Consumer routers targeted by DNS hijacking attackers

Owners of a slew of D-Link, ARGtek, DSLink, Secutech, TOTOLINK and Cisco consumer routers are urged to update their device’s firmware, lest they fall prey to ongoing DNS hijacking campaigns and device hijacking attacks.

consumer routers DNS hijacking

Targeted Cisco routers

The Cisco routers targeted are Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN routers.

The exploited vulnerabilities are CVE-2019-1653, CVE-2019-1652, and CVE-2019-1828.

All three are in the web-based management interface of the routers and could allow an unauthenticated, remote attacker to retrieve sensitive information, execute arbitrary commands, or access administrative credentials.

The first two have been patched unsuccessfully in the past, but Cisco has now pushed out a firmware update (v1.4.2.22) that supposedly fixes them for good.

The same security update also plugs CVE-2019-1828, a vulnerability that exists because affected devices use weak encryption algorithms for user credentials.

“An attacker could exploit this vulnerability by conducting a man-in-the-middle attack and decrypting intercepted credentials. A successful exploit could allow the attacker to gain access to an affected device with administrator privileges,” Cisco explained, and noted that its Product Security Incident Response Team (PSIRT) “is aware of the public announcement or malicious use of the vulnerability.”

The DNS hijacking campaign

The on-and-off DNS hijacking campaign has been documented by security researcher Troy Mursch of Bad Packets Report.

The campaign was effected in three bursts: the first one in December 2018, the second in February 2019 and the third in March 2019.

Throughout the various campaigns, the targeted (vulnerable) routers were:

  • D-Link DSL-2640B
  • D-Link DSL-2740R
  • D-Link DSL-2780B
  • D-Link DSL-526B
  • ARG-W4 ADSL
  • DSLink 260E
  • Secutech routers and TOTOLINK routers.

“All exploit attempts have originated from hosts on the network of Google Cloud Platform,” Mursch noted.

“Google makes it very easy for a miscreants to abuse their platform. Anyone with a Google account can access a ‘Google Cloud Shell’ machine by simply visiting this URL. This service provides users with the equivalent of a Linux VPS with root privileges directly in a web browser. Due to the ephemeral nature of these virtual machines coupled with Google’s slow response time to abuse reports, it’s difficult to prevent this kind of malicious behavior.”

The attackers’ goal was to change the target routers’ DNS settings to point to various rogue DNS servers, so that users may be redirected to malicious IPs (e.g., fake bank websites).

“In all three waves, a recon scan was done using Masscan to check for active hosts on port 81/tcp prior to attempting the DNS hijacking exploits,” Mursch added.

Owners of targeted routers are advised to check whether their router’s DNS settings have been tampered with (the rogue DNS servers used in this campaign are/were located at 66.70.173.48, 144.217.191.145, 195.128.126.165 and 195.128.124.131) and, if they have, to change them to one of the legitimate, public DNS resolvers.

Those who haven’t been affected should make sure to have the latest firmware available installed.

UPDATE (April 6, 2019, 08:25 a.m. PT):

“We have suspended the fraudulent accounts in question and are working through established protocols to identify any new ones that emerge,” a Google Cloud spokesperson told Help Net Security.

“We have processes in place to detect and remove accounts that violate our terms of service and acceptable use policy, and we take action on accounts when we detect abuse, including suspending the accounts in question. These incidents highlight the importance of practicing good security hygiene, including patching router firmware once a fix becomes available.”