H Hightlight

Attackers Targeting Dlink DSL Modem Routers ; Exploiting Them To Change The DNS Settings



image

A recent research has found attackers to be resorting to targeting DLink DSL modem routers in Brazil, with a specific end goal to exploit their DNS settings, which at that point enables them to redirect users endeavoring to associate with their online banks to fake banking websites that steal the client's record data.

As per the research by Radware, the exploit being utilized by the hackers enables them to effectively scan for and script the changing of a lot of vulnerable switches so the user's DNS settings point to a DNS server that is under the hacker's control.

image
Example of Fake Cloned Bank Site (Source: Radware)
image
Certificate Warning on Fake Site

At the point when the user attempts to connect to a website on the internet, they first question a DNS server to determine a hostname like www.google.com to an IP address like 172.217.11.36.
Their PC at that point associates with this IP address and starts the coveted connection. In this way by changing the name servers utilized on the router, users are diverted to fake and malignant sites without their insight and made to believe that these sites are indeed legitimate and dependable.
The pernicious URL takes the following form:

/dnscfg.cgi?dnsPrimary=&dnsSecondary=&dnsDynamic=0&dnsRefresh=1

at the point when the exploit permits unauthenticated remote configuration of DNS server settings on the modem router.

Radware’s research stated that – “The uniqueness about this approach is that the hijacking is performed without any interaction from the user, phishing campaigns with crafted URLs and malvertising campaigns attempting to change the DNS configuration from within the user’s browser have been reported as early as 2014 and throughout 2015 and 2016. In 2016, an exploit tool known as RouterHunterBr 2.0 was published on the internet and used the same malicious URLs, but there are no reports that Radware is aware of currently of abuse originating from this tool."

The researcher's state that the attack is deceptive as the user is totally unaware of the change, the hijacking works without creating or changing URLs in the user's browser.

A user can utilize any browser and his/her consistent regular routes, the user can type in the URL physically or even utilize it from cell phones, for example, a smart phone or tablet, and he/she will in any case be sent to the vindictive site rather than to their requested for site since the capturing viably works at the gateway level.

Radware along these lines , recommends users to utilize the http://www.whatsmydnsserver.com/website to check their router's configured DNS servers, with the goal that they can alone decide whether there are servers that look suspicious as they won't be relegated by their internet service provider.

Read more