Cyber criminals are turning to new methods to achieve their desired goals, without gaining access to victims’ machines directly. Hackers are altering the DNS conCiguration on SOHO gateways in order to redirect victims DNS requests and subsequently replace the intended answers with IP addresses and domains controlled by the attackers, effectively conducting a Man-in-the-Middle attack.
SOHO routers are vulnerable to multiple exploit techniques, including a recently disclosed authentication bypass vulnerability in ZyXEL firmware and Cross-Site request Forgery (CSRF) techniques similar to those reported in late 2013. The figure below shows the CSRF SOHO Router Attack exploited by cyber criminals.
Image Source: Team Cymru
Team Cymru’s Enterprise Intelligence Services have identified over 300,000 SOHO gateways, predominantly in Europe and Asia which are believed to be compromised. Affected devices had their DNS settings changed to use the IP addresses 22.214.171.124 and 126.96.36.199. Top countries affected by this pharming campaign are Vietnam, India, Thailand and Italy.
Source: Team Cymru Report
Organizations concerned that their customers and external partners could be victims of this type of attack should urge them to review their local router DNS settings and security policies and contact their upstream service provider for assistance if necessary. SOHO devices should have remote user-mode administration features and GUI's disabled or, at a minimum, restricted through ACLs to only those IPs required for regular administration. Management interfaces open to the Internet create an easily detectable and exploitable vulnerability and should be disabled immediately if found. If you need further assistance and immediate security solution please visit our website and contact us asap.