Ongoing DNS hijacking campaign targeting consumer routers

Over the last three months, our honeypots have detected DNS hijacking attacks targeting various types of consumer routers. All exploit attempts have originated from hosts on the network of Google Cloud Platform (AS15169). In this campaign, we’ve identified four distinct rogue DNS servers being used to redirect web traffic for malicious purposes.

First wave – December 29, 2018

The first DNS hijacking exploit attempts targeted multiple models of D-Link DSL modems, including:

The IP address of the rogue DNS server used in this attack was 66.70.173.48, hosted by OVH Canada.

Second wave – February 6, 2019

This wave targeted the same types of D-Link modems listed above. The rogue DNS server, 144.217.191.145, was again hosted by OVH Canada.

As Twitter user “parseword” noted, the majority of the DNS requests were being redirected to two IPs allocated to a crime-friendly hosting provider (AS206349) and another pointing to a service that monetizes parked domain names (AS395082).

Third wave – March 26, 2019

The latest wave of attacks came from three distinct Google Cloud Platform hosts and targeted additional types of consumer routers not previously seen in this campaign, including: ARG-W4 ADSL routers, DSLink 260E routers, Secutech routers, and TOTOLINK routers.

DNS hijacking exploit attempts

The rogue DNS servers used in this round, 195.128.126.165 and 195.128.124.131, are both hosted in Russia by Inoventica Services. Internet access is provided by their subsidiary Garant-Park-Internet Ltd (AS47196).

Example compromised D-Link DSL-2640B router with DNS servers set to the rogue DNS servers used in this campaign.

In all three waves, a recon scan was done using Masscan to check for active hosts on port 81/tcp prior to attempting the DNS hijacking exploits.

How many targeted devices are vulnerable?

Establishing a definitive total of vulnerable devices would require us to employ the same tactics used by the threat actors in this campaign. Obviously this won't be done; however, we can catalog how many are exposing at least one service to the public internet using data provided by BinaryEdge:

D-Link DSL-2640B – 14,327
D-Link DSL-2740R – 379
D-Link DSL-2780B – 0
D-Link DSL-526B – 7
ARG-W4 ADSL routers – 0
DSLink 260E routers – 7
Secutech routers – 17
TOTOLINK routers – 2,265

Why are DNS hijacking attacks conducted?

As we saw in years past with DNSChanger malware raking in $14 million, advertising-related fraud is still very lucrative for cybercriminals. Other researchers have noted domain parking remains a booming business often tied to illicit activities.

DNS hijacking is also used for phishing attacks which are largely transparent to users. In this case, the domain name of the targeted site is redirected by the rogue DNS server to a web server controlled by the threat actor. A recent DNS hijacking campaign targeting Brazilian banks was documented by Radware researchers.

Why was Google Cloud Platform used?

Being a large cloud service provider, Google deals with abuse as an ongoing process. However, unlike its competitors, Google makes it very easy for miscreants to abuse its platform.

Anyone with a Google account can access a “Google Cloud Shell” machine by simply visiting this URL. This service provides users with the equivalent of a Linux VPS with root privileges directly in a web browser. Due to the ephemeral nature of these virtual machines coupled with Google’s slow response time to abuse reports, it’s difficult to prevent this kind of malicious behavior.

IOCs

Exploit Attempt Source IPs

Rogue DNS Servers
66.70.173.48
144.217.191.145
195.128.126.165
195.128.124.131

Exploit Attempts
/action?dns_status=1&dns_poll_timeout=2&id=57&dns_server_ip_1=195&dns_server_ip_2=128&dns_server_ip_3=126&dns_server_ip_4=165&priority=1&cmdadd=add
/boafrm/formbasetcpipsetup?dnsmode=dnsmanual&dns1=195.128.126.165&dns2=195.128.124.131&dns3=195.128.124.131&dnsrefresh=1
/dnscfg.cgi?dnsPrimary=195.128.126.165&dnsSecondary=195.128.124.131&dnsDynamic=0&dnsRefresh=1
/form2dns.cgi?dnsmode=1&dns1=195.128.126.165&dns2=195.128.124.131&dns3=&submit.htm?dns.htm=send&save=apply
/wan_dns.asp?go=wan_dns.asp&reboottag=&dsen=1&dnsen=on&ds1=195.128.126.165&ds2=195.128.124.131
/dnscfg.cgi?dnsPrimary=144.217.191.145&dnsSecondary=144.217.191.145&dnsDynamic=0&dnsRefresh=1
/dnscfg.cgi?dnsPrimary=66.70.173.48&dnsSecondary=66.70.173.48&dnsDynamic=0&dnsRefresh=1
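To help operators and honeypot maintainers spot these requests in their web-server logs, here is an added Python example (not the report's own tooling). It parses the DNS-setting parameters seen in the exploit attempts above, including the D-Link form that splits one address across four `dns_server_ip_N` fields, and flags any request that tries to point a router at one of the rogue resolvers named in this post. The log lines are constructed samples and the client addresses are documentation IPs, not the campaign's scanners.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Rogue DNS servers named in this report (IOC section and the 2019-04-05 update).
ROGUE_DNS = {
    "66.70.173.48", "144.217.191.145", "195.128.126.165",
    "195.128.124.131", "195.128.124.150", "195.128.124.181",
}
# Query keys the observed exploit requests use to set resolvers (lower-cased).
DNS_KEYS = {"dns1", "dns2", "dns3", "dnsprimary", "dnssecondary", "ds1", "ds2"}

def dns_servers_in_request(path):
    """Return the set of DNS server IPs a router-config request tries to set.
    Handles whole-address keys (dns1=, dnsPrimary=, ds1=) and the /action?
    form that splits one address across dns_server_ip_1..4."""
    params = parse_qs(urlsplit(path).query, keep_blank_values=True)
    found, octets = set(), {}
    for key, values in params.items():
        lkey = key.lower()
        if lkey in DNS_KEYS:
            found.update(v for v in values if v)  # skip empty dns3=
        m = re.match(r"dns_server_ip_([1-4])$", lkey)
        if m:
            octets[int(m.group(1))] = values[0]
    if len(octets) == 4:
        found.add(".".join(octets[i] for i in (1, 2, 3, 4)))
    return found

# Constructed Common Log Format lines; the client IPs are documentation
# addresses (RFC 5737), not the campaign's real scanning hosts.
SAMPLE_LOG = """\
203.0.113.9 - - [26/Mar/2019:10:02:11 +0000] "GET /dnscfg.cgi?dnsPrimary=195.128.126.165&dnsSecondary=195.128.124.131&dnsDynamic=0&dnsRefresh=1 HTTP/1.1" 200 -
198.51.100.4 - - [26/Mar/2019:10:03:40 +0000] "GET /dnscfg.cgi?dnsPrimary=1.1.1.1&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1 HTTP/1.1" 200 -
203.0.113.9 - - [26/Mar/2019:10:05:02 +0000] "GET /action?dns_status=1&dns_poll_timeout=2&id=57&dns_server_ip_1=195&dns_server_ip_2=128&dns_server_ip_3=126&dns_server_ip_4=165&priority=1&cmdadd=add HTTP/1.1" 200 -
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP')

def scan_log(text):
    """Return (client_ip, endpoint, rogue_servers) per request that tries to
    point the router at a known rogue resolver."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, path = m.groups()
        rogue = dns_servers_in_request(path) & ROGUE_DNS
        if rogue:
            hits.append((src, urlsplit(path).path, sorted(rogue)))
    return hits
```

Any request that sets a resolver at all on these endpoints is worth reviewing; matching against the rogue list only narrows the alert to this campaign.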

Closing Remarks

In general, we recommend that users keep their home router firmware up to date. When security vulnerabilities are discovered, they are usually patched by the manufacturer to mitigate further attacks. It's also advisable to review your router's DNS settings to ensure they haven't been tampered with. Typically your DNS servers should be set to the ones provided by your ISP or to well-known public DNS resolvers.

As always, follow us on Twitter for the latest emerging threats and botnet trends.

Update 2019-04-05:

Ixia researchers posted their findings on the DNS hijacking attacks originating from Google Cloud Platform. They found sites targeted for phishing included Netflix, PayPal, Uber, Gmail, and more.

They’ve also identified additional rogue DNS servers, again hosted by Inoventica Services in Russia:
195.128.124.150
195.128.124.181

A Google spokesperson provided the following statement to Ars Technica in regards to the abuse of Google Cloud Platform to conduct the DNS hijacking attacks:

Google response to abuse of their platform
