04 Mar 2014

Global Attack Compromises 300,000 SOHO Routers

More than 300,000 devices have been compromised in a small office/home office (SOHO) pharming campaign affecting Europe and Asia, according to a recent Cymru report.

Attackers altered the DNS settings of the affected Wi-Fi routers so that DNS requests are sent to new IP addresses under their control, redirecting victims to the attackers’ domains. By exploiting vulnerabilities in the routers’ firmware, the attackers could also obtain the users’ stored router login credentials.

A wide range of device models were affected, including models from D-Link, Micronet, Tenda, TP-Link and other manufacturers. Compromised routers were mainly in Vietnam, Italy, Thailand, Indonesia, Colombia, Turkey, Ukraine, Bosnia and Herzegovina and Serbia.

A similar technique was exposed by CERT Poland researchers. DNS servers were used in a two-stage attack against customers of the Polish mBank and four other Polish banks. Hackers compromised some 80 routers and used socially engineered text messages to mislead victims into transferring money into the hackers’ accounts.

“These compromises are a good reminder that DNS can be abused for malware command and control and data exfiltration as well as the man-in-the-middle techniques observed here,” Cymru researchers said. “DNS settings should be corporately controlled and potentially set at the host level as part of a secure, baseline exfiltration. Individual users should not have the privileges to choose their own DNS settings.”
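As an added example, not part of the original article or of Team Cymru’s report, the following Python script shows the kind of host-level check that the quoted recommendation implies and that would surface the router tampering described above: it parses the resolver addresses a device has been handed and flags any that are not on an approved baseline list. The approved resolvers, the internal address range, the two configuration formats and the sample configurations are all constructed assumptions for the demonstration; the rogue addresses use documentation ranges rather than real infrastructure.

```python
import ipaddress

# Constructed baseline (assumption): the only resolvers the organisation permits.
APPROVED_RESOLVERS = {
    "10.0.0.53",   # primary internal resolver (constructed)
    "10.0.1.53",   # secondary internal resolver (constructed)
}

# Constructed (assumption): address space considered "internal".
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_dns_settings(text):
    """Extract resolver addresses from two simple formats:
    resolv.conf-style 'nameserver <ip>' lines and a 'dns=<ip>,<ip>' key/value
    line (a constructed stand-in for a router configuration dump)."""
    resolvers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith("nameserver"):
            parts = line.split()
            if len(parts) >= 2:
                resolvers.append(parts[1])
        elif line.lower().startswith("dns="):
            resolvers.extend(v.strip() for v in line[4:].split(",") if v.strip())
    return resolvers


def audit_resolvers(resolvers):
    """Classify each configured resolver against the baseline.
    Returns a list of (resolver, verdict) pairs in configuration order."""
    findings = []
    for r in resolvers:
        try:
            addr = ipaddress.ip_address(r)
        except ValueError:
            findings.append((r, "invalid"))
            continue
        if r in APPROVED_RESOLVERS:
            findings.append((r, "approved"))
        elif any(addr in net for net in INTERNAL_NETWORKS):
            # Inside our space but not on the baseline: worth a ticket, not an alarm.
            findings.append((r, "internal-but-unapproved"))
        else:
            # An external resolver that the baseline never set: the signature of
            # a router whose DNS settings were changed behind the user's back.
            findings.append((r, "rogue"))
    return findings


def is_hijacked(text):
    """True when at least one configured resolver is outside the baseline entirely."""
    return any(verdict == "rogue" for _, verdict in audit_resolvers(parse_dns_settings(text)))


# Constructed sample: a host that received the expected baseline resolvers.
HEALTHY_CONFIG = """\
# generated by the management agent (constructed sample)
nameserver 10.0.0.53
nameserver 10.0.1.53
"""

# Constructed sample: a router config dump after tampering. The addresses are
# from documentation ranges (RFC 5737) and stand in for attacker resolvers.
HIJACKED_ROUTER_CONFIG = """\
lan_ip=192.168.1.1
dns=203.0.113.5, 198.51.100.7
"""

if __name__ == "__main__":
    for label, cfg in (("healthy host", HEALTHY_CONFIG), ("router dump", HIJACKED_ROUTER_CONFIG)):
        print(label, "hijacked" if is_hijacked(cfg) else "clean",
              audit_resolvers(parse_dns_settings(cfg)))
```

The check only sees what the host was given, so on a network where a compromised router also serves DHCP, the host’s resolver list is exactly the attacker’s list; running the audit from the host, against a baseline the router cannot rewrite, is what makes it useful, and a “rogue” verdict is a reason to inspect the router rather than the host.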

Team Cymru Community Services is an Illinois-based non-profit and US federal organization that focuses on community service activities.