Pharming attacks exploit default passwords to hack routers

Experts at Proofpoint uncovered a pharming attack that uses phishing to exploit router vulnerabilities and carry out malicious activities.

Security firm Proofpoint revealed that its experts recently detected a spam campaign targeting organizations and primarily Brazilian Internet users. The spam campaign implements a very effective technique to spy on a victim’s Web traffic. The particularity of this attack resides in the kill chain that started with malicious emails, as explained by experts at Proofpoint.

The attackers exploited security vulnerabilities affecting home routers to gain access to the administrator console, once obtained the access to the control panel the hackers changed run a pharming attack by changing the DNS settings of the devices. Pharming attacks on a large scale could be run by replacing DNS servers used by the ISPs, so hacking the providers DNS, or acting on the client side by manipulating the setting of routers.

“Proofpoint recently detected an update to a focused phishing campaign that represents a modern twist on this practice. Like the farming practice of using fish remains as fertilizer, modern attackers are using phishing emails to improve the yields of their pharming campaigns. This case is striking for several reasons, not the least of which is the introduction of phishing as the attack vector to carry out a compromise traditionally considered purely network-based.” states the blog post published by Proofpoint.

By running a pharming attack, threat actors can hijack victim’s traffic redirecting users to malicious website and could be also used to run man-in-the-middle attacks to steal sensitive data (i.e user credentials, email) or hijacking search results.

The researchers at Proofpoint detected about 100 phishing emails sent mostly to Brazilians who used either UTStarcom or TR-Link home routers. The emails were crafted to appear as legitimate messages from the Brazil’s largest telecommunications company.

The malicious emails used in the spam campaign contain links used by crooks to direct the victim to a server they control that is used to exploit cross-site request forgery (CSRF) vulnerabilities in the routers.

In order to access the administration panel of the routers, the attackers try default login credentials for the targeted device, a technique that resulted effective in many cases because user hadn’t changed factory settings.

“When clicked, the links in the phishing email direct victims to a web page that uses malicious iframes to exploit CSRF vulnerabilities in the targeted routers. The iframe code brute forces the administrator page login for the router with multiple HTTP requests, as seen below:”

Looking more closely at the HTTP requests embedded in the iframe, we see each pass the default administrator username and password for the router to the default IP address for the router’s administration page, with a string to set the IP address of the attacker’s malicious DNS as the Primary, and a well-known public DNS as the Secondary. The syntax of the request is:

<username>:<password>@<homerouterIP>/dnscfg.cgi?dnsPrimary=<attackerDNS>&dnsSecondary=8.8.8.8

A way to avoid this pharming attacks is to change default settings of the routers, another possibility if to fix the CSRF flaws exploited by attackers, but in this second case home users depend on the router manufacturer and the availability of a firmware update that fix this issue.

Let me close providing you the IOCs detected in this campaign:

• 217.172.179.143
• 46.148.25.196
• 07.167.184.141
• 9.64.36.205
• 86.202.164.88
• 09.239.112.63

Pierluigi Paganini

(Security Affairs –  pharming, cybercrime)