Over the past years, cybercriminals have gone to extreme lengths to compromise users' security, no matter how big or small the target, and today is no different: they have built a web-based tool aimed at hijacking routers through compromised websites or malicious advertisements. The automated tool can take over a router simply through the victim's web browser.
Once attackers gain access to a router, they replace the Domain Name System (DNS) servers configured on it with rogue servers under their control. That lets them intercept traffic, redirect or spoof websites, alter search results, inject rogue ads into pages and much more.
DNS works in a systematic way. When a user types a website name and presses Enter, the browser asks the operating system for the site's IP address. The OS sends the query to the resolver it was handed by DHCP, which on a home network is normally the router; the router forwards the query to the DNS servers configured on it, typically your ISP's, and those servers chase the answer through the DNS hierarchy until they reach the authoritative server for the domain entered. DNS is often referred to as the Internet's phone book.
If attackers can intrude on this process at any point, they can answer with a malicious IP address, tricking the browser into believing the website lives on servers the attacker controls. They can then serve look-alike Facebook or bank login pages to harvest credentials. The one obstacle is HTTPS: a spoofed server cannot present a valid certificate for the real domain, so the browser shows a warning, and the spoof works cleanly only against plain-HTTP pages or users who click through that warning.
One independent security researcher identified a bizarre drive-by attack launched from hacked websites, redirecting users to a web-based exploit kit built with the specific goal of targeting victims' routers.
On underground darknet markets today, most exploit kits sold by cybercriminals target vulnerabilities in outdated browsers or plugins such as Flash, Java and Adobe Reader. The newly revealed kit takes a different angle, targeting a higher-value piece of hardware: the router.
Researcher Kafeine identified the attacks, stating the methodology is entirely different from what they've seen in the past. During testing, he found Google Chrome redirected to a malicious webpage that loaded code specifically designed to determine the victim's router model and begin replacing its DNS servers with attacker-owned servers.
It's quite common for people around the world to believe their router manages itself and is exempt from attack, or not to know what a router is at all, which makes this attack far more dangerous. Many also believe hackers cannot attack a web-based administration panel because it is only reachable from the local network.
False! Such attacks are entirely possible and occur often through a technique known as cross-site request forgery (CSRF), in which a malicious website makes the visitor's browser submit requests to another site on the visitor's behalf. Since the victim's browser already sits on the local network, the target can be the router's administration panel even though that panel is only reachable from the local network.
Much of the web today has defences against CSRF in place, but routers often lack such protection entirely, or have little of it. Why would they, right?
The drive-by exploit identified by Kafeine uses cross-site requests to fingerprint some 40 router models from a variety of vendors, including Asustek Computer, Belkin, D-Link, Edimax Technology, Linksys, Medialink, Microsoft, Netgear, Shenzhen Tenda Technology, TP-Link Technologies, Netis Systems, Trendnet, ZyXEL Communications and HooToo.
Depending on the detected model, the tool then tries to alter the router's DNS settings either by exploiting known vulnerabilities or by logging in with the most common administrator credentials. Many routers ship with passwords such as admin/password or admin/admin, among a long list of other well-known combinations.
If the tool gets into a router, it sets the primary DNS server to an attacker-controlled server and Google's public DNS as the secondary, or failover, server. The router therefore keeps working even if the rogue DNS server is abruptly taken offline or moved: queries simply fall over to a fast, legitimate resolver. Victims have no reason to suspect their router has been hijacked and will presumably leave it as it is.
According to Kafeine, the exploit abuses known vulnerabilities in a number of vendors' products, but he doubts that many users have patched those older security flaws, leaving them vulnerable to this latest attack. The reason is that routers usually have to be updated manually, which requires a certain level of technical know-how.
The attack appears to be running on a massive scale: during the first week of May the malicious website recorded around 250,000 unique visitors, with a staggering one million visitors on May 9th alone. The reason for the traffic spike is currently unknown, but it could be a popular website having been compromised to redirect its visitors to the attackers' domain.
Currently the U.S., Russia, Australia, Brazil and India are among the most affected countries, but the attack targets Internet users across the globe.
To protect yourself, we recommend you check for firmware updates on your router from time to time and go through the trouble of installing them, especially when they contain security patches. Since this kit also gets in with factory-default logins, change the default administrator password, log out of the admin panel when you are done so a stray page cannot ride your session, and glance at the DNS servers listed in the router's settings: anything other than your ISP's resolvers or ones you chose yourself is a red flag. An up-to-date, properly configured router is one of the best investments you can make in your security and privacy. If you don't know how to update your router, look up your vendor and model online. Or, if you don't want to wrestle with the pre-set configuration, you can always grab a new device from a big-box retailer and learn how to set it up out of the box.
Stay on the lookout for this tricky web-based attack: the tool is automated and built to hijack your router, a prized piece of hardware for any cybercriminal.