Delaware, USA – December 12, 2018 – A newly discovered exploit kit, Novidade, attacks home and SOHO routers and compromises the endpoints and mobile devices connected to them. Researchers from Trend Micro describe in a blog post how the exploit kit uses cross-site request forgery to change the router's DNS settings, which lets adversaries conduct a pharming attack that redirects traffic from every connected device to the IP address of their own server. Like other recent attacks on routers, this campaign started in Brazil and soon expanded to other regions. Most of the attacks are conducted to steal banking credentials by redirecting users to attacker-controlled websites: when users try to reach a targeted bank, their traffic is redirected to a cloned version of that bank's login page.
Attackers distribute Novidade via malvertising, code injected into compromised websites and instant messengers. Its landing page performs several HTTP requests to a predefined list of local IP addresses. Once a router responds, the exploit kit queries that IP address to download the matching payload and attacks the device with a number of exploits. Novidade also conducts a dictionary brute-force attack to log into the attacked router and then changes its DNS server settings.
Experts suggest that the Novidade exploit kit is used by several cybercriminal groups, so the number of targets will increase. To uncover this type of attack, you can use the DNS Security Check rule pack, which spots changes to DNS settings before any sensitive data is stolen.
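The detection idea behind a DNS settings check, as an added example that is not part of the original article or of any vendor rule pack: compare the resolvers handed out to monitored endpoints against a trusted allowlist over time, and compare the answers for pinned sensitive domains against a known baseline. All hosts, addresses and domains are constructed sample data (RFC 5737 documentation ranges), not indicators from the campaign.

```python
"""Spot router DNS hijacking from endpoint DNS-server snapshots (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Alert:
    when: str
    host: str
    reason: str
    old: tuple
    new: tuple


def untrusted(servers, trusted_nets):
    """Return the resolvers that fall outside every trusted network."""
    return tuple(s for s in servers
                 if not any(ipaddress.ip_address(s) in n for n in trusted_nets))


def detect_dns_changes(snapshots, trusted_nets):
    """snapshots: (timestamp, host, [dns servers]) in time order.
    A change that introduces an untrusted resolver is the pharming signature;
    a change between trusted resolvers is still reported, at lower priority."""
    last, alerts = {}, []
    for when, host, servers in snapshots:
        cur, prev = tuple(servers), last.get(host)
        if prev is not None and cur != prev:
            rogue = untrusted(cur, trusted_nets)
            reason = "untrusted resolver introduced" if rogue else "resolver changed (trusted)"
            alerts.append(Alert(when, host, reason, prev, cur))
        last[host] = cur
    return alerts


def check_pinned_answers(observed, pinned):
    """observed / pinned: {domain: ip}. Return domains whose answer deviates as {domain: (expected, seen)}."""
    return {d: (pinned[d], ip) for d, ip in observed.items() if d in pinned and ip != pinned[d]}


# Constructed sample data: the LAN gateway and an ISP range are trusted resolvers.
TRUSTED_NETS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("198.51.100.0/24")]
SNAPSHOTS = [
    ("2018-12-10T08:00", "laptop", ["192.168.0.1"]),
    ("2018-12-10T20:00", "laptop", ["198.51.100.53"]),            # ISP resolver: trusted change
    ("2018-12-11T08:00", "laptop", ["203.0.113.45", "8.8.8.8"]),  # rogue primary plus public secondary
    ("2018-12-11T08:00", "phone", ["203.0.113.45", "8.8.8.8"]),   # first sighting of host: no baseline yet
]
PINNED = {"bank.example": "198.51.100.20"}                         # constructed baseline answer
OBSERVED = {"bank.example": "203.0.113.77", "news.example": "198.51.100.90"}

if __name__ == "__main__":
    for alert in detect_dns_changes(SNAPSHOTS, TRUSTED_NETS):
        print(alert)
    print(check_pinned_answers(OBSERVED, PINNED))
```

The first sighting of a host produces no alert because there is no baseline to compare against, so the check should run alongside the resolver allowlist rather than replace it.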