Hackers are always looking for a new spin on an old riff. Anything to generate maximum profits with minimal investment of time and resources. So after a highly successful new DNS security threat emerged in Brazil over the past few weeks, SMBs and consumers around the world should be on high alert.
Virtually invisible to the end-user, these attacks could result in major financial losses.
Focus on DNS
These attacks focus on the Domain Name System (DNS), an often-overlooked part of internet infrastructure which effectively acts as a digital signpost to convert domain names into IP addresses. Without DNS it would be virtually impossible to find the right websites, apps and machines online. This “phonebook of the internet,” as it is sometimes called, is built on DNS servers spread out across the globe.
DNS hijacking is a well-worn attack type in which these servers are compromised by attackers. They change the records stored on the servers so that when a user tries to visit a legitimate site they end up being redirected covertly to one under the control of the attacker. It has been used several times this year by nation-state attackers targeting governments in the Middle East.
A new spin
However, the latest spin focuses on consumer routers. Here’s how an attack happens:
- A user visits a compromised website (usually porn or sports streaming sites)
- Malicious adverts on that site run script in the visitor's browser and use it to launch cross-site request forgery (CSRF) attacks: requests the browser sends to the router on the local network without the user doing anything
- These redirect the user to a router exploit kit landing page
- The exploit kit (GhostDNS, Navidade, or SonarDNS) identifies the router's local IP address and tries to log in with a list of commonly used default credentials
- Once logged in, the attackers change the router's DNS settings with further CSRF requests
- They replace the DNS server IP addresses the router received from the ISP with the addresses of DNS servers under the attackers' control, which the router then hands out to every device on the network
All of the above happens in the background, without the knowledge of the victim.
What’s in it for the hackers?
Once the router hands out their resolvers, the attackers control name resolution for every device behind it: any domain they choose now resolves to a server they operate. That lets them silently redirect users to:
- Phishing sites, designed to steal everything from Netflix log-ins to banking passwords
- Crypto-jacking malware sites, which will hijack the user’s browser and force it to mine cryptocurrency
- Advertising under the control of the hackers, in order to generate profits
Avast has detected over 180,000 users in Brazil affected by this attack in just a few months this year (February-June). It has also blocked more than 4.6 million CSRF attacks attempting to silently compromise routers. These are concerning numbers.
Making the leap
The big worry is that copycat attacks could soon spread across the globe. Hackers have a vast cybercrime economy that provides everything they could possibly need at the click of a button: hacking tools, expertise and a market on which to sell stolen data. It also helps them share best practices and top tips. Word travels fast on the black market – far faster than in the white hat community.
These attacks make use of easy-to-source exploit tools and techniques, they happen without the knowledge of the end-user, and they could generate a tidy profit for the hackers. What’s not to like? Attackers could easily launch the same kind of raids against SOHO (Small Office, Home Office) routers as well as consumers. They could use the same techniques to phish corporate banking credentials and other log-ins or to download crypto-jacking malware in order to drive profits.
Keeping my business safe
Fortunately, there are a few steps you can take to keep your business relatively insulated from attacks like this. Consider the following:
- Update your router firmware to the latest version; vendors patch the admin-interface flaws these kits abuse, and out-of-date routers are the easiest targets
- Change the passwords on all sensitive accounts and turn on multi-factor authentication (MFA) wherever it is offered. A password manager lets you use a long, unique password for every site, so a phished or guessed password cannot be reused elsewhere, and MFA means a stolen password alone is not enough to log in
- Replace the router's default admin password with a long, unique one, and disable administration from the internet (WAN side) if the router offers that option. Most consumer routers have no MFA, so the admin password is all that stands between a forged request and your settings
- Log into the router and check the DNS server addresses it hands out. If they are not your ISP's or a public resolver you chose yourself, the router has been tampered with: reset it, update the firmware and set a new password before reconnecting anything
- When visiting sensitive sites such as your bank, make sure the connection is HTTPS (padlock in the address bar) and that the domain name is the right one. A hijacked resolver can send you to the attacker's server, but that server cannot present a valid certificate for the real domain, so never click through a browser certificate warning