There have been a number of unusual hacking techniques employed in Brazil recently. A group of hackers have used a “novel approach” to pull off a pharming attack by using phishing emails, as stated by security firm Proofpoint.
A pharming attack usually requires access to an ISP’s or organisation’s DNS servers, which are typically well-protected. However, home routers are not. Still, there is a matter of getting the right IP address of a user or group of users. This problem appears to have been solved with the help of 100 phishing emails targeting mostly Brazilian users, allegedly stated to come from Brazil’s largest telecommunications company.
“This case is striking for several reasons, not the least of which is the introduction of phishing as the attack vector to carry out a compromise traditionally considered purely network-based,” the company wrote, adding that it showed “the continued pre-eminence of email as the go-to attack vector for cybercriminals.”
The content of the emails has been said to have a malicious link which would redirect a user to a server that attacked their router, having it set up to exploit cross-site request forgery vulnerabilities in routers. A successful attack would have granted the hacker access to the router’s administration panel, where he could enter the default login credentials and change the router’s DNS. Victims could then be redirected to fraudulent websites, while hackers could even perform a man-in-the-middle attack, such as intercepting email, logins and passwords for websites, and hijacking search results, among other things.
Though some users change their login credentials once they set up their router, most users who are not well acquainted with technology might not, making them more vulnerable to attacks such as the above.
Several TP-Link routers have been found to be vulnerable to webpage based DNS hijacking attacks. Worryingly the researcher who uncovered information about this vulnerability, Jacob Lell, has also found “an active exploitation campaign,” aimed at the affected TP-Link routers. Meanwhile TP-Link has released updated firmware for some but not all of its affected networking hardware.
There have been many router exploits before, however this newly reported TP-Link exploit looks more immediately serious as Mr Lell has found “five different instances of the exploit on unrelated websites so far”. An automated client honeypot system set up by Lell generated “some 280 GB of web traffic”. The five unrelated instances of the exploit he found tried to change the primary nameserver to three different IP addresses.
The affected TP-Link routers have something called a CSRF vulnerability. These routers allow access to their web-based administration page using HTTP authentication. “When entering the credentials to access the web interface, the browser typically asks the user whether he wants to permanently store the password in the browser. However, even if the user doesn’t want to permanently store the password in the browser, it will still temporarily remember the password and use it for the current session,” explains Lell.
If a user then visits a compromised site, like one of the five discovered so far, the site attempts to “change the upstream DNS server of the router to an attacker-controlled IP address, which can then be used to carry out man-in-the-middle attacks,” says Lell. After that DNS change web addresses typed in by the user can be easily redirected to phishing sites and similar places you wouldn’t ordinarilty want to visit. Also, among many other consequences, software updates can be blocked and email accounts hijacked.
The following devices are confirmed to be vulnerable:
TP-Link WR1043ND V1 up to firmware version 3.3.12 build 120405 is vulnerable (version 3.3.13 build 130325 and later is not vulnerable)
TP-Link TL-MR3020: firmware version 3.14.2 Build 120817 Rel.55520n and version 3.15.2 Build 130326 Rel.58517n are vulnerable (but not affected by current exploit in default configuration)
TL-WDR3600: firmware version 3.13.26 Build 130129 Rel.59449n and version 3.13.31 Build 130320 Rel.55761n are vulnerable (but not affected by current exploit in default configuration)
WR710N v1: 3.14.9 Build 130419 Rel.58371n is not vulnerable
Some other untested devices are also likely to be vulnerable
Thank you Hexus for providing us with this information Image courtesy of Hexus