDNS because the attacker appears to have re-purposed a penetration testing framework named Sonar.js as the backbone for their infrastructure.
Avast says it seen SonarDNS in three different campaigns over the last three months, and its modus operandi appears to be mimicking how GhostDNS operates.
Ad replacing and cryptojacking
But the DNS hijacking attacks aimed at routers in Brazil have not stood still and have also evolved. Besides hijacking traffic and redirecting users to phishing pages, the hacker groups behind these attacks have also added additional tricks to their arsenal.
The first is to intercept user traffic and replace legitimate ads with adverts operated or that generate profit for the attackers.
This tactic isn’t new, per-se. In 2016, Proofpoint researchers spotted an exploit kit which they named DNSChanger EK that did the same thing — replacing legitimate ads with malicious ones — and is most likely the inspiration for what the botnet operators targeting Brazil are doing now.
Second, the operators of GhostDNS, Navidade, and SonarDNS, have also been deploying browser-based cryptojacking scripts. This last tactic has also been seen in Brazil before, last year, when another group hijacked over 200,000 Mikrotik routers and added in-browser cryptocurrency miners to users’ web traffic.
Danger of spreading to other countries
But despite all of this, the DNS-changing attacks are the ones that are the most dangerous of all for end users. This is because the botnet operators are phishing users’ credentials, and hijacking online profiles or stealing money from users’ bank accounts.
With the attacks being so sneaky, hard to detect, and so profitable, it’s still a mystery why they haven’t spread to other countries.
Hacking routers is both cheap and easy. However, most IoT botnets today enslave these devices to perform DDoS attacks or act as proxies for bad traffic, brute-force, or credential stuffing attacks. Using routers for phishing would be way more profitable.
Users who want to stay safe against any IoT botnet that targets routers to modify DNS settings have a few options at their disposal:
- Use complex router administration passwords
- Keep routers up to date
- Use custom DNS settings on their devices, which prevent the device OS from requesting possibly tainted DNS settings from the local router