Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Brazilian ISPs Hit with Large-Scale DNS Attack

Millions of people in Brazil have potentially been exposed to malware as a result of a nationwide DNS attack. Additionally, several organizations in Brazil are reporting that network devices are also under attack. After being compromised remotely, scores of routers and modems had their DNS settings altered to redirect traffic. Police have arrested a 27-year-old ISP employee who is suspected to have taken part in the attacks.

Millions of people in Brazil have potentially been exposed to malware as a result of a nationwide DNS attack. Additionally, several organizations in Brazil are reporting that network devices are also under attack. After being compromised remotely, scores of routers and modems had their DNS settings altered to redirect traffic. Police have arrested a 27-year-old ISP employee who is suspected to have taken part in the attacks.

Brazil has some 73 million Web connected computers, with the top ISPs averaging 3-4 million customers each. “If a cybercriminal can change the DNS cache in just one server, the number of potential victims is huge,” said Kaspersky’s Fabio Assolini, who detailed the DNS attack in a report.

Brazil DNS Attacks at ISPThe attacks started last week, when millions of Brazilians were faced with redirections after accessing several popular local and international portals, including Google, YouTube, Uol, Terra, Globo, and Hotmail. In one case, Kaspersky observed a clean system being redirected from Google.com.br, to another destination after being told to install “Google Defence.”

“It asks the customer to download and install the so-called ‘Google Defence’ software required to use the search engine. In reality, though, this file is a Trojan banker detected by Kaspersky’s heuristic engine. Research into this IP highlighted several malicious files and exploits hosted there,” Assolini added.

From monitoring its install base, Kaspersky noted 800 attempts to access the malicious server, which were thwarted by its security measures. The exact number of victims in this DNS attack are unknown, however.

Across the country, organizations are reporting that network devices were compromised and had their DNS settings changed to join the existing DNS attack. In those cases, when employees of the affected companies tried to open any website they were requested to execute a malicious Java applet, which installed the same malware as Google Defense.

“We advise all affected users to update antivirus and all software in the computer (such as Java), also change the DNS configuration to other providers (such as Google DNS). In attacks against network devices we also recommend updating the firmware of the router and changing the default passwords,” Assolini explained.

While the DNS attacks rampaged, Brazil’s Federal Police arrested a 27-year-old who was an employee of a medium-sized ISP in the southern part of the country.

“Brazil has long had issues like this with various actors attacking the DNS infrastructure to plant malware. These are typically not “classic” cache-poisoning attacks done with botnets in a Kaminsky-style attack. Rather, they are much more straight forward as Assolini’s report implies,” Rod Rasmussen, President and CTO of IID told SecurityWeek.

Advertisement. Scroll to continue reading.

“Someone at an ISP is complicit, there are default passwords on servers or known vulnerabilities on various premise equipment that criminals can then use to crack them,” Rasmussen added. “Once they have access, they simply add bogus entries for lots of common domains to redirect users behind that equipment to the wrong site.”

It’s said that over a ten month period, the man arrested altered the DNS cache of his employer, which in turn directed all of its customers to the malicious server handing out the banking malware. Kaspersky suspects that similar internal compromises are happening across Brazil.

“Brazil has always stood a bit apart from the rest of the world in the way cyber-criminals operate and attack. Often times they precede other areas of the world by pioneering new techniques. For example, heavy use of malware tied to phishing was seen in Brazil for a couple years before it became popular elsewhere. Is this rash of DNS-based attacks a harbinger of things to come worldwide? Given the high effectiveness of the techniques, I would unfortunately predict that it is likely,” Rasmussen concluded.

Related Reading: Trouble Ahead – The Implementation Challenges for DNSSEC

Related Reading: Deploying DNSSEC – Four Ways to Prepare Your Enterprise for DNSSEC

Related Reading: Five Strategies for Flawless DNSSEC Key Management and Rollover

Related Reading: The Missing Ingredients for DNSSEC Success

Related Reading: Do Recent BGP Anomalies Shed a Light on What’s to Come?

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Professional services company Slalom has appointed Christopher Burger as its first CISO.

Allied Universal announced that Deanna Steele has joined the company as CIO for North America.

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

More People On The Move

Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Network Security

A zero-day vulnerability named HTTP/2 Rapid Reset has been exploited to launch some of the largest DDoS attacks in history.