Internet users that have not secured their wireless router may soon face potential issues. A French researcher has discovered an exploit kit that targets and attacks many well known router models from reputable manufacturers.
Photo by ShoutMeTech.com, Flickr
In recent times, home and office routers (SOHO) have become a primary target for hackers that are seeking to redirect web traffic to malicious websites. In this specific case, hackers are now using a complex exploit kit on your router DNS settings in order to carry out cross-site request forgery attacks.
A French researcher named Kafeine has discovered an exploit kit and published research about the attacks on Friday. Kafeine said that at the attacks peak on May 9, after a month long series of modifications from attackers including JavaScript obfuscations that the traffic from the campaign peaked at approximately a million hits.
Traffic redirection results from hijacked router DNS settings
Particularly, the attackers are driving a lot of web traffic from Chrome users. Such an occurrence is an example of a pharming attack and is considered to be dangerous because it puts online banking and sensitive transactions/communications at risk.
Kafeine stated:
“This kind of attack is really old, but that this is the first time that I’ve seen something with obfuscation, rotating domains and landing going after DNS.”
Office and home routers are infected in this malicious campaign via drive by downloads and malvertising. The attackers concentrate on Chrome and Chromium based users possibly because of their ability to discover local and public IP addresses by using tools such as WebRTC-ips. WebRTC-ips is present in popular web browsers such as Chrome and Firefox and allows browsers and mobile apps to communicate in realtime via API’s.
CSRF attacks force victims to submit malicious requests on behalf of a hacker, typically on sites where a victim is already logged in. Kafeine stated the original exploit code was written in the clear, but within a month had added obfuscation and many other improvements. There is a long list of routers vulnerable to this type of attack including D-Link, Belkin, Netgear, Asus, and others.
Kafeine wrote:
“In the attack, the DNS address was changed to 185[.]82[.]216[.]86; it has since been changed to 217[.]12[.]202[.93], and always uses Google’s DNS as a failover should the first IP fail.”
Update your router firmware
Users are at risk of financial loss, click-fraud, man-in-the-middle attacks, and even phishing. It is recommended that everyone updates their router firmware and software and secure their router using strong password and security settings.
Have a great (CSRF-free) day!
Related Posts:
- Firmware Vulnerabilities Discovered on Linksys and ASUS…
- NetUSB hack puts Millions of home users at risk
- Hacker group LizardSquad used home routers to attack Xbox…
- Caphaw Trojan Found in Youtube Ads
- Caphaw Trojan Found in Youtube Ads
Exploit kit attacks DNS settings of over 50 different router models
The merciless onslaught of advertisements in some parts of the web have forced people to use applications like AdBlock to get a cleaner and less cluttered browsing experience. But using AdBlock is safe, right? Well, only if you are using the right one. A recent Malwarebytes post shows a malicious LSP Hijacker that tries to disguise itself as the legitimate application, AdBlock Plus. Talk about irony!
In recent times we have seen the rise of POS or Point of Sale malware (Remember PoSeidon?) designed to extract and transmit payment card information. According to this post by FireEye, a new variant of this malware family has emerged, one that is capable of stealing track one and track two payment card data. This malware, Nitlove, scans the processes on a compromised system, and after obtaining the payment card data, sends it back to the controlling webserver using SSL. Nitlove is mostly spread through malicious macro files attached to spam emails.
Not so long ago, a massive vulnerability in SSL security forced browsers to use weak encryption under certain circumstances, which would allow hackers to spy on sensitive and otherwise secure data. This vulnerability was dubbed FREAK as it involved RSA export keys. Now, a similar issue has emerged concerning Diffie-Hellman keys and TSL security. All servers supporting export-grade 512-bit Diffie-Hellman cryptography are affected.
If a process is found to be malicious, it will most likely be blocked in realtime by the Emsisoft behavior blocker. Alternatively, use the process list to quarantine or end the active malicious program. If a program is classified as malicious, it is recommended that you quarantine the threat.
If a process is found to be malicious, it will most likely be blocked in realtime by the Emsisoft behavior blocker. Alternatively, use the process list to quarantine or end the active malicious program. If a program is classified as malicious, it is recommended that you quarantine the threat.
Online advertisements can be annoying. But what if they spread malware too? The excessive greed of few has lead to the rise of malvertising, advertisements that redirect or lead to malware. A recent Zscalar study revealed that several compromised websites contained ads that led to ransomware.
Hackers and malware writers are now using the legitimate functions of popular websites to obfuscate or hide their malicious operations. In a recent attack on Technet, Microsoft’s blog for IT professionals, a Chinese hacker group APT17 used the ability to create profiles and posts to embed encoded CnC (Command and Control) to be used with a variant of the malware known as BlackCoffee. This was done to make it difficult for security professionals to trace the actual location on the CnC server, thus allowing it to remain hidden and operational. According to FireEye, several hacking groups are using the same obfuscation tactics on legitimate websites in order to prolong the lifetime of their CnC servers and thus spread more malware.
In the modern era of cyber security, the use of malware has become a highly profitable business. This captures the interest of several crooks who are willing to make quick cash of unsuspecting victims. Microsoft Word Intruder (MWI) is a new tool that allows even inexperienced crooks to write advanced malware. As stated by nakedsecurity, the malicious tool generates “booby-trapped” MS Office files. The malware creating application was probably developed in Russia with the obvious intention of making money by selling it to novice hackers.
The fact that hacking websites is illegal does not stop the ones in the trade from setting public prices for doing so. According to this hilarious post on hackread, hackers charge US$90 to hack Gmail, US$200 to US$350 for Facebook and WhatsApp. In fact, the website HackersList.com allows you to hire a “professional hacker” to gain unauthorized access to several web locations for a fee. Of course there is no assurance that you will get what you requested. Making such underground dealings often opens a box of surprises, in most cases bad ones. The rate chart is also a diverse one, with costs varying from as little as US$1.25 to a hefty 2000 Euro.
In the modern era of cyber security, the use of malware has become a highly profitable business. This captures the interest of several crooks who are willing to make quick cash of unsuspecting victims. Microsoft Word Intruder (MWI) is a new tool that allows even inexperienced crooks to write advanced malware. As stated by nakedsecurity, the malicious tool generates “booby-trapped” MS Office files. The malware creating application was probably developed in Russia with the obvious intention of making money by selling it to novice hackers.
The fact that hacking websites is illegal does not stop the ones in the trade from setting public prices for doing so. According to this hilarious post on hackread, hackers charge US$ 90 to hack Gmail, US$ 200 to 350 for Facebook and WhatsApp. In fact a website, HackersList.com allows you to hire a “professional hacker” to gain unauthorized access to several web locations for a fee. Of course there is no assurance that you will get what you requested. Making such underground dealings often opens a box of surprises, in most cases bad ones. The rate chart is also a diverse one, with costs varying from as little as US$ 1.25 to a hefty 2000 Euro.
Facebook users are the prime target for online phishes and scams. A very common trend, one we are seeing a lot lately involves some “shocking video”. Such links are shared on Facebook with one intention, making money by stealing innocent people’s information or making them complete paid surveys. Not only do these scams leave you filled with junk promotional emails and phone calls, they also infect your computer with malware, not to mention, there is no “shocking video” at the other end. This further fuels the desperation and excitement of users, making some of them complete the whole scam process multiple times (trying to get to that video), compounding the damage for themselves and filling the cyber criminal’s bank accounts.
Lenovo is facing the heat once again as three major vulnerabilities are discovered in their system update software. This is a big blow to the Chinese PC manufacturer after Superfish, the pre-installed Lenovo adware contained a massive security flaw. This time, it’s even worse as it turns out that Lenovo’s own system update software could lead to a man in the middle (MiTM) attack.
Google recently launched a new extension for the massively popular web browser, Chrome. This open source program called “Password Alert” is designed to prevent phishing attacks by warning users when they enter their Google login credentials on an illegitimate page. The source code for the software is available at GitHub and can be used by both home and business users. This tool is a response to a Google research which found phishing to be a potent attack vector.
