Pierluigi Paganini July 14, 2019

Brazilian users have been targeted by a large number of router attacks aimed at modifying the configuration of their routers for malicious purposes.

This year, security experts at Avast have blocked more than 4.6 million cross-site request forgery (CSRF) attempts carried out by crooks to execute commands without the users’ knowledge.

The campaign uncovered by Avast aimed at silently modifying the Brazilian users’ Domain Name System (DNS) settings to redirect victims to malicious websites mimicking legitimate ones.

Crooks targeted users of many major organizations, including Netflix and large banks like Santander, Bradesco, and Banco do Brasil.

A router CSRF attack could be launched by tricking victims into visiting a compromised website with malicious advertising (malvertising) typically served through third-party ad networks to the site.

“Avast frequently observes malvertising infections on local Brazilian websites that host adult content, illegal movies or sports content. Just by visiting a compromised site, the victim is redirected to a malicious page where their router is automatically attacked without user interaction.” reads a blog post published by Avast.

“Malware then guesses routers’ passwords, which new research from Avast shows are often weak. In some cases the router is reconfigured to use rogue DNS servers, which redirect victims to phishing pages that closely look like real online banking sites. Most recently, Netflix became a popular domain for DNS hijackers.”

Avast researchers also observed crooks using DNS hijacking to deliver crypto mining scripts to users’ browsers.

Experts first observed the router attacks last summers, researchers from Radware and Netlab first reported them.

Experts at Qihoo 360 NetLab reported that between September 21 and 27, the GhostDNS campaign compromised more than 100,000 routers, most of them (87.8%) located in Brazil.

In April 2019, experts at Bad Packets uncovered a new wave of attacks mainly aimed at compromising D-Link routers, many of them hosted belonging to Brazilian users.  

According to Avast, in the first half of 2019, hackers have modified the DNS settings of over 180,000 Brazilian routers with even more complex attacks.

The router attacks involved an exploit kit that attempts to find the router IP on a network, then attempts to guess the password using common login credentials.

“The password “gvt12345”, for example, suggests that hackers target users with routers from the former Brazilian internet service provider (ISP) GVT, which was acquired by Teleônica Brasil, and is the largest telecommunications company in the country.” states the analysis published by Avast. “The password “vivo12345” is used on routers distributed by the ISP Vivo, which is also Telefônica Brasil brand.”

Experts explained that the GhostDNS variant Novidade was one of the most active in router attacks against Brazilian users.

Avast confirmed that Novidade attempted to infect its users’ routers over 2.6 million times in February alone, the experts observed at least three campaigns spreading the malware.

In the past three months, experts also uncovered three drive-by attacks from another exploit kit tracked “SonarDNS EK” because it was based on the SONAR JS framework.

“Users should be careful when visiting their bank’s or Netflix’s website, and make sure the page has a valid certificate, by checking for the padlock in the browser URL bar. Additionally, users should frequently update their router’s firmware to the latest version, and set up their router’s login credentials with a strong password.”  concludes Avast.

Pierluigi Paganini

(SecurityAffairs – router attacks, Brazil)

[adrotate banner=”5″]

[adrotate banner=”13″]