Malvertising Campaign Infects Your Router Instead of Your Browser

An anonymous reader quotes a report from BleepingComputer: Malicious ads are serving exploit code to infect routers, instead of browsers, in order to insert ads in every site users are visiting. Unlike previous malvertising campaigns that targeted users of old Flash or Internet Explorer versions, this campaign focused on Chrome users, on both desktop and mobile devices. The malicious ads included in this malvertising campaign contain exploit code for 166 router models, which allow attackers to take over the device and insert ads on websites that didn't feature ads, or replace original ads with the attackers' own. Researchers haven't yet managed to determine an exact list of affected router models, but some of the brands targeted by the attackers include Linksys, Netgear, D-Link, Comtrend, Pirelli, and Zyxel. Because the attack is carried out via the user's browser, using strong router passwords or disabling the administration interface is not enough. The only way users can stay safe is if they update their router's firmware to the most recent versions, which most likely includes protection against the vulnerabilities used by this campaign. The "campaign" is called DNSChanger EK and works when attackers buy ads on legitimate websites and insert malicious JavaScript in these ads, "which use a WebRTC request to a Mozilla STUN server to determine the user's local IP address," according to BleepingComputer. "Based on this local IP address, the malicious code can determine if the user is on a local network managed by a small home router, and continue the attack. If this check fails, the attackers just show a random legitimate ad and move on. For the victims the crooks deem valuable, the attack chain continues. These users receive a tainted ad which redirects them to the DNSChanger EK home, where the actual exploitation begins. The next step is for the attackers to send an image file to the user's browser, which contains an AES (encryption algorithm) key embedded inside the photo using the technique of steganography. The malicious ad uses this AES key to decrypt further traffic it receives from the DNSChanger exploit kit. Crooks encrypt their operations to avoid the prying eyes of security researchers."

WebRTC

[Motherfucking+Shit]

which use a WebRTC request to a Mozilla STUN server to determine the user's local IP address

Yay, more garbage Web 3.0 anti-features! In Firefox, go to about:config and set these preferences:

media.peerconnection.enabled = false
media.peerconnection.video.enabled = false
media.peerconnection.turn.disable = true
media.peerconnection.use_document_iceservers = false

Summary is misleading

Because the attack is carried out via the user's browser, using strong router passwords or disabling the administration interface is not enough. The only way users can stay safe is if they update their router's firmware to the most recent versions, which most likely includes protection against the vulnerabilities used by this campaign.

Apparently anonymous reader didn't read the actual article, where it says:

The exploit packages contain vulnerabilities or list of hardcoded admin credentials that can allow the crooks to control the victim's local router.

Updating your firmware will not help with this. It is an issue of admin passwords being left at the default on 99.99% of routers. The admin password is used to change DNS settings on the router, which allows the attackers to redirect any traffic they want.