Posted on April 5, 2019 at 2:02 PM
Hackers have been using D-Link routers for the last three months to hijack DNS traffic with attacks still ongoing.
Hackers used well-known exploits in router firmware to access vulnerable devices, then changed the DNS settings on those routers. The changes were all but invisible to the vast majority of users, who are not tech-savvy enough to notice them.
The attacks have come in three waves: the first in late December 2018, the second in February 2019, and the latest late last month. This is according to a report by Bad Packets, a leading infosec research group, which also states that the attacks are ongoing and that many users remain at risk.
The report notes which D-Link routers have been targeted. The DSL-2640B, DSL-2740R, DSL-2780B, and DSL-526B are all at risk, but the number of each model exposed to the internet varies quite a bit.
The DSL-2640B is the most at risk, with 14,327 routers connected to the internet, the most of any D-Link model. In contrast to the DSL-2740R, the DSL-2780B has zero connected routers. This data was gathered by Bad Packets using the BinaryEdge search engine.
Users vulnerable to phishing
The DNS server addresses injected into these routers exist specifically to harvest login credentials. The hackers replace the router's DNS settings with the addresses of rogue DNS servers, which then resolve certain sites to a fake login page. Because the rogue servers only forge answers for the specific sites they target, the overall browsing experience for most users is unaffected.
The biggest problem with this is that it does not matter what device you are using. Whether you use your mobile phone, a friend’s laptop or your own laptop/PC the result is the same. This allows hackers to gain access to a greater variety of logins than if they had infected one machine.
Bad Packets has so far identified only four rogue IP addresses and has not been able to determine which legitimate sites were targeted in these attacks. What they did find was that the traffic was being routed to crime-friendly hosting platforms. One such host is BlueAngel Hosting in Bulgaria; another is Bodis LLC, which is known for hosting parked domains.
These attacks are not new and have been used before. They are called DNSChanger attacks. They are far more dangerous than normal attacks, but they are also much less common. They are also very easy to spot, according to Bad Packets.
One of the largest, and most dangerous, previous hacks was carried out in Brazil. A particular strain of malware infected IoT devices and managed to change the DNS settings on routers. The rogue DNS pointed people to fake online banking logins and gathered user data to break into bank systems.
Another such attack happened in 2018. It was a massive scandal, as it was perpetrated at a nation-state level, and it shows how seriously many countries take cybersecurity. The malware allowed hackers to direct Android phones to a trojan. It was perpetrated by the Roaming Mantis hacking group.
Current users need to check DNS settings
If you own one of the above devices, Bad Packets recommends that you check the DNS settings in your router. If they match the DNS server addresses authorized by your ISP, then you can rest assured that nothing bad has happened.
However, if one of the following IP addresses is in the DNS settings, then your router may have been compromised. You will need to follow your ISP's instructions on changing your router firmware.
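A defender-side check for the two things described above: whether the router's configured resolvers are the ones your ISP actually hands out, and whether a configured resolver answers differently for a given site than a trusted resolver does (the selective hijack the phishing section describes). This is an added example, not code from the article or from Bad Packets. The ISP addresses and the "rogue" address are placeholders (RFC 5737 test networks), not the real indicators from the report, which the page does not reproduce; the router's DNS page is pasted in as plain text because the admin UI differs per model, and the sample config text is constructed.

```python
"""Check a router's configured DNS servers and spot selective DNS hijacking.

Added example, not from the article or Bad Packets. All addresses below are
labelled placeholders; replace them with what your ISP publishes and with the
indicator list from the report.
"""
import ipaddress
import random
import re
import socket
import struct

ISP_AUTHORIZED_DNS = {"198.51.100.1", "198.51.100.2"}  # placeholder (RFC 5737 TEST-NET-2)
KNOWN_ROGUE_DNS = {"203.0.113.7"}                       # placeholder, not a real indicator

# Constructed sample of what a user might copy from the router's DNS settings page.
SAMPLE_ROUTER_CONFIG = """
Primary DNS Server:   203.0.113.7
Secondary DNS Server: 198.51.100.2
"""


def extract_ipv4(text):
    """Pull every syntactically valid IPv4 address out of pasted config text."""
    found = []
    for token in re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", text):
        try:
            ipaddress.IPv4Address(token)
            found.append(token)
        except ValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
    return found


def classify_resolvers(addresses, authorized=ISP_AUTHORIZED_DNS, rogue=KNOWN_ROGUE_DNS):
    """Label each configured resolver: 'rogue', 'ok' (matches the ISP) or 'unknown'."""
    verdicts = {}
    for ip in addresses:
        if ip in rogue:
            verdicts[ip] = "rogue"
        elif ip in authorized:
            verdicts[ip] = "ok"
        else:
            verdicts[ip] = "unknown"  # not known bad, but not what the ISP hands out either
    return verdicts


# Minimal DNS wire format, so the check needs no third-party packages.

def build_query(name, qid):
    """Standard recursive A query for `name` with transaction id `qid`."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode() for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(pkt, off):
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_records(pkt, expected_id):
    """Return the set of IPv4 addresses in the answer section of a DNS response."""
    qid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if qid != expected_id:
        raise ValueError("transaction id mismatch: response is not for our query")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4  # skip QTYPE and QCLASS
    ips = set()
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.add(str(ipaddress.IPv4Address(pkt[off:off + 4])))
        off += rdlen
    return ips


def build_response(query, ips):
    """Construct a response to `query` carrying the given A records (for offline testing)."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(ips), 0, 0)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(ip).packed
        for ip in ips
    )
    return header + query[12:] + answers


def query_a_records(server, name, timeout=3.0):
    """Ask one resolver for the A records of `name` over UDP (needs network access)."""
    qid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(512)
    return parse_a_records(data, qid)


def hijack_verdict(router_answers, trusted_answers):
    """Selective hijacking shows up as answers that disagree only for targeted names."""
    if not router_answers:
        return "no answer from router resolver"
    if router_answers & trusted_answers:
        return "consistent"
    return "MISMATCH: router resolver points this name elsewhere"


if __name__ == "__main__":
    # Offline: check the pasted router settings against the placeholder lists.
    print(classify_resolvers(extract_ipv4(SAMPLE_ROUTER_CONFIG)))
    # Online (hypothetical addresses): compare your router's resolver with a trusted one
    # for a login page you care about, e.g.
    #   hijack_verdict(query_a_records("192.168.0.1", "example.com"),
    #                  query_a_records("198.51.100.1", "example.com"))
```

The answer comparison uses set intersection rather than equality because sites behind CDNs legitimately return different addresses from different vantage points; a complete disjoint set for a login page is the signal worth acting on, and it should then be confirmed by checking the router's DNS settings directly.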