Avast warns of DNS hijacking

    Antivirus vendor Avast has issued a warning about vulnerable routers being exploited to redirect web traffic to phishing websites, install cryptomining scripts and serve malicious advertising.

    Earlier in the year, the Australian Cyber Security Centre (ACSC), a federal government agency, announced that it was aware of a global Domain Name System (DNS) infrastructure hijacking campaign and released a statement outlining best practices for how organisations can protect their systems.

    Cybercriminals use cross-site request forgery (CSRF) attacks to make the victim's own browser send commands to the router's administration interface without the user's knowledge. Known router exploit kits used in these attacks include GhostDNS, Novidade, and SonarDNS.

    So far in 2019, Avast says it has stopped more than 70,000 GhostDNS attacks.

    The GhostDNS exploit kit is very popular in many parts of the global underground hacking scene, and some of its variants are among the most active exploit kits targeting routers in 2019. The GhostDNS variant Novidade attempted to infect Avast users' routers over 2.6 million times in February alone and was spread via three campaigns. According to Netlab360, GhostDNS is a complex system consisting of a phishing web system, a web admin system, and a rogue DNS system.

    The threat actors behind GhostDNS are trying to increase their success rate by locating routers through public mass scans of IP address ranges. The same rogue DNS servers, 195[.]128[.]124[.]131 and 195[.]128[.]126[.]165, detected by @bad_packets' honeypots were also spotted in other GhostDNS campaigns this year.

    A router CSRF attack is typically initiated when the user visits a compromised website carrying malicious advertising (malvertising), served to the site through third-party ad networks.

    When the victim visits the compromised site, they are redirected to a router exploit kit landing page, which launches the attack on their router automatically, in the background, without any user interaction.

    In many cases an exploit kit can successfully attack a router because it still uses a weak or default password. The kit first tries to discover the router's IP address on the local network, and then attempts to log in with a list of commonly used credentials.

    The credentials (user:password; nothing after the colon means a blank password) most commonly tried by these exploit kits include:

    • admin:admin

    • admin:

    • admin:12345

    • Admin:123456

    • admin:gvt12345

    • admin:password

    • admin:vivo12345

    • root:root

    • super:super

    Compromised routers can be reconfigured to use rogue DNS servers, which redirect victims to phishing pages that closely resemble real online banking sites. Most recently, Netflix has become a popular target domain for DNS hijackers.
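    The attack chain described above, modelled as an added example (this is not Avast's, Netlab360's or any exploit kit's code): a Python stand-in for a router's DNS-settings endpoint, once in the vulnerable form that checks only the credential, and once hardened with an Origin check and a per-session anti-CSRF token. The router addresses, the default password left on the device, the malvertising origin and the request shapes are assumptions made for the illustration; the credential list and the two rogue resolver addresses are the ones the article names.

```python
# Added example (not Avast's, Netlab360's or any kit's code): a model of the
# router admin endpoint that GhostDNS-style CSRF attacks abuse, in vulnerable
# and hardened form. The hosts, the unchanged default password, the
# Request/RouterState shapes and the malvertising origin are assumptions for
# the illustration; the credential list and rogue resolver IPs are the ones
# the article names.
import base64
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

ROUTER_HOSTS = {"192.168.1.1", "192.168.0.1"}   # assumed: the router's own addresses
DEFAULT_CREDS = [                                 # from the article's list
    ("admin", "admin"), ("admin", ""), ("admin", "12345"), ("Admin", "123456"),
    ("admin", "gvt12345"), ("admin", "password"), ("admin", "vivo12345"),
    ("root", "root"), ("super", "super"),
]
ROGUE_DNS = ["195.128.124.131", "195.128.126.165"]   # from the article, un-defanged


@dataclass
class Request:
    method: str
    headers: dict
    form: dict


@dataclass
class RouterState:
    user: str = "admin"
    password: str = "admin"   # constructed: never changed from the factory default
    dns: list = field(default_factory=lambda: ["8.8.8.8", "8.8.4.4"])
    sessions: dict = field(default_factory=dict)   # session id -> anti-CSRF token


def basic_auth_ok(req, state):
    """Decode an HTTP Basic header and compare it with the router credential."""
    hdr = req.headers.get("Authorization", "")
    if not hdr.startswith("Basic "):
        return False
    try:
        user, _, pw = base64.b64decode(hdr[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return user == state.user and hmac.compare_digest(pw, state.password)


def vulnerable_set_dns(req, state):
    """Checks only the credential. The browser attaches cached Basic-auth
    credentials to every request aimed at the router, including a hidden form
    auto-submitted by a malvertising page, so a cross-site POST passes."""
    if req.method != "POST" or not basic_auth_ok(req, state):
        return 401
    state.dns = [req.form["dns1"], req.form["dns2"]]
    return 200


def new_session(state):
    """Login step of the hardened router: returns (session id, anti-CSRF token)."""
    sid, token = secrets.token_hex(16), secrets.token_hex(16)
    state.sessions[sid] = token
    return sid, token


def hardened_set_dns(req, state):
    """Same endpoint with the two checks that stop a cross-site request."""
    if req.method != "POST" or not basic_auth_ok(req, state):
        return 401
    # 1. Origin (or Referer) must be the router itself, not a third-party page.
    origin = req.headers.get("Origin") or req.headers.get("Referer") or ""
    if urlparse(origin).hostname not in ROUTER_HOSTS:
        return 403
    # 2. The form must carry the session's token; an attacker's page cannot
    #    read it across origins, so it cannot forge it.
    sid = req.headers.get("Cookie", "").partition("session=")[2]
    expected = state.sessions.get(sid)
    if expected is None or not hmac.compare_digest(expected, req.form.get("csrf", "")):
        return 403
    state.dns = [req.form["dns1"], req.form["dns2"]]
    return 200


def make_request(user, pw, origin, dns, cookie="", csrf=""):
    """Build the POST a browser would send: Basic auth plus a DNS-change form."""
    token = base64.b64encode(f"{user}:{pw}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Origin": origin, "Cookie": cookie}
    return Request("POST", headers, {"dns1": dns[0], "dns2": dns[1], "csrf": csrf})


def run_kit(handler, state):
    """Replay the kit: try each default credential via a form submitted from
    the attacker's page. Returns the pair that worked, or None."""
    for user, pw in DEFAULT_CREDS:
        req = make_request(user, pw, "http://malvertising.example", ROGUE_DNS)
        if handler(req, state) == 200:
            return (user, pw)
    return None


if __name__ == "__main__":
    weak = RouterState()
    print("vulnerable:", run_kit(vulnerable_set_dns, weak), weak.dns)
    fixed = RouterState()
    print("hardened:  ", run_kit(hardened_set_dns, fixed), fixed.dns)
```

    Running the module replays the kit's credential loop against both handlers: the vulnerable router ends up pointed at the rogue resolvers after the first guess (admin:admin), while the hardened router rejects every forged submission with 403 even though the same default password is still set. The Origin and token checks stop only the cross-site path; a default password still lets anyone on the LAN log in directly, so changing it remains the first fix, and the ACSC guidance on DNS hygiene applies regardless of how the router is protected.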

    “The affected institutions are generally targeted due to their popularity, and the problem is that there is little that a company can do to avoid falling victim, apart from alerting their customers, as the phishing sites are located outside of the company’s domains,” said David Jursa, Threat Intelligence Analyst at Avast.