Hacker Group Has Been Hijacking DNS Traffic On D-Link Routers For Three Months [Update] (zdnet.com)
An anonymous reader quotes a report from ZDNet: For the past three months, a cybercrime group has been hacking into home routers -- mostly D-Link models -- to change DNS server settings and hijack traffic meant for legitimate sites and redirect it to malicious clones. The attackers operate by using well-known exploits in router firmware to hack into vulnerable devices and make silent changes to the router's DNS configuration, changes that most users won't ever notice. Targeted routers include the following models (the number to the side of each model lists the number of internet-exposed routers, as seen by the BinaryEdge search engine): D-Link DSL-2640B - 14,327; D-Link DSL-2740R - 379; D-Link DSL-2780B - 0; D-Link DSL-526B - 7; ARG-W4 ADSL routers - 0; DSLink 260E routers - 7; Secutech routers - 17; and TOTOLINK routers - 2,265.
Troy Mursch, founder and security researcher at internet monitoring firm Bad Packets, said he detected three distinct waves during which hackers have launched attacks to poison routers' DNS settings -- late December 2018, early February 2019, and late March 2019. Attacks are still ongoing, he said today in a report about these attacks. A normal attack would look like this:
1. User's computer or smartphone receives wrong DNS server settings from the hacked router.
2. User tries to access legitimate site.
3. User's device makes a DNS request to the malicious DNS server.
4. Rogue server returns an incorrect IP address for the legitimate site.
5. User lands on a clone of the legitimate site, where he might be required to log in and share his password with the attackers. Update: 04/05 16:45 GMT by M : The story adds, "According to Stefan Tanase, security researcher at Ixia, these campaigns have hijacked traffic meant for Netflix, Google, PayPal, and some Brazilian banks, and have redirected users to clone sites, hosted over HTTP, on the networks of known bulletproof hosting providers."
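Step 1 of the chain above is the one a user can actually check for: the hijacked router hands out a resolver that is not the router itself. The script below is an added example, not code from the ZDNet report or from Bad Packets; it parses a dhclient-style lease file and a resolv.conf, compares every resolver against the address you expect (normally the router's LAN IP), and marks any that match the four rogue resolver IPs from the Bad Packets report (quoted in a comment further down). The lease and resolv.conf contents are constructed for the example; the file paths in the usage line are the usual Linux ones but may differ on your system.

```shell
#!/bin/sh
# Added example (not from the ZDNet report or the Bad Packets write-up).
# Detects step 1 of the hijack chain: the router's DHCP server handing out a
# resolver other than the one you configured.

# Resolver IPs reported as rogue in the Bad Packets report; extend as needed.
ROGUE_RESOLVERS="66.70.173.48 144.217.191.145 195.128.126.165 195.128.124.131"

# Print the resolvers a dhclient lease file hands out, one per line.
# Lease lines look like:  option domain-name-servers 66.70.173.48,8.8.8.8;
dhcp_resolvers() {
    sed -n 's/^[[:space:]]*option domain-name-servers[[:space:]]*\(.*\);/\1/p' "$1" \
        | tr ',' '\n' | awk 'NF { gsub(/ /, ""); print }'
}

# Print the resolvers in a resolv.conf-style file, one per line.
resolvconf_resolvers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Return 0 if the IP is on the rogue list, 1 otherwise.
is_rogue() {
    for r in $ROGUE_RESOLVERS; do
        [ "$r" = "$1" ] && return 0
    done
    return 1
}

# check_resolvers EXPECTED FILE...: returns 0 if every resolver found in the
# files is EXPECTED; otherwise prints each offending resolver, flags the
# known-rogue ones, and returns 1.
check_resolvers() {
    expected="$1"; shift
    bad=0
    for f in "$@"; do
        if grep -q 'domain-name-servers' "$f"; then
            list=$(dhcp_resolvers "$f")
        else
            list=$(resolvconf_resolvers "$f")
        fi
        for ip in $list; do
            [ "$ip" = "$expected" ] && continue
            if is_rogue "$ip"; then
                echo "ROGUE      $ip (known hijack resolver) in $f"
            else
                echo "UNEXPECTED $ip in $f"
            fi
            bad=1
        done
    done
    return $bad
}

# Constructed sample inputs (not real captures) so the script runs offline.
TMP=$(mktemp -d)
cat > "$TMP/dhclient.leases" <<'EOF'
lease {
  interface "eth0";
  fixed-address 192.168.0.23;
  option routers 192.168.0.1;
  option domain-name-servers 66.70.173.48,144.217.191.145;
}
EOF
cat > "$TMP/resolv.conf" <<'EOF'
nameserver 192.168.0.1
EOF

# Usage on a real client: check_resolvers <router LAN IP> \
#   /var/lib/dhcp/dhclient.leases /etc/resolv.conf
check_resolvers 192.168.0.1 "$TMP/dhclient.leases" "$TMP/resolv.conf" \
    || echo "DNS settings look hijacked; log in to the router and inspect its DNS/DHCP config"
```

A clean result only proves the client was handed the router's address; the router's own upstream resolver setting must be inspected separately, since the attack changes exactly that field on the device.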
It's D-Link. And TOTO for Christ's sake! How can that be wrong?
Routers should only allow DNS queries to DNS servers they are configured to use.
I do this manually on the routers I maintain by blocking all DNS requests and then only allowing the DNS servers that are authorized.
This is basic security.
My eyes reflect the stars and a smile lights up my face.
very seriously folks.
That is all.
More like Pee-Link.
The poisoned DNS servers:
66.70.173.48
144.217.191.145
195.128.126.165
195.128.124.131
Politics; n. : A religion whereby man is god.
Are there particular ISPs or countries more affected?
I use OpenWRT on my router, so I'm not concerned. Even more so, since my router is a Linksys ;-)
Or Russians. Or democrats.
Ne'er-do-wells who need to be in prison forever.
Corporatism != Free Market
Secutech routers
Based on not so secure technology
Rick B.
I recently dumped a damn reliable asus router (n56u) after they stopped updating it and decided to go with a router that supported openwrt simply because of the huge amount of router based hacks recently.
You simply CANNOT trust the default firmware in routers any longer
Seriously, the commercial stuff is, as usual, cheapest possible. There is no risk to them usually (for a counter-example, see Boeing at the moment, but even mass-murder will likely let them get away with a slap on the wrist), so security is not a concern. Because security costs money and usually is quite invisible to the customer. Add to that that customers are stupid and will buy the same brands again that just screwed them over, and the situation is explained nicely.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Hosts files protect vs. router DNS redirect (@ router level, @ IP stack level as in DNSChanger malware OR if remote DNS is redirect poisoned (kaminsky flaw)) by doing hardcoded favorite sites where you spend MOST time online @!
This assures you of reaching the proper destination/site you intended to reach (not a malicious doppelganger) & to verify addresses you use you can test on another system (preferably one on a diff. ISP than you use @ home, say a work one OR a pal's system, to verify hardcodes).
For the BEST such hosts file, multithreaded & multiplatform:
APK Hosts File Engine 2.0++ 64-bit for Linux http://apk.it-mate.co.uk/APKHostsFileEngineForLinux.zip
APK Hosts File Engine 10++ SR-1 32/64-bit for Windows https://hosts-file.net/?s=Down...
APK
P.S.=> You also RESOLVE FASTER this way, by FAR as well as being safer vs. such exploits (double-bonus!)... apk
FACT: Then browsers are subverting a proven for almost 50 yr. working IP stack design! This is EASY to FIX (since it's stupid usermode complexity for breakdown/exploit & inefficient + WHY):
Especially the redundant WASTE & in SLOWER usermode!
DUMB again for another thing!
Why subvert a FASTER kernelmode native TCP/IP stack w/ 45++ yrs. of refinement in it that WORKS or even systemd/launchd already doing that in a Windows-like slower usermode dnscache client (busted on larger hosts files & other security issues too).
Easy to get around though via:
FF about:config
network.dnsCacheEntries 0
network.trr.mode to 5 (SHUTS IT OFF)
network.trr.uri (set to 208.67.222.222)
Chrome also has a way to turn this off, just turn "Data Saver" off (credit green1 https://tech.slashdot.org/comm... )
APK
P.S.=> Each of which is another ALSO DUMBO thing to do vs. hosts cached in PURE KERNELMODE (diskcache subsystems + the IP stack itself hosts is part of)... apk
Nothing I do is EVER a joke: What I do works vs. threats: US DHS issues DNS redirect is HUGE danger (not w/ hosts vs.) https://threatpost.com/gov-war... & ICANN ISSUES SAME WARNING https://tech.slashdot.org/stor...
* Now, "shoo, lil' troll"...
(Hosts DO protect you vs. that threat & IP stack DNSChanger resets & YES, poisoned routers (since YOU make the requests hardcoded in hosts, avoiding DNS issues in security & slower resolutions).
APK
P.S.=> Between THIS reply to you & my other one here https://it.slashdot.org/commen... I put you away easily (OR are you telling us SLOWER, buggy, INEFFICIENT usermode COMPLEXITY is good engineering? It's not - GOOD engineering is SIMPLE & EFFECTIVE - not complexity for worse performance, resource waste & EXPLOITATION in more moving parts to breakdown OR exploit)... apk
See subject: Make SURE your DNS you use is Kaminsky redirect poisoning patched - OpenDNS is & they filter vs. threats too, acting as another layer of defense vs. malware IF hosts don't have the protective entries (or your firewall via IP address & ranges it can block)
Plus, VICE VERSA as 1 thing I've noticed - NO SINGLE SOURCE is the "ultimate 'perfect' filter"!
WHY my program uses 8 to merge together from reputable & reliable SECURITY COMMUNITY SOURCES!
I go "above & beyond" that & hit the SECURITY SITE ARTICLES DAILY (100 of them & find another 200++/day more that way too that are NOT in "std. hosts file format").
ICANN = another (not sure if they filter vs. threats like OpenDNS does, hence why I chose that one) & I KNOW the Root 13 DNS main servers ARE patched vs. kaminsky redirect poisonings too.
APK
P.S.=> 95++% of ISP DNS, to this very day, though a patch has existed since iirc, 2010, AREN'T - stupid... apk
1) Never use a router with stock firmware. Use Tomato, OpenWRT, etc.
2) Change default passwords and make them strong.
3) Change DNS to use DNSSEC and verify server certs before using them
4) Redirect all DNS queries from LAN to your router (use IPTables)
5) drop all from WAN (make it air-tight)
It's worth understanding the above if you want adequate security.
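Steps 4 and 5 above, and the earlier comment's "block all DNS, then allow only the authorized servers", come down to a handful of iptables rules. The script below is an added example, not code from any commenter; the interface names (LAN_IF, WAN_IF) and the router address (ROUTER_IP) are placeholders you must set for your own router, and it assumes the router runs its own forwarding resolver (dnsmasq on OpenWrt/Tomato) on port 53. It prints the rules by default and only applies them with DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from any comment in this thread). Forces every LAN DNS
# query to the router's own resolver and drops unsolicited WAN traffic.
# LAN_IF, WAN_IF and ROUTER_IP are assumed placeholders; set them for your box.
LAN_IF="${LAN_IF:-br-lan}"
WAN_IF="${WAN_IF:-eth0}"
ROUTER_IP="${ROUTER_IP:-192.168.1.1}"

# Rules are emitted as text so they can be reviewed before they are applied.
dns_redirect_rules() {
    for proto in udp tcp; do
        # A LAN client that hard-codes some other resolver (or that a hijacked
        # DHCP answer pointed elsewhere) is transparently sent to the router.
        echo "iptables -t nat -A PREROUTING -i $LAN_IF -p $proto --dport 53 ! -d $ROUTER_IP -j DNAT --to-destination $ROUTER_IP:53"
        # Belt and braces: any port-53 traffic that still tries to leave is dropped.
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p $proto --dport 53 -j DROP"
    done
}

wan_drop_rules() {
    # Replies to connections the LAN initiated are allowed; everything else
    # arriving on the WAN side, including the router's own admin UI, is dropped.
    echo "iptables -A INPUT -i $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i $WAN_IF -j DROP"
    echo "iptables -A FORWARD -i $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $WAN_IF -j DROP"
}

all_rules() {
    dns_redirect_rules
    wan_drop_rules
}

# Number of rules that would be installed; a quick sanity check before applying.
rule_count() {
    all_rules | wc -l | tr -d ' '
}

# DRY_RUN=1 (default) prints the rules; DRY_RUN=0 executes them with sh -e,
# so the first failing iptables command stops the run.
apply_rules() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        all_rules
    else
        all_rules | sh -e
    fi
}

apply_rules
```

Two caveats: the redirect only helps if the router's own upstream resolver is one you trust, which is precisely the setting this campaign rewrites, so verify it after flashing and after every firmware update; and port-53 rules do nothing for DNS over HTTPS or DNS over TLS (443 and 853), which bypass the router's resolver by design.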
I've had several D-Link products over the years, both personally and professionally, and don't recommend them. From switches dying prematurely with cheap, noisy fans to consumer routers turning into doorstops. And this is just the hardware, let alone the firmware that has a nice interface but turns out to be buggy.
Their only claim to fame was the venerable WRT54G, which was one of the first (if not the first) router that wonderful people created custom firmware for that brought some great features to a consumer grade product. I still have one kicking around somewhere. ...but I'm sure that everyone here knows what I'm talking about.
You could help a brother out and name some secure routers... jus' sayin'...
Man! That's what we all need to put this stupid censorship argument to rest once and for all!
And if we ever develop ad hoc networking, we won't have to worry about DNS. For now, keep your own cache.