70+ Different Types Of Home Routers (All Together 100,000+) Are Being Hijacked By GhostDNS (Sep 29, 2018)
Researchers from 360 Netlab have found a DNS Changer campaign, dubbed “GhostDNS,” targeting home routers in Brazil. The attack is believed to have affected over 100,000 router IP addresses, over 70,000 routers, and more than 50,000 domain names in Brazil to steal login credentials. GhostDNS attempts to brute force the password on the target router’s web authentication page and then changes the router’s default DNS address to the unknown threat actor’s Rogue DNS. The GhostDNS system contains four parts: the DNS Changer module, the Phishing Web module, the Web Admin module, and the Rogue DNS module. The DNS Changer module is the main module of GhostDNS and is responsible for information collection and exploitation: it obtains the web-authentication password of the home router and uses it to point the router’s default DNS address at the Rogue DNS server. The Rogue DNS server has been observed to target at least 52 domains, including Brazilian banks, cloud hosting services, and even a security company named Avira. The Rogue DNS resolves those domains to phishing pages, so victims who visit them are sent to malicious phishing sites instead of the intended domain.
Recommendation: Researchers at 360 Netlab suggest that people, specifically those located in Brazil, update their router firmware, check whether the router’s default DNS server has been changed, and set complex passwords for their router web portal that differ from the default password. Router vendors should ship more complex default passwords for home routers and improve their security update mechanisms.
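As an added example (not code from 360 Netlab or from the report), a defender-side check in Python for the two things the recommendation asks router owners to verify: whether the router’s configured resolvers are still the expected ones, and whether sensitive domains resolve differently through the router than through a trusted resolver. All resolver addresses, domains and answers below are constructed placeholders.

```python
# Added example: detection logic for the kind of DNS hijack GhostDNS performs.
# Two heuristics over constructed data:
#  1. the router's configured resolvers are not on the owner's allowlist;
#  2. answers from the router's resolver share no address with a trusted
#     resolver, and several unrelated domains collapse onto one IP (the
#     signature of a rogue resolver steering victims to a single phishing host).
from collections import defaultdict

# Constructed allowlist: the resolvers the ISP hands out / the owner configured.
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}  # TEST-NET placeholder values


def unexpected_resolvers(configured, expected=EXPECTED_RESOLVERS):
    """Return configured resolver addresses that are not on the allowlist."""
    return sorted(set(configured) - set(expected))


def find_hijacked_domains(router_answers, trusted_answers):
    """Compare A-record answers from the router's resolver with a trusted one.

    Both arguments map domain -> set of IPv4 strings. A domain is suspicious
    when the two answer sets have no address in common. Returns
    (suspicious_domains, shared_sinks); shared_sinks maps an IP to the
    suspicious domains that resolved to it when two or more did.
    """
    suspicious = []
    by_ip = defaultdict(set)
    for domain, trusted in trusted_answers.items():
        observed = router_answers.get(domain, set())
        if observed and not (observed & trusted):
            suspicious.append(domain)
            for ip in observed:
                by_ip[ip].add(domain)
    sinks = {ip: sorted(d) for ip, d in by_ip.items() if len(d) >= 2}
    return sorted(suspicious), sinks


# Constructed sample: the rogue resolver answers for a bank and a hosting
# provider with the same phishing address; an unrelated domain is untouched.
SAMPLE_TRUSTED = {
    "bank.example": {"203.0.113.10", "203.0.113.11"},
    "cloud.example": {"203.0.113.20"},
    "news.example": {"203.0.113.30"},
}
SAMPLE_ROUTER = {
    "bank.example": {"198.51.100.66"},
    "cloud.example": {"198.51.100.66"},
    "news.example": {"203.0.113.30"},
}

if __name__ == "__main__":
    print(unexpected_resolvers(["198.51.100.5", "192.0.2.53"]))
    print(find_hijacked_domains(SAMPLE_ROUTER, SAMPLE_TRUSTED))
```

In practice the two answer maps would be filled by querying the router's resolver and a trusted resolver (for example over DNS-over-HTTPS) for the same list of banking and service domains.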