D-Link routers under siege from months-long DNS hack

The attackers are running malicious IPs through a Google Cloud Platform virtual machine

Picture of a DNS server

An ongoing hacking campaign is targeting consumer network routers, mainly D-Link branded ones, which hijacks DNS traffic redirecting users away from legitimate sites and towards malicious clones.

The attackers made attempts on vulnerable router firmware using a Google Cloud Shell which, according to Troy Mursch, a security researcher at Bad Packets, who discovered the issue, is notoriously easy to abuse. 

"Anyone with a Google account can access a 'Google Cloud Shell' machine by simply visiting [the Cloud Shell URL]. This service provides users with the equivalent of a Linux VPS with root privileges directly in a web browser," said Murshc. "Due to the ephemeral nature of these virtual machines coupled with Google's slow response time to abuse reports, it's difficult to prevent this kind of malicious behavior."

Mursch said he found three waves of these attacks dating back to December 2018, tweeting about them as and when they were discovered. IT Pro has contacted D-Link for its side of the story but has not immediately replied.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

The attack works by injecting the IP addresses (four have been used so far) of rogue DNS servers inside the vulnerable routers. The servers changed the IP addresses of legitimate sites to malicious copies the attackers were running. The attack is still running at present.

It points to a sophisticated phishing attack where unsuspecting users would visit the seemingly legitimate site and input their real login credentials ready to be intercepted by attackers.

The attack should be heeded by consumers and businesses alike because although only consumer home routers are affected, remote working culture is on the up and SMBs are also known to rely on home network packages and routers as enterprise offerings are too costly and provide more service than required.

There was a fairly high-profile example of this happening back in October 2018 where Brazillian banks were targeted via DNS hijackers, again harnessing three-year-old exploits in D-Link routers, according to Radware researchers.

The leader of an Estonian cybercrime group was charged in 2018 after pleading guilty to the distribution of malware called DNSChanger. Once infected, the malware would change the DNS settings on infected computers (Windows and Mac versions were about), replacing legitimate ads on websites with ads that would reward the man's own company Rove Digital.

Between 2007 and 2011, the company lead by Vladimir Tsastsin, 35, and six other men raked in $14 million through click hijacking and ad-replacement fraud.

Advertisement - Article continues below

The group were originally arrested in 2011 and later acquitted until 2014 where the Estonian Supreme Court revoked their acquittal and charged them for money laundering.

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/policy-legislation/data-governance/354496/brexit-security-talks-under-threat-after-uk-accused-of
data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
Visit/security/cyber-security/354468/if-not-passwords-then-what
cyber security

If not passwords then what?

8 Jan 2020
Visit/policy-legislation/31772/gdpr-and-brexit-how-will-one-affect-the-other
Policy & legislation

GDPR and Brexit: How will one affect the other?

9 Jan 2020
Visit/web-browser/30394/what-is-http-error-503-and-how-do-you-fix-it
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020