Consumer routers and modems targeted in DNS hijacking attack campaign

• Analysis revealed that four malicious DNS servers were used to redirect web traffic for nefarious purposes.
• Perpetrators used Google Cloud Platform for all the exploit attempts, which was observed to be happening since the past three months.

Popular consumer routers have been reported with numerous active DNS hijacking exploits. According to Troy Mursch of Bad Packets LLC who analyzed the DNS hijacking campaign, it started with exploits made on certain D-Link modems, at the end of December last year. It was also observed that the attackers relied on Google Cloud Platform (GCP) hosts for all the latest exploits.

The three waves of the campaign

• Mursch’s blog detailed the campaign’s activity over the span of three months since its inception. The first wave of attacks targeted certain D-Link DSL modems (2640B, 2740R, 2780B, and 526B) with a rogue DNS server.
• The second wave of attacks was observed in February with exploits made on the same D-Link modems. Only the DNS server was different this time.
• The third wave of attacks originated from three Google Cloud Platform hosts and targeted various consumer routers other than D-Link. The routers involved were ARG-W4 ADSL routers, DSLink 260E, Secutech, and TOTOLINK routers.
• A total of four rogue DNS servers were used in the campaign. The first two were hosted by OVH Canada with the remaining ones from Russian IT firm Inoventica.

Abusing GCP

Mursch emphasized that the cloud service provider’s vastness made it attractive for baddies to easily conduct DNS hijacking.

“Anyone with a Google account can access a 'Google Cloud Shell' machine by simply visiting this URL (refers to the Cloud Shell’s link). This service provides users with the equivalent of a Linux VPS with root privileges directly in a web browser. Due to the ephemeral nature of these virtual machines coupled with Google’s slow response time to abuse reports, it’s difficult to prevent this kind of malicious behavior,” the security researcher wrote.

Overall, it was found that around 17,000 routers were vulnerable to the DNS hijacking campaign. Users are advised to always keep their routers’ firmware to stay away from such dangerous attacks.