DNS Hijacking Attack Exploiting DLink
Cybercriminals continuously perform DNS hijacking attack to the consumer’s routers over the past 3 months, and the sites targeted for phishing includes Netflix, PayPal, Uber, Gmail.
DNS hijacking is a type of malicious attack that used to redirect the users to the malicious website when they visit the website via compromised routers or attackers modifying a server’s settings.
Attackers abusing the hosts on the network of Google Cloud Platform to conduct this exploit attempts against consumers routers.
In this case, Researchers identified the rogue DNS servers being used to redirect web traffic for malicious purposes such as phishing attacks.
This ongoing campaign identified as 3 waves, In the First wave of an attempt on December 29, 2018, Attackers mainly targeting to exploit the multiple models of D-Link DSL modems, including:
- D-Link DSL-2640B
- D-Link DSL-2740R
- D-Link DSL-2780B
- D-Link DSL-526B
In this case, “The IP address of rogue DNS server used in this attack was 220.127.116.11 and hosted by OVH Canada.”
In the second wave that attempted on February 6, 2019, attackers using new hosts from AS15169 that was assigned to Google Cloud customers.
According to Bad Packets, “As Twitter user “parseword” noted, the majority of the DNS requests were being redirected to two IPs allocated to a crime-friendly hosting provider (AS206349) and another pointing to a service that monetizes parked domain names (AS395082).”
The third wave of attempt comes from three distinct Google Cloud Platform hosts, in this time, attackers targeting some of the models of the additional routers including ARG-W4 ADSL routers, DSLink 260E routers, Secutech routers, and TOTOLINK routers.
In This case, there are more than 10,000 consumers routers are vulnerable from different models including:
D-Link DSL-2640B – 14,327
D-Link DSL-2740R – 379
D-Link DSL-2780B – 0
D-Link DSL-526B – 7
ARG-W4 ADSL routers – 0
DSLink 260E routers – 7
Secutech routers – 17
TOTOLINK routers – 2,265
Attackers also performed a recon scan was done using Masscan to check for active hosts on port 81/tcp prior to attempting the DNS hijacking exploits.
Spoke person from Google said to “We have suspended the fraudulent accounts in question and are working through established protocols to identify any new ones that emerge. We have processes in place to detect and remove accounts that violate our terms of service and acceptable use policy, and we take action on accounts when we detect abuse, including suspending the accounts in question. These incidents highlight the importance of practicing good security hygiene, including patching router firmware once a fix becomes available.”
You can Also Download Free E-book about complete Enterprise Security Mitigation & Implementation Steps – Download Free-Ebook Here.
Exploit Attempt Source IPs
18.104.22.168Rogue DNS Servers
/dnscfg.cgi?dnsPrimary=22.214.171.124&dnsSecondary=126.96.36.199&dnsDynamic=0&dnsRefresh=1Source: Bad Packets Report