Slashdot Mirror


New Attack Hijacks DNS Traffic From 300,000 Routers

nk497 writes "Florida-based security firm Team Cymru said it was examining a widespread compromise of 300,000 consumer and small office/home office (SOHO) routers in Europe and Asia. The DNS server settings were changed to a pair of IP addresses, which correspond to Dutch machines that are registered to a company that lists its address in central London. The attack highlights the flaws in router firmware, the researchers said. 'It's not new as an issue to the InfoSec community but this is one of the biggest we've seen recently as it's quite insidious,' Cymru's Steve Santorelli said, adding the hack could let the attackers conduct man in the middle attacks, impersonating your bank, for example."

12 of 105 comments

  1. Re:Impersonating a bank is easy by rebelwarlock · · Score: 4, Funny

    That's forming a bank, not impersonating one.

  2. Exploit, or dumb users? by DigiShaman · · Score: 3, Interesting

    And just how are these 300,000+ routers being reprogrammed to use alternate malicious DNS settings? Is this conducted via some common firmware exploit, or dumb users leaving default admin password in place?

    --
    Life is not for the lazy.
    1. Re:Exploit, or dumb users? by EmperorArthur · · Score: 4, Interesting

      And just how are these 300,000+ routers being reprogrammed to use alternate malicious DNS settings? Is this conducted via some common firmware exploit, or dumb users leaving default admin password in place?

      Either is quite possible, though default password issues require that a PC on the LAN already be infected.

      Newer routers, especially the router/modem combo units, seem to have a randomly generated password that's printed on the device label. They also tend to come with WPA2 turned on with another randomly generated password that's also on the label. Proof that you can make devices more secure by default.

      --
      So let's pretend that we've just completed writing this code, as opposed to having just completed sabotaging it -Altera
    2. Re:Exploit, or dumb users? by Todd+Knarr · · Score: 4, Informative

      Some had the management UI accessible from the Internet, letting botnets probe routers and try common passwords directly (consumer routers have poor intrusion-reporting capabilities so the attempts are likely to go unnoticed). The majority, though, had URLs that can be accessed to change settings without requiring authentication. So the bad guys set up a site that exploits cross-site scripting bugs to cause your browser to access those URLs on the router when visiting the web site. That let them change the DNS servers without needing to crack the password, and the technique works no matter how strong a password you've set. The only way to avoid it is to avoid any router whose firmware is vulnerable. If you've got a vulnerable router that's supported by DD-WRT or OpenWRT, flashing the router with them is an option. The worst case is you brick the router and have to buy a new one, which is what you'd have to do if you didn't re-flash it.
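      A toy model of the settings endpoint this comment describes, added here as an example (not code from the article or any router vendor): an unauthenticated `/setdns` handler beside one that requires a session, a session-bound CSRF token in the form body, POST only, and a same-origin `Origin` header. All addresses, paths and the `ROUTER_ORIGIN` value are constructed.

```python
import hmac
import secrets

DEFAULT_DNS = ["192.0.2.53", "192.0.2.54"]   # constructed, RFC 5737 addresses
ROUTER_ORIGIN = "http://192.168.1.1"          # assumed admin UI origin

class VulnerableRouter:
    """Any request to /setdns rewrites the resolvers: no login, no CSRF check."""
    def __init__(self):
        self.dns = list(DEFAULT_DNS)

    def handle(self, req):
        if req["path"] != "/setdns":
            return 404
        self.dns = [req["params"]["primary"], req["params"]["secondary"]]
        return 200

class HardenedRouter:
    """Same endpoint, but it needs a logged-in session, a CSRF token bound to
    that session and sent in the body, a POST, and a same-origin Origin."""
    def __init__(self):
        self.dns = list(DEFAULT_DNS)
        self.sessions = {}   # session cookie -> CSRF token

    def login(self):
        sid, tok = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[sid] = tok
        return sid, tok

    def handle(self, req):
        if req["path"] != "/setdns":
            return 404
        if req["method"] != "POST":
            return 405
        tok = self.sessions.get(req.get("cookie"))
        if tok is None:
            return 401   # no session: nothing for the browser to auto-attach
        # A page on another site cannot read the token out of the admin UI.
        if not hmac.compare_digest(tok, req["params"].get("csrf", "")):
            return 403
        if req.get("origin") != ROUTER_ORIGIN:
            return 403   # form was submitted from some other site
        self.dns = [req["params"]["primary"], req["params"]["secondary"]]
        return 200

def forged_request(primary, secondary, cookie=None):
    """What the victim's browser sends when a third-party page auto-submits a
    form at the router: the router cookie is attached, but no token, and the
    third party's Origin (constructed values)."""
    return {"method": "POST", "path": "/setdns", "cookie": cookie,
            "origin": "http://third-party.example",
            "params": {"primary": primary, "secondary": secondary}}
```

      The vulnerable handler accepts the forged request outright; the hardened one rejects it even when the victim is logged in, because the token and the Origin header are the two things a page on another site cannot supply.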

    3. Re:Exploit, or dumb users? by Todd+Knarr · · Score: 4, Interesting

      No, as noted in the article they did not need to be logged into the router since the URLs used didn't require credentials. Yes, it's a horribly huge hole in security. Yes, it was left in undoubtedly because "the only way to get to those pages is through the login page so it's secure". Yaright.

    4. Re:Exploit, or dumb users? by DigiShaman · · Score: 2, Insightful

      Take SonicWALL for example. A business class router that forces you to create an admin password upon first setup. I'm guessing other home routers also offer this ability in addition to the examples you've mentioned?

      At the risk of sounding arrogant and condescending (not trying to be), most people should just let their ISP provide and manage firmware updates for them. That, or go with Apple Airport where firmware updates occur along with standard Apple updates. Point being, rather than the user having to hunt for the updates themselves, they should either be prompted to perform an easy update, or just let someone else manage the device for them. Normally if someone shits on their own machine, I could care less. But if their negligence causes them to shit all over the internet with malware, well that just isn't right.

      --
      Life is not for the lazy.
    5. Re:Exploit, or dumb users? by TubeSteak · · Score: 2, Funny

      Is this conducted via some common firmware exploit, or dumb users leaving default admin password in place?

      FTFS: The attack highlights the flaws in router firmware

      I'll admit, I'm a weirdo.
      I read more than the headline before I comment.

      --
      [Fuck Beta]
      o0t!
  3. Bank account hijacking is impossible by WaffleMonster · · Score: 2

    My bank is secure!!1!!!!

    Between generous application of padlock gifs designed to make me feel safe and an account-specific image letting me know I'm logging into my bank and not some imposter bank... it would be impossible to get hacked. They even say so on their web site.

    Remember years ago feeling bored and actually getting ahold of one of their "IT" guys, informing him of the dangers of requesting credentials directly from a home page loaded via HTTP... His response was ... drumroll... it is posted to a secure site so the credentials are encrypted and can't be compromised.

    There is no arguing with stupid or those who willfully subvert browser security features for marketing and/or checking off security boxes on the compliance chart even if you (should) know better.

    1. Re: Bank account hijacking is impossible by FireFury03 · · Score: 2

      The encrypted tunnel is created on submit, that is, you can have a login form on an http page and still submit encrypted via SSL if the form's action sends data via https.

      A non-HTTPS login page could be modified to submit the data to a different server instead of the bank's - by the time you realise, it's too late. Or some JS could be embedded in the page to send the data to a third party *as well* as the bank, and you'd never spot that unless you had firebug open. The latter attack can also be carried out by embedding HTTP objects in an HTTPS page, which isn't especially visible to the end user.

  4. use opendns by invictusvoyd · · Score: 2

    208.67.222.222 and 208.67.220.220
    and make http://www.opendns.com/welcome/ your homepage.
    Client settings should override router defaults.
    To be even safer use OpenWRT https://en.wikipedia.org/wiki/OpenWrt

  5. Re: wrong by emilv · · Score: 4, Interesting

    The system used by most Swedish banks:

    * The bank website gives you a random number as a challenge
    * You input the number to a device together with your PIN (some banks also require you to insert your card into the device)
    * You get a new number from the device that you input on a web page

    The web pages are obviously encrypted with HTTPS using an EV-SSL certificate.

    It used to be that the challenge was an account number or an amount but that is no longer the case due to the possibility of a replay attack.
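    The challenge-response flow described in this post, modelled as an added example (not any bank's real protocol): the bank issues a random challenge, the PIN-protected device answers with a code derived from a secret it shares with the bank, and the bank accepts each challenge only once, so a captured code cannot be replayed. The 8-digit truncated-HMAC construction, customer names and PIN are assumptions.

```python
import hashlib
import hmac
import secrets

def response_code(secret, challenge):
    """Device output: 8 digits taken from HMAC-SHA256(secret, challenge)."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"

class Token:
    """The PIN-protected device; the secret never leaves it (constructed)."""
    def __init__(self, secret, pin):
        self._secret = secret
        self._pin_hash = hashlib.sha256(pin.encode()).digest()

    def respond(self, challenge, pin):
        given = hashlib.sha256(pin.encode()).digest()
        if not hmac.compare_digest(given, self._pin_hash):
            return None   # wrong PIN: nothing to type into the web page
        return response_code(self._secret, challenge)

class Bank:
    """Issues a fresh random challenge per login and accepts each one once."""
    def __init__(self):
        self.secrets = {}   # customer -> secret shared with their device
        self.pending = {}   # customer -> outstanding challenge

    def enroll(self, customer):
        self.secrets[customer] = secrets.token_bytes(32)
        return self.secrets[customer]   # provisioned into the device

    def challenge(self, customer):
        c = f"{secrets.randbelow(10**8):08d}"
        self.pending[customer] = c
        return c

    def verify(self, customer, code):
        c = self.pending.pop(customer, None)   # consumed on first use, pass or fail
        if c is None:
            return False   # no live challenge: a replayed or stale code
        return hmac.compare_digest(code, response_code(self.secrets[customer], c))
```

    Because the challenge is random and consumed on first use, a code observed on the wire is useless a second time; the web page still has to be served over HTTPS, as the post notes, or the challenge and response could be relayed to a live session.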

  6. Re:So how to impersonate a bank ? by Anonymous Coward · · Score: 5, Funny

    Alright wiseguy, share with us details on how to impersonate a bank then ...

    https://www.mtgox.com/