Massive campaign uses router exploit kit to change routers’ DNS servers

Well-known security researcher Kafeine has spotted an active campaign aimed at compromising SOHO routers and changing their DNS settings so that the attackers can seamlessly redirect users to phishing sites, hijack their search queries, intercept their traffic, and more.

This particular campaign apparently targets only users of Google’s Chrome browser and ignores others. Chrome users who visit a compromised website are redirected to a site that serves cross-site request forgery (CSRF) code that determines which router model the victims use.

Depending on that information, an exploit for one of several vulnerabilities – CVE-2015-1187, CVE-2008-1244, or CVE-2013-2645 – is served, or several sets of common administrative credentials are tried, all with the aim of gaining access to the router’s administration interface.

Many routers’ web-based administration interfaces are inaccessible from the Internet (remote management has been disabled), but remain accessible from the local network, i.e. from the user’s browser.

CSRF attacks exploit the trust that a site has in a user’s browser. In this case, the browser is made to execute malicious actions on the router’s web administration interface.

This campaign is able to compromise over 55 router models sold by Asus, Belkin, D-Link, Linksys, Netgear, Zyxel and several other manufacturers.

The routers’ DNS settings are changed to point to a DNS server controlled by attackers, with Google’s public DNS server as the secondary, fallback one. This way, if the first one is temporarily inaccessible, the victims’ requests will still be resolved and they won’t notice the compromise.
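A defender-side check for the configuration change described above, added here as an example and not part of the original article: it parses the resolver list a client received over DHCP (or `nameserver` lines copied from the router’s status page) and flags the specific pattern of an unknown primary resolver paired with a well-known public fallback. The allowlist, the placeholder rogue address and the sample inputs are constructed for the example.

```python
import ipaddress

# Constructed allowlist for this example: the router's own LAN address
# plus the public resolvers the operator has deliberately chosen.
TRUSTED_RESOLVERS = {"192.168.1.1", "8.8.8.8", "8.8.4.4"}

# Well-known public resolvers. The campaign described above pairs a rogue
# primary with one of these as fallback, so an outage of the rogue server
# goes unnoticed by the victim.
WELL_KNOWN_PUBLIC = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}


def parse_nameservers(text):
    """Return nameserver IPs, in order, from resolv.conf-style text.

    Accepts a client's /etc/resolv.conf (DHCP-supplied resolvers) or
    'nameserver <ip>' lines copied from a router's status page.
    Comments and malformed entries are skipped rather than raising.
    """
    servers = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # not an IP address; ignore the line
    return servers


def assess_dns(servers, trusted=TRUSTED_RESOLVERS):
    """Classify an ordered resolver list as ok / review / suspicious / unknown."""
    if not servers:
        return "unknown", ["no nameservers configured"]
    reasons = [f"{s}: resolver not in the allowlist" for s in servers if s not in trusted]
    primary, fallback = servers[0], servers[1:2]
    # The hijack signature from the article: untrusted primary, trusted public fallback.
    if primary not in trusted and fallback and fallback[0] in WELL_KNOWN_PUBLIC:
        reasons.append("untrusted primary with well-known public fallback")
        return "suspicious", reasons
    return ("review" if reasons else "ok"), reasons


# Constructed samples: a healthy LAN client and one behind a hijacked router.
# 203.0.113.7 is a TEST-NET-3 documentation address standing in for the rogue server.
CLEAN_SAMPLE = "search lan\nnameserver 192.168.1.1\n"
HIJACKED_SAMPLE = "nameserver 203.0.113.7  # rogue placeholder\nnameserver 8.8.8.8\n"
```

Run `assess_dns(parse_nameservers(open("/etc/resolv.conf").read()))` on a LAN client to check its own resolvers; a "review" verdict means an unlisted resolver worth confirming, "suspicious" means the exact primary/fallback pattern was seen.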

The campaign has been going on for over a month, and millions of devices from around the world have potentially been affected. It all depends on the effectiveness of the exploits: a fix for CVE-2015-1187 was released earlier this year, but it’s unlikely that many users have applied the patch.

The other two vulnerabilities are older and patches for them have been available for years, but many users don’t know how to update their router’s firmware (routers don’t have automatic firmware updating), or aren’t even aware that they should.