Well this is just peachy – cybercriminals are actively using a malvertising campaign that infects routers and even Android devices. If the router is pwned, then every device connected to that router is pwned.
Proofpoint researchers warned that cyber thugs are using a new and improved version of the DNSChanger exploit kit (EK) for this malvertising campaign.
Generally, malvertising involves an attacker injecting malware into ads which can infect via browsers and attack a victim’s computer after simply visiting an affected page. Earlier this year, people were hit with malvertising just by visiting popular high-profile sites such as The New York Times, The Hill, MSN, BBC, NFL, AOL, Newsweek and my.xfinity.com. But this time, the malvertising exploit kit is aimed at routers.
Proofpoint reported:
DNSChanger attacks internet routers via potential victims’ web browsers; the EK does not rely on browser or device vulnerabilities but rather vulnerabilities in the victims' home or small office (SOHO) routers. Most often, DNSChanger works through the Chrome browser on Windows desktops and Android devices. However, once routers are compromised, all users connecting to the router, regardless of their operating system or browser, are vulnerable to attack and further malvertising.
For this campaign, cyber-savvy crooks purchase ads on legitimate sites and stuff them with malicious JavaScript. The nasty JavaScript sends a WebRTC (Real-Time Communications) request to a Mozilla STUN server, which can detect a victim’s local IP address.
If the attackers already know that IP, or if it is not one in the targeted ranges, then the victim is served a legitimate ad while the attackers go after the next victim.
Otherwise, an infected fake ad is displayed which contains code that redirects the victim to the DNSChanger EK. After the IP address is checked again, the researchers said, the exploit kit “loads multiple functions and an AES key concealed with steganography in a small image.”
Those functions include fingerprinting, so that the victim’s browser reports back on which router is in use, and pushing out instructions to attack that router. Currently, this malvertising campaign is using 166 router fingerprints. If an exploit is not known, the attack tries default credentials; otherwise, known exploits are used to change DNS entries and make administration ports remotely accessible. Doing so opens the router to further attacks, such as by Mirai botnets.
Proofpoint wrote, “We were able to confirm that the attack is carried out properly on Google Chrome for Windows as well as for Android.”
If you’d like the whole big picture of this malvertising campaign, Proofpoint came up with a graphic which shows the complete attack chain.
While you might like to know what routers are on the hit list, the researchers don’t yet have a “definitive list of affected routers.” They did see attacks successfully opening administration ports on 36 router models. They know the following routers are definitely vulnerable:
- D-Link DSL-2740R
- COMTREND ADSL Router CT-5367 C01_R12
- NetGear WNDR3400v3 (and likely other models in this series)
- Pirelli ADSL2/2+ Wireless Router P.DGA4001N
- Netgear R6200
They had not yet seen evidence of the exploit kit going after the remotely exploitable Netgear routers that US-CERT originally advised users to stop using (advice later softened to disabling the web server), or the routers on the confirmed list of vulnerable models compiled by Netgear.
“In many cases, simply disabling remote administration on SOHO routers can improve their security,” Proofpoint wrote. “In this case, though, attackers use either a wired or wireless connection from a device on the network. As a result, the attackers do not need the remote administration to be turned on to successfully change the router settings.”
Although there’s no simple way to protect against this malvertising campaign, the researchers advised applying the latest router firmware updates to avoid exploits. Other suggestions included changing the default local IP range or using ad-blocking browser add-ons.
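Because the kit’s end goal is rewriting DNS entries, one check a defender can run on any client is to audit the resolvers the network handed out. The script below is an added example, not Proofpoint’s code: it parses resolv.conf-style text (constructed samples are embedded) and flags any nameserver that is neither on the LAN nor on an operator-maintained allowlist, which is an assumption you replace with your own trusted resolvers.

```python
import ipaddress

# Constructed allowlist: the public resolvers this operator knowingly uses
# (an assumption for the example; replace with your own).
TRUSTED_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}


def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify_resolver(addr, lan_network):
    """'lan' (router or LAN host), 'trusted' (allowlisted), else 'suspicious'."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "suspicious"  # not even a valid address
    if ip in ipaddress.ip_network(lan_network, strict=False):
        return "lan"
    if str(ip) in TRUSTED_RESOLVERS:
        return "trusted"
    return "suspicious"  # unknown resolver: the classic DNS-hijack indicator


def audit_resolvers(resolv_conf_text, lan_network="192.168.1.0/24"):
    """Map each configured resolver to its class; suspicious ones need review."""
    return {s: classify_resolver(s, lan_network)
            for s in parse_nameservers(resolv_conf_text)}


def is_hijack_suspected(resolv_conf_text, lan_network="192.168.1.0/24"):
    return "suspicious" in audit_resolvers(resolv_conf_text, lan_network).values()


# Constructed samples, not real captures.
CLEAN = "# resolver handed out by DHCP is the router itself\nnameserver 192.168.1.1\n"
HIJACKED = "nameserver 203.0.113.77  # unknown public address\nnameserver 192.168.1.1\n"

if __name__ == "__main__":
    for label, text in (("clean", CLEAN), ("hijacked", HIJACKED)):
        print(label, audit_resolvers(text), "hijack suspected:", is_hijack_suspected(text))
```

When the only resolver listed is the router itself, repeat the check against the router’s upstream DNS settings in its admin interface, since DNSChanger rewrites those on the router rather than on the client.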