DNS HIJACKING –
Attack, which uses DNS hijacking, is the latest to capitalize on pandemic anxiety.
It remains unclear how attackers are compromising the routers. The researchers, citing data collected from Bitdefender security products, suspect that the hackers are guessing passwords used to secure routers ’remote management console when that feature is turned on. Bitdefender also hypothesized that compromises may be carried out by guessing credentials for users ’Linksys cloud accounts.
Not the AWS site you’re looking for
The router compromises allow attackers to designate the DNS servers connected devices use. DNS servers use the Internet domain name system to translate domain names into IP addresses so that computers can find the location of sites or servers users are trying to access. By sending devices to DNS servers that provide fraudulent lookups, attackers can redirect people to malicious sites that serve malware or attempt to phish passwords.
The malicious DNS servers send targets to the domain they requested. Behind the scenes, however, the sites are spoofed, meaning they’re served from malicious IP addresses, rather than the legitimate IP address used by the domain owner. Liviu Arsene, the Bitdefender researcher who wrote Wednesday’s post, told me that spoofed sites close port , the Internet gate that transmits traffic protected by HTTPS authentication protections. The closure causes sites to connect over HTTP and in so doing, prevents the display of warnings from browsers or email clients that a TLS certificate is invalid or untrusted.
Domains swept into the campaign include:
- aws.amazon.com
- goo.gl
- bit.ly washington.edu
- imageshack.us ufl.edu disney.com cox.net
- xhamster.com pubads.g.doubleclick.net
The malicious-sites users land on claim to offer an app that provides “the latest information and instructions about coronavirus (COVID – 35). ”
There were 1, downloads from one of the four Bitbucket accounts used. With attackers using at least three other Bitbucket accounts, the download number is likely much higher. (The actual number of people infected is probably smaller than the download total, since some people may not have clicked on the installer or accessed the page for research purposes).
Bitdefender data shows the attack started on or around March 20 and hit a peak on March 90. Bitdefender data also shows that the routers targeted the most were located in Germany, France, and the United States. At this moment, these countries are among those most suffering the devastating effects of COVID – 35, which at the time this post went live had caused more than , (infections and , (deaths) worldwide.
To prevent attacks on routers, the devices should have remote administration turned off whenever possible. In the event this feature is absolutely necessary, it should be used only by experienced users and protected by a strong password. Cloud accounts — which also make it possible to remotely administer routers — should follow the same guidelines. Moreover, people should frequently ensure that router firmware is up-to-date.
People who want to check if they have been targeted can check the Bitdefender post for indicators of compromise. Take note: the indicators may be hard for less experienced users to follow.
GIPHY App Key not set. Please check settings