A recently observed malvertising campaign is focused on compromising user’s home routers rather than exploiting vulnerabilities in their browsers.
Carried out by the actors behind the DNSChanger exploit kit (EK), the campaign doesn’t target browser or device vulnerabilities, but attempts to infect home or small office (SOHO) routers instead. The attackers use an improved version of the DNSChanger, which usually works through the Chrome browser on Windows desktops and Android devices, Proofpoint security researchers reveal.
Once the targeted router has been compromised, however, users are exposed to further malvertising, regardless of the device, operating system, or browser they use. The security researchers also note that the attacks on routers happen in waves likely associated with ongoing malvertising campaigns lasting several days, and they appear related to the “CSRF (Cross-Site Request Forgery) Soho Pharming” operations in the first half of 2015.
Compared to the previous attacks, however, the new campaigns show improvements such as the use of external DNS resolution for internal addresses. The attackers also use steganography to conceal an AES key to decrypt the list of fingerprints / default credentials and local resolutions, as well as the layout for the commands sent to attack the targeted routers.
The campaign has grown from 55 fingerprints last year to 166, some of which are working for several router models, and the malvertising chain is now accepting Android devices as well, the security researchers explain. What’s more, the EK was observed changing network rules to make the administration ports available from external addresses, thus opening the door to additional attacks, including those perpetrated by Mirai botnets, Proofpoint has discovered.
The attacks begin with a malicious advertisement hosted on a legitimate website, unknowingly distributed via legitimate ad agencies. Targeting both desktop and mobile users, the malvertising sends traffic to the DNSChanger EK, which users webRTC to request a STUN server and determine the victim’s local IP address, as the attack is carried out only if the IP isn’t known or is in a targeted range, otherwise the victim is directed to a legitimate advertisement from a third party ad agency.
However, if the required conditions are met, a fake ad is displayed, and JavaScript code is used to extract HTML code from a PNG file, redirecting victims to the landing page of DNSChanger. The EK once again checks the IP address, then loads multiple functions and an AES key concealed with steganography in a small image. Next, the browser is used to locate and identify the router used in the network.
The router model detected during the reconnaissance phase dictates the attack, as the EK would attempt to use default credentials if there is no known exploit for that specific model. Otherwise, it would attempt to modify the DNS entries in the router and, when possible, to make administration ports available from external addresses, to expose the router to additional attacks.
The main goal of this attack, the security researchers say, is to steal traffic from some large web ad agencies including Propellerads, Popcash, Taboola, OutBrain, and AdSuppy.
The Proofpoint researchers also say that, while it’s difficult to provide a list of affected routers, “the most secure approach for end users is to consider that all known exploits are integrated in this kind of exploit kit, and thus all routers should be updated to the last known firmware.” Some of the newly added vulnerable models include D-Link DSL-2740R, COMTREND ADSL Router CT-5367 C01_R12, NetGear WNDR3400v3 (and likely other models in this series), Pirelli ADSL2/2+ Wireless Router P.DGA4001N, and Netgear R6200.
A zero-day exploit for the Netgear R7000, R6400 and others was revealed only recently, and Netgear has already started patching it. However, Proofpoint says that fingerprints associated with these models weren’t found in DNSChanger as of December 12, 2016. Even so, users are advised to disable the web server on affected Netgear routers, because exploits might be added soon.
“In many cases, simply disabling remote administration on SOHO routers can improve their security. In this case, though, attackers use either a wired or wireless connection from a device on the network. As a result, the attackers do not need the remote administration to be turned on to successfully change the router settings,” the security researchers say. They also suggest that ad-blocking browser add-ons could offer an additional layer of prevention when it comes to these attacks.
Related: Massive Stealthy Malvertising Campaign Uncovered
Related: RIG Replaces Neutrino in Massive Malvertising Campaigns