Router Exploit Kits Continue Target Brazilian Users

Delaware, USA – July 15, 2019 – Attacks on routers in Brazil started about a year ago, sometimes going beyond the borders of the country. Initially, the compromised devices were used to mine Monero cryptocurrency by injecting Coinhive script into a specially created error page. Then the attackers began to change router DNS settings and redirect users to attackers’ DNS servers, which sent users to fraudulent banking pages. Despite the fact that there was no information about large-scale campaigns, the attacks did not stop. According to Avast, since February of this year, about 180,000 infections have been recorded, although the real figure may be much higher.

Initially, the main tool for such campaigns was the GhostDNS exploit kit that determines the user’s IP and router used, and then runs the script exploiting router vulnerability to change the DNS settings. Since this process takes time, the user’s attention is distracted, for example, by installing a fake browser update. From mid-April, the attackers started using the SonarDNS exploit kit, which was created using the Sonar JS framework and is a more stealthily version of the GhostDNS. In recent campaigns, adversaries are more interested in user credentials than banking card data, and credentials for Netflix are now leading. Also, compromised routers used to show malicious ads and run Monero mining scripts in a browser. Frequent DNS-hijacking attacks pose a serious danger to organizations, as most of them go unnoticed by victims, and recent Sea Turtle group campaigns confirm this. National Cyber Security Center UK published an advisory highlighting DNS-hijacking and providing mitigation advice. Among other things they recommend monitor SSL certificates and implement DNSSEC specifications.
Content in Threat Detection Marketplace that can help organizations to secure against DNS-hijacking:
DNS Security Check rule pack:
SSL Framework rule pack: