Radware Threat Research Center has identified a hijacking campaign aimed at Brazilian Bank customers through their IoT devices, attempting to gain their bank credentials.
The research center has been tracking malicious activity targeting DLink DSL modem routers in Brazil since June 8th. Through known old exploits dating from 2015, a malicious agent is attempting to modify the DNS server settings in the routers of Brazilian residents, redirecting all their DNS requests through a malicious DNS server. The malicious DNS server is hijacking requests for the hostname of Banco de Brasil (www.bb.com.br) and redirecting to a fake, cloned website hosted on the same malicious DNS server, which has no connection whatsoever to the legitimate Banco de Brasil website.
Itau Unibanco, another Brazilian financial institution, hostname (www.itau.com.br) is also being redirected, although not backed by a cloned website for now. For all other DNS requests, the malicious server works as a forwarder and resolves just as an ISP DNS server would. The malicious DNS server set up by the hackers becomes an effective man-in-the-middle that provides the malicious actor with the flexibility to bring up fake portals and web fronts to collect sensitive information from users whose routers were infected.
Unique about this approach is that the hijacking is performed without any interaction from the user. Phishing campaigns with crafted URLs and malvertising campaigns attempting to change the DNS configuration from within the user’s browser have been reported as early as 2014 and throughout 2015-2016. In early 2016 an exploit tool known as RouterHunterBr 2.0 was published on the internet and used the same malicious URLs, but there are no reports that we are aware of to date of abuse originating from this tool.
The attack is insidious in the sense that a user is completely unaware of the change. The hijacking works without crafting or changing URLs in the user’s browser. A user can use any browser and his/her regular shortcuts, he or she can type in the URL manually or even use it from mobile devices such as iPhone, iPad, Android phones or tablets. He or she will still be sent to the malicious website instead of to their requested website, so the hijacking effectively works at the gateway level.
Details of the attack
From June 12th our deception network has been recording multiple infection attempts for an old D-Link DSL router exploit.
The exploit allows unauthenticated remote configuration of DNS server settings on the modem router. The malicious URL is in the form of:
Exploits were published as early as Feb 2015 for multiple DSL routers, mostly D-Link:
- Shuttle Tech ADSL Modem-Router 915 WM / Unauthenticated Remote DNS Change: Exploit http://www.exploit-db.com/exploits/35995/
- D-Link DSL-2740R / Unauthenticated Remote DNS Change Exploit : http://www.exploit-db.com/exploits/35917/
- D-Link DSL-2640B Unauthenticated Remote DNS Change Exploit: https://www.exploit-db.com/exploits/37237/
- D-Link DSL-2780B DLink_1.01.14 – Unauthenticated Remote DNS Change: https://www.exploit-db.com/exploits/37237/
- D-Link DSL-2730B AU_2.01 – Authentication Bypass DNS Change: https://www.exploit-db.com/exploits/37240/
- D-Link DSL-526B ADSL2+ AU_2.01 – Unauthenticated Remote DNS Change: https://www.exploit-db.com/exploits/37241/
Our deception network recorded almost 500 attempts between June 8th and August 10th. All our São Paulo based honeypots captured these attempts, without exception. The rest of our global deception network did not capture any of these attempts, meaning the malicious agent was focusing his attack on Brazilian targets only, trying to increase efficiency while staying under the radar from honeypots outside of Brazil.
Exploit attempts were performed from a handful of servers. Most of the servers were located in the U.S. but the most active and at this day the only active server is located in Brazil. Below are the 5 IPs accounting for the 500 attempts:
Originally the malicious DNS server IP used in the exploit was 184.108.40.206. The IP changed to 220.127.116.11 from August 2nd 2018.
Resolving the hostname for Banco de Brazil (www.bb.com.br) through the malicious DNS server:
Equally so for Itua Unibanco:
The fake cloned website for Banco de Brasil is located at https://18.104.22.168/pbb/web and uses a self-signed certificated with a validity starting date of August 1st 2018, matching the change of malicious DNS server IP in the exploit attempts. We emphasize that that the fake cloned website for Banco de Brasil is hosted on a malicious server that has no connection whatsoever to the legitimate Banco de Brasil website.
When trying to access the account through the fake cloned website, the user is presented with a form asking for the bank agency number, account number and an eight-digit pin.
Next, the fake site requires confirmation of identity by asking users to provide mobile phone, card pin, and a CABB number.
Impact for the end-users
The banks referenced above were not directly attacked nor breached, however their users can suffer financial and private data losses through this malicious hijacking attack. The ‘only’ indicator for the user is the invalid certificate which all modern browsers clearly indicate when using secure connections. It is not even possible to access the website without explicitly confirming the “Not Secure” exception! However, the malicious website, unlike the original website, does allow unsecure connections. If the user, for some reason, bookmarked or typed a unsecured url (http:// instead of https://), the malicious website happily stay in unsecure connection and there will be no visible warning for the user.
Another impact on the victims will occur when the malicious DNS server goes offline or is taken down. The attacker is attempting to modify both primary and secondary name servers with the same malicious server IP, meaning that when the malicious server is offline, all infected homes will fail to further resolve any hostnames and their internet will be virtually inaccessible until the users manually update their router settings or the ISP overrides the settings.
Notifications and collaborations
The targeted banks have been notified as soon as we discovered the hijacking.
Radware worked closely with the Cloud Provider hosting the malicious DNS and web sites and is happy to report that since 1pm CEST the servers were taken offline.
How can users detect they were compromised?
Checking your mobile devices’, computers’ or routers’ primary and secondary DNS server settings in the IP configuration. Start with the router and in the most likely case of using DHCP on the router for devices inside the home, all devices will expose the malicious server IP as primary and secondary DNS server.
A convenient way for checking DNS servers used by your devices and router is through websites like ‘http://www.whatsmydnsserver.com/’.
What should infected users do?
Only modems and routers that were not updated in the last two years can be exploited. An update from time to time wouldn’t hurt. It will not only protect the owner of the device but also prevent devices from being enslaved for devastating DDoS attacks or used to conceal targeted attacks.
All modern browsers clearly indicate an issue with the certificate of the fake website when using secure connections. These warnings should never be ignored and exception pop-ups should not be approved without further consideration or investigation. When facing such situation, users should be urged to contact the helpdesk of the organization they were trying to access.
We’ve witnessed consumer IoT devices being enslaved in botnets devised to perform devastating DDoS attacks, mine cryptocurrency, provide anonymizing proxy services to conceal attacks and collect confidential information. Most of the activities related to IoT malware victimizing consumers’ IoT devices are not directed at the device owners. Owners are mostly unaware or they don’t care as long as the primary function of the device is not compromised. BrickerBot was the first exception, forcing users to care by bricking their devices if they didn’t and got infected with IoT malware.
This new attack which targets the IoT device owner, attempting to obtain their sensitive data is another reason for consumers to care about the state of their devices and ensure best practices are met while buying from vendors that meet and demonstrate secure standards in the development of their devices.
While this particular attack was using a two-year-old exploit, most exploits on IoT devices witnessed in the past year have been abusing remote command executions in the context of a user with administrative rights. If is not too far-fetched to image a malicious agent crafting a similar hijacking attack using command-line scripts embedded in the RCE exploit URLs.