In late July, researcher Ankit Anubhav posted a tweet saying that more than 3200 routers indexed at Shodan were exposing their wireless connection passwords. Most of this equipment would be installed in Brazil.
Tempest’s Threat Intelligence team investigated the case and identified that the group of equipment mentioned by Anubhav was formed by several models of routers from the Brazilian manufacturer Intelbras, and that the exposure of these access credentials is due to a vulnerability published in 2015, which allows an attacker to bypass the device’s authentication system and access its administration page, making it possible to change any configuration in the device.
We analyzed about 2300 routers indexed on Shodan with open administrative interface to the Internet. We identified that, in addition to exposing wireless credentials, several of these equipment had already undergone changes in their DNS settings, made to redirect traffic to banks and e-commerce stores to fake sites under the control of the attacker.
This type of attack is called DNS Pharming and consists of modifying the victim’s name resolution system, causing redirection of requests under attacker’s interests (for example www[.]bank[.]com). Eligible requests are sent to malicious DNS servers, which, in turn, redirect the user’s request for copies of the original site to persuade him or her to enter sensitive data, such as accounts numbers, card data, passwords, and so on, on the attacker’s website. Considering that the change is made on the victim’s router, all network users may be affected.
This is not a new type of attack. In the past, we followed violations of this nature and found that the main targets used to be DNS servers of Internet Service Providers (ISPs) or the victims’ own computers. However, with the evolution of technology and security processes, attacks against ISPs have become more difficult and rare. Computer attacks depend on other factors, such as the adoption of malware that automates the infection, the spread of the attack and mock antivirus.
However, exploiting vulnerable routers, especially those with published and active vulnerabilities for years, makes the attack much easier and more effective because, besides reaching all users connected to that device, not all users have the habit of updating the firmware of their devices, either because they do not know new versions or because they do not understand that this is a necessary behavior
Such campaigns have been reported more frequently and, recently, Radware has identified a similar infection campaign, this time affecting D-Link devices.
The devices we looked at were configured with 42 different DNS servers. Out of these, 8 were redirecting connections to fake sites. Two of them caught our attention because of the number of infected devices: the server 145[.]249[.]106[.]106 was present in the configurations of more than 140 routers and the 80[.]82[.]67[.]14 was configured on more than 50 devices.
An interesting feature common to these campaigns is that the attackers are using different servers to host the DNS services and the Webserver. In this way, if some fake web pages are reported, it is extremely simple for the attacker to change the destination of the URL to another server.
Based on our experience in Takedown — an activity that requests and accompanies the removal of malicious content on the Internet — we find that this technique is quite effective because it is more difficult to prove malicious behavior on DNS servers than on Web servers.
We have noted other techniques that make it difficult to identify malicious DNS servers, such as IP restrictions that limit source connections to countries that match the attacker´s interests, or DNS server configuration to redirect requests to fake pages only at specific times.
To avoid this type of attack, we recommend to keep all network devices updated, periodically check which DNS servers are active on your connection (there are services that help on this, such as http://www[.]whatsmydnsserver[.]com/) and always check carefully the digital certificate data of the visited website.
IOCs
Malicious DNS Servers
139.60.162.188
142.4.196.213
145.249.106.12
167.114.54.202
192.3.6.18
192.3.190.114
192.3.6.18
80.82.67.14
Webservers
193.70.95.89
200.98.162.85
142.93.121.60
200.98.162.85
170.254.236.148
145.249.104.234