Hacker Group Has Been Hacking DNS Traffic on D-Link Routers
Earlier, we had service provider playing tricks with your DNS traffic. Then, it was difficult for us to fathom unless you are an expert to figure this out. Well, the majority of the users’ have no idea something like this is happening, but it was true.
For service providers playing with the DNS traceroute tool is a common practice, which they do to redirect DNS traffic to their local DNS servers. So if you thought you are on Google’s Public DNS Server, well you have to think twice.
Now, this news on ZDNet that hacker group has been hijacking, DNS traffic on D-Link routers. A cybercrime group has been hacking D-Link model home routers for the past three months. They change the DNS server settings and redirect the traffic to malicious clones.
These types of attacks have happened before and are usually referred to under the name of “DNSChanger,” after the name of the first malware that started changing DNS settings as a way to redirect users to malicious servers, way back in the 2000s.
Recently in August 2018, we have seen how hackers exploited DLink Routers configured Routers DNS settings, to redirect the customers of the Brazilian bank to a malicious website in a bid to steal their bank credentials.
Looks like the attackers used the well-known exploits in router firmware to hack into vulnerable devices and make silent changes to the router’s DNS configuration that most users won’t ever notice.
The list of D-Link routers and the models (the number to the side of each model lists the number of internet-exposed routers, as seen by the BinaryEdge search engine):
• D-Link DSL-2640B – 14,327
• D-Link DSL-2740R – 379
• D-Link DSL-2780B – 0
• D-Link DSL-526B – 7
• ARG-W4 ADSL routers – 0
• DSLink 260E routers – 7
• Secutech routers – 17
• TOTOLINK routers – 2,265
Troy Mursch, founder and security researcher at internet monitoring firm Bad Packets, said he detected three distinct waves during which hackers have launched attacks to poison routers’ DNS settings –late December 2018, early February 2019, and late March 2019.
Attacks are still ongoing, he said today in a report about these attacks.
How it works
According to Mursch “The hackers have used four IP addresses, and the point of this router hacking campaign was to inject the IP addresses of rogue DNS servers inside people’s routers.
On these four rogue DNS servers, hackers replaced the IP addresses of legitimate sites with the IP addresses of clone sites they were running.
A normal attack would look like this:
User’s computer or smartphone receives wrong DNS server settings from the hacked router.
1. A user tries to access a legitimate site.
2. The user’s device makes a DNS request to the malicious DNS server.
3. The rogue server returns an incorrect IP address for the legitimate site.
4. The user lands on a clone of the legitimate site, where he might be required to log in and share his password with the attackers.
5. But what legitimate sites the hackers targeted during these three campaigns remains a mystery, for both Mursch and the other security researchers who have looked into these attacks so far.
What the researchers find was where all this traffic was heading –aka the location of the clone sites.
“The majority of the DNS requests were being redirected to two IPs allocated to a crime-friendly hosting provider (AS206349) and another pointing to a service that monetizes parked domain names (AS395082),” said Mursch, citing another security researcher’s tweet.
Zdnet has listed the following four IP addresses, and if it is one of yours, then your router’s DNS settings have already been compromised by this campaign. The user needs to upgrade their router’s firmware at the earliest.
Kevin Jones935 Posts
Kevin Jones, Ph.D., is a research associate and a Cyber Security Author with experience in Penetration Testing, Vulnerability Assessments, Monitoring solutions, Surveillance and Offensive technologies etc. Currently, he is a freelance writer on latest security news and other happenings. He has authored numerous articles and exploits which can be found on popular sites like hackercombat.com and others.