Attacks on the DNS settings of home routers are nothing new, but what is new is that the attack has been folded into an exploit kit. That is what the French security researcher Kafeine has observed in variants of the Sweet Orange exploit kit.

This exploit kit specialises in cross-site request forgery (CSRF) attacks, in which the attacker makes the victim's browser perform actions on a web application, using that visitor's existing credentials, that benefit the attacker, such as authorising money transfers. It is the same trick, applied to the DNS settings of home routers, that lets the attackers steer the victims' traffic wherever they choose.

The fact that routers are so rarely updated greatly helps the spread of this kind of exploit, because the vulnerabilities persist for years. That is why the DNS settings of SOHO routers in particular are an attractive target, whether through exploit kits or through direct remote attacks.

According to Kafeine's data, traffic from the campaign peaked on 9 May at almost a million hits, which gives an idea of the scale of the campaign and of how many thousands of victims there are. Another notable point is that a large share of this traffic came from Chrome and Chromium users, possibly because those browsers expose local and public IP addresses through WebRTC (as demonstrated by tools such as WebRTC-ips), which makes the attackers' job easier.

The attackers' good results can also be inferred from the effort they are putting into obfuscating the exploit code, from the plain-text code of the first version detected to the increasingly sophisticated later versions. When was the last time you updated your router? Source: Kaspersky

Attacks targeting small office and home router DNS settings, long a target for network intruders seeking to redirect web traffic to malicious sites, have for the first time been included in an exploit kit—one that specializes in cross-site request forgery attacks.

An offshoot of the Sweet Orange exploit kit has been spotted by French researcher Kafeine, who on Friday published research about the attacks. Traffic from the campaign peaked on May 9 at almost a million hits, after a month-long series of modifications by the attackers that included better JavaScript obfuscation, Kafeine said.

The attackers are driving a lot of traffic from Chrome users in particular, Kafeine said. Such pharming attacks are particularly dangerous—and have targeted home routers before—putting online banking and other sensitive transactions and communication at risk. The researcher said he hasn’t been able to determine the extent of any damage, but given the state of router vulnerability management, it could be a gold mine.

“There are fresh exploits inside, and if a user already has trouble updating their software, we can guess router update is not something people are doing,” Kafeine said. “This kind of attack is really old, but yes [this is the] first time I’ve seen something with obfuscation, rotating domains and landing going after DNS.”

Researchers at Kaspersky Lab published a report in September on similar web-based attacks against routers taking place in Brazil. Rather than exploit kits, the attackers relied on phishing emails and malicious websites to push code that changes home router DNS settings and points them toward phishing websites for some of Brazil’s largest banks in an attempt to steal credentials.

“This is something I hadn’t seen in the attacks I was researching. But this was expected: putting everything together in an exploit kit is a natural movement from bad guys, as we see an avalanche of vulnerabilities in network devices that allow CSRF,” said Kaspersky Lab researcher Fabio Assolini of Kafeine’s findings.

Assolini, who lives in Brazil, said hackers in his country are beginning to move in this direction as well in terms of using CSRF attacks, but he has yet to see exploit kits or heavy JavaScript obfuscation.

“I think the worst scenario is related to attacks that use (remote code execution), exploiting these vulnerabilities to change DNS remotely, as there are a lot of devices that are outdated,” Assolini said, adding that a separate attack in 2011 in Brazil compromised more than four million devices.

SOHO routers are compromised in this campaign via drive-by downloads and malvertising on popular websites. The attackers’ concentration on Chrome and Chromium users could be explained by those browsers’ ability to reveal local and public IP addresses through tools such as WebRTC-ips, developed by Daniel Roesler. WebRTC, present in Chrome and in Firefox, lets browsers and mobile apps communicate in real time via APIs. Roesler’s tool takes advantage of the fact that WebRTC allows requests to STUN (Session Traversal Utilities for NAT) servers, which return IP information. Such requests, Kafeine said, let an attacker avoid noisy shotgun-style attacks.
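The WebRTC leak described above, as an added example that is not Kafeine's code, Roesler's WebRTC-ips, or anything from the exploit kit: a page collects ICE candidates from a throwaway RTCPeerConnection, and the host and server-reflexive candidates give away the visitor's LAN and public IPv4 addresses. The candidate lines are constructed sample input, the STUN server is just an example, and the gateway guess (a /24 with the router at .1 or .254) is my assumption about how the LAN address would be used, not something the article reports the kit doing.

```javascript
// Added example: WebRTC ICE candidate parsing to recover LAN/public IPs, plus an assumed
// gateway guess. Not code from the article, Kafeine's post, or the exploit kit.

const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// RFC 1918 and link-local space: an address here is a LAN address behind NAT.
function isPrivateIPv4(ip) {
  const m = IPV4_RE.exec(ip);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 10
    || (a === 172 && b >= 16 && b <= 31)
    || (a === 192 && b === 168)
    || (a === 169 && b === 254);
}

// Parse candidate strings as delivered by RTCPeerConnection.onicecandidate (with or
// without the SDP "a=" prefix). Field layout per RFC 5245:
//   candidate:<foundation> <component> <transport> <priority> <ip> <port> typ <type> ...
// "host" candidates carry interface addresses (the LAN IP); "srflx" candidates carry the
// address a STUN server saw, i.e. the public IP of the NAT.
function extractIPsFromCandidates(lines) {
  const host = new Set();
  const srflx = new Set();
  for (const raw of lines) {
    const line = raw.replace(/^a=/, '');
    if (!line.startsWith('candidate:')) continue;
    const f = line.split(' ');
    const typIdx = f.indexOf('typ');
    if (f.length < 8 || typIdx < 0 || !IPV4_RE.test(f[4])) continue; // skip IPv6/mDNS candidates
    if (f[typIdx + 1] === 'host') host.add(f[4]);
    else if (f[typIdx + 1] === 'srflx') srflx.add(f[4]);
  }
  return { host: [...host], srflx: [...srflx] };
}

// Assumption for illustration: a SOHO LAN is a /24 with the router at .1 or .254. Knowing
// the LAN IP means posting to two addresses instead of spraying every common default
// range, which is the "noisy shotgun-style attack" Kafeine refers to.
function guessGatewayCandidates(localIp) {
  if (!isPrivateIPv4(localIp)) return [];
  const prefix = localIp.split('.').slice(0, 3).join('.');
  return [`${prefix}.1`, `${prefix}.254`];
}

// Browser-only collection step; in Node there is no RTCPeerConnection, so it resolves to [].
// The STUN server is an example; any reachable STUN server yields a srflx candidate.
function gatherCandidateLines(timeoutMs = 1500) {
  return new Promise((resolve) => {
    if (typeof RTCPeerConnection === 'undefined') return resolve([]);
    const pc = new RTCPeerConnection({ iceServers: [{ urls: 'stun:stun.l.google.com:19302' }] });
    const lines = [];
    pc.createDataChannel('probe'); // a media/data section is required for ICE gathering to start
    pc.onicecandidate = (e) => { if (e.candidate) lines.push(e.candidate.candidate); };
    pc.createOffer().then((offer) => pc.setLocalDescription(offer));
    setTimeout(() => { pc.close(); resolve(lines); }, timeoutMs);
  });
}

// Constructed sample: what a 2015-era Chrome would emit on a 192.168.1.0/24 LAN
// (203.0.113.0/24 is documentation address space standing in for the public IP).
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 192.168.1.37 54321 typ host generation 0',
  'candidate:2 1 udp 1686052607 203.0.113.45 54321 typ srflx raddr 192.168.1.37 rport 54321 generation 0',
  'candidate:3 1 tcp 1518280447 192.168.1.37 9 typ host tcptype active generation 0',
];

function demo(lines = SAMPLE_CANDIDATES) {
  const ips = extractIPsFromCandidates(lines);
  return { ...ips, gateways: ips.host.flatMap(guessGatewayCandidates) };
}

if (typeof module !== 'undefined' && require.main === module) {
  console.log(demo());
  gatherCandidateLines().then((lines) => { if (lines.length) console.log(demo(lines)); });
}
```

In a browser, `gatherCandidateLines().then(demo)` does the live collection. Current Chrome, Firefox and Safari replace host candidate addresses with mDNS names (`<uuid>.local`) unless the page already holds a camera or microphone permission, so the `host` list is usually empty today; the `srflx` candidate still reveals the public IP.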

Kafeine explained in a post on his website that he first spotted the attacks in April, initially expecting the payload to be ransomware; instead he saw a cross-site request forgery and related pharming attacks. CSRF attacks force victims’ browsers to submit malicious requests on the attackers’ behalf, usually to sites where the victim is already logged in. Kafeine said the original exploit was written in the clear, but within a month had already added obfuscation to the mix among many improvements.

The code included a long list of routers to target from popular vendors, including D-Link, Belkin, Asus, Linksys, Netgear and others. In one example from Kafeine where he “posed” as a vulnerable router, it was hit with an exploit for a recent D-Link command injection vulnerability (CVE-2015-1187), which was made public and patched March 2.

“I guess this attack is pretty effective (the percentage of routers updated in the past two months is probably really low),” Kafeine wrote. In the attack, the DNS address was changed to 185[.]82[.]216[.]86; it has since been changed to 217[.]12[.]202[.]93, and the kit always sets Google’s DNS as a failover should the first IP fail, Kafeine said. A deeper look at the attack code, he said, revealed exploits for a CVE published in 2008 and another from 2013.

“We can bet there are a lot more buried in the POST commands dedicated to some of the models,” he wrote.

The risk to users is substantial, he said, ranging from financial loss to click fraud, man-in-the-middle attacks and phishing.

“That depends on what the bad guys’ plans are,” Kafeine said. “They can stealthily alter traffic of all computers in the perimeter, show ad-banners, do some phishing etc…”

Source: https://threatpost.com/exploit-kit-using-csrf-to-redirect-soho-router-dns-settings/112993
