Attack Kit Hijacks DNS of Home and Business Routers

For the past year, attackers have been using an exploit kit that changes the DNS settings of home and small-business routers through users’ browsers.

The tool, dubbed Novidade, was first used in Brazil in August 2017, but researchers from antivirus firm Trend Micro have identified multiple variants since then and have also observed attack campaigns in other regions of the world.

“One possibility is that the exploit kit tool was either sold to multiple groups or the source code was leaked, allowing threat actors to use the kit or create their own variations,” the Trend Micro researchers said in a blog post. “Most of the campaigns we discovered used phishing attacks to retrieve banking credentials in Brazil. However, we also recently found campaigns with no specific target geolocation, suggesting that either the attackers are expanding their target areas or a larger number of threat actors are using it.”

Novidade executes cross-site request forgery (CSRF) attacks: a page the victim has loaded makes their browser send requests to another site that accepts them on the strength of credentials the browser attaches automatically, or, as here, of default credentials the attacker supplies. The target in this case is the web-based administration interface of the victim's own router on the local network.

The standard defense is a synchronizer token: the server embeds a unique, random value in every page or form it serves and rejects any state-changing request that does not return it. Because the same-origin policy prevents a remote website from reading the router's pages in the user's browser, the attacker's page cannot learn the token and so cannot construct a request the router will accept. Unfortunately, the web interfaces of SOHO routers generally lack such CSRF defenses, and many rely on HTTP Basic authentication, whose cached credentials the browser attaches to every request to that host.

Attackers inject the Novidade exploit into malicious advertisements, compromised websites or attack pages distributed through instant messaging applications. When a user visits one of these pages, the kit uses the browser to probe LAN addresses commonly used by routers; if it receives a response, it attempts to log in using default usernames and passwords and then changes the router's DNS settings using a CSRF technique.

Routers typically resolve DNS queries from every computer on the local network by forwarding them to the DNS servers configured in the router's settings. If those servers are controlled by attackers, they can answer users' queries with rogue IP addresses and direct them to fake websites when they try to reach legitimate ones.

The Novidade campaigns observed so far directed users to fake bank websites in an attempt to steal online banking credentials. However, the same technique can be applied to phish any type of credential if the targeted website is not protected by HTTP Strict Transport Security (HSTS): with DNS under their control, the attackers can serve a look-alike site over plain HTTP, whereas a browser that already holds HSTS state for the domain (from a previous visit or the preload list) insists on HTTPS, and the fake server cannot present a valid certificate for the real hostname.

The researchers have observed three variants of Novidade, each with improvements over the previous ones. The third version, which was observed in October, added victim tracking and a method of obtaining the victim’s LAN IP address by using WebRTC and STUN servers.
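As an added example (not Novidade's code), here is the LAN-address discovery step as a page could implement it on top of WebRTC, written so that defenders and testers can see exactly what leaks. The only browser-specific call (RTCPeerConnection) is isolated in one function that is not invoked here; the candidate parsing, private-range check and gateway-guessing logic run anywhere and are exercised on constructed ICE candidate lines. The STUN server URL and the list of common gateway addresses are assumptions, not the kit's.

```javascript
// Added example: extracting LAN IPs from WebRTC ICE candidates and turning
// them into a list of likely router addresses. Sample candidates are
// constructed; RTCPeerConnection is only referenced inside gatherCandidates().

const PRIVATE_RANGES = [
  { base: "10.0.0.0", bits: 8 },
  { base: "172.16.0.0", bits: 12 },
  { base: "192.168.0.0", bits: 16 },
];

function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) return null;
  return ((parts[0] << 24) >>> 0) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
}

function isPrivateIPv4(ip) {
  const n = ipToInt(ip);
  if (n === null) return false;
  return PRIVATE_RANGES.some(({ base, bits }) => {
    const mask = (~0 << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipToInt(base) & mask) >>> 0);
  });
}

// Parse one ICE candidate line, e.g.
//   candidate:1 1 udp 2122260223 192.168.1.42 51230 typ host generation 0
// Returns { address, type } or null. Current browsers replace host-candidate
// IPs with mDNS names such as "<uuid>.local"; those fail the IPv4 check
// below and therefore disclose nothing.
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ (\S+)/.exec(line.trim());
  return m ? { address: m[1], type: m[2] } : null;
}

// Private LAN addresses revealed by a set of candidate lines. Only "host"
// candidates count; "srflx" candidates carry the public address seen by the
// STUN server.
function lanAddresses(lines) {
  const out = new Set();
  for (const line of lines) {
    const c = parseCandidate(line);
    if (c && c.type === "host" && isPrivateIPv4(c.address)) out.add(c.address);
  }
  return [...out];
}

// Likely router addresses to probe: a short static list (assumed, not the
// kit's) plus the .1 and .254 of each revealed /24, a common SOHO convention.
const COMMON_GATEWAYS = ["192.168.0.1", "192.168.1.1", "10.0.0.1"];
function probeList(lines) {
  const guesses = new Set(COMMON_GATEWAYS);
  for (const ip of lanAddresses(lines)) {
    const prefix = ip.split(".").slice(0, 3).join(".");
    guesses.add(`${prefix}.1`);
    guesses.add(`${prefix}.254`);
  }
  return [...guesses];
}

// Browser-only: collect candidate lines through a throwaway peer connection
// with an assumed STUN server. Not called in Node.
function gatherCandidates(stunUrl = "stun:stun.example.net:3478") {
  return new Promise(resolve => {
    const lines = [];
    const pc = new RTCPeerConnection({ iceServers: [{ urls: stunUrl }] });
    pc.createDataChannel("probe");
    pc.onicecandidate = e => {
      if (e.candidate) lines.push(e.candidate.candidate);
      else { pc.close(); resolve(lines); }
    };
    pc.createOffer().then(offer => pc.setLocalDescription(offer));
  });
}

// Constructed sample: one server-reflexive candidate (public IP), two host
// candidates with private IPs, and one mDNS-obfuscated host candidate.
const SAMPLE_CANDIDATES = [
  "candidate:842163049 1 udp 1677729535 203.0.113.7 60123 typ srflx raddr 192.168.1.42 rport 60123 generation 0",
  "candidate:1 1 udp 2122260223 192.168.1.42 51230 typ host generation 0",
  "a=candidate:2 1 udp 2122194687 d3f4c0de-1234-4abc-9def-0123456789ab.local 51231 typ host",
  "candidate:3 1 tcp 1518280447 10.8.0.3 9 typ host tcptype active",
];
```

Running `probeList(SAMPLE_CANDIDATES)` yields the static guesses plus 192.168.1.254, 10.8.0.1 and 10.8.0.254. The mDNS line is the practical caveat: browsers that obfuscate host candidates this way no longer hand a page the LAN address directly, so a kit falls back to probing the common-gateway list blind, which is also why changing the router's default IP address (one of the recommendations below) raises the attacker's cost.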

The attack kit has exploits for router models from different manufacturers, including, but not limited to: A-Link WL54AP3 / WL54AP2, D-Link DSL-2740R, D-Link DIR 905L, Medialink MWN-WAPR300, Motorola SBG6580, Realtron, Roteador GWR-120, Secutech RiS-11/RiS-22/RiS-33, TP-Link TL-WR340G / TL-WR340GD and TP-Link WR1043ND V1.

“To defend against exploit kits like Novidade, we recommend that users always upgrade their device’s firmware to the latest version,” the Trend Micro researchers said. “Default usernames and passwords are a highly common gateway for exploits, thus it is also important to use strong passwords on all user accounts. It is also recommended to change the router’s default IP address, as well as disable remote access features to minimize the chances for an attacker to externally manipulate the device. Finally, users should always use secure web connections (HTTPS) to access sensitive websites to prevent pharming attacks.”

Adobe Drops One of the Largest Reader and Acrobat Security Updates Ever

On Patch Tuesday, Adobe Systems released security updates for its Reader and Acrobat products, fixing 86 vulnerabilities, an unusually large number compared to the company’s previous patches.

Of the fixed flaws, 39 are rated critical and can lead to arbitrary code execution; the rest are rated important and can lead to information disclosure, typically the leak of memory contents. Information disclosure flaws are valuable to attackers because they can be chained with code execution flaws to defeat mitigations such as address space layout randomization (ASLR), which depends on the attacker not knowing where code and data reside in memory.

A large percentage of the vulnerabilities have been reported through Trend Micro’s Zero Day Initiative (ZDI), either by researchers working directly for the company or by third-party researchers who submitted their findings through the ZDI program.

Users are advised to upgrade to Adobe Acrobat and Reader DC version 2019.010.20064, if they are on the Continuous track, to Acrobat and Reader DC 2017.011.30110, if they are on the Classic 2017 track, or to Acrobat and Reader DC 2015.006.30461, if they are on the Classic 2015 track.

Security Boulevard

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
