Widespread Hijack Attack Targets Routers through Web Browsers

Independent security research firm Kafeine have dixcovered a campaign wherein cybercriminals have devised  campaign based on a technique called cross-site request forgery (CSRF), which is designed to allow malicious requests from a website to be taken up and executed in a different page by the browser. All of this is done without the user’s knowledge or consent.

The malicious campaign.

The far-reaching widespread campaign to change the DNS (Domain Name System) in web routers will allow malicious hackers and attackers to intercept and have access to user traffic, hijack search entries, infect websites with rogue advertisements and even give the means to spoof entire websites.

The DNS plays a fundamentally critical role in the world of cybersecurity and the internet. It deciphers the domain name, which are easily remembered by users, into IP (internet Protocol) addresses that computers need to be made aware of, to communicate to the host servers.

Here’s how the DNS works:

  • When a website is entered in a browser, the browser seeks the website’s IP address from the operating system.
  • The operating system (OS) asks the local router, which seeks the DNS servers configured to the internet connection.
  • This continues until the request reaches the server for the domain name in question, or until the information is provided by the server’s cache.

With an attack, malicious hackers who are able to insert themselves in this process at any time during the communication flow can respond with a rogue IP address.  In essence, a trick is played on the browser to look for the website on a different server, oftentimes a malicious server that may host a spoofed, fake version of the website set up to gather and/or steal the user’s credentials.

Kafeine discovered that Google Chrome users were redirected to a malicious server which contained code designed to find out the router models used by the users accessing these servers, in order to change or replace the DNS servers configured on these devices.

The exploit kit used by the attackers according to Kafeine determined that over 40 router models from various manufacturers were detected. These included router makers such as Asus, Belkin, D-Link, Edimax, Linksys, Medialink, Microsoft, Netgear, TP-lInk, Netis, Trendnet, Hooto and Shenzhen among many others.

Upon detecting the model of the router, the attack tool attempts to change the router’s DNS settings by using common admin credentials and trying to exploit command injection vulnerabilities. If the attack proves to be successful, the DNS is changed and set to a different DNS controlled by the attackers while the secondary DNS, used as an alternative failover is set to Google’s public DNS server. By doing this, the attackers ensure that the router will have a functioning DNS while the user does not suspect the widely used Google DNS of any malice.

It is recommended that users check manufacturers’ websites regularly to check for firmware updates and install them as they find it. Patches have already been released for the attack which saw the attack server get around 250,000 unique visitors a day, with a jolt up to nearly 1 million visitors on May 9. That’s one million hijacked routers altogether, with the most impacted countries being the U.S., Brazil, Russia, Australia and India.