Cybercriminals redirect traffic from D-Link routers to malicious sites


To compromise devices, attackers use known vulnerabilities in the firmware.

In the past three months, a cybercriminal group has been hacking into home routers (mostly D-Link models), changing DNS server settings, and redirecting traffic to malicious websites. To compromise devices, attackers use known vulnerabilities in the firmware.

According to Bad Packets' specialists monitoring the campaign, the list of attacked routers includes D-Link DSL-2640B, D-Link DSL-2740R, D-Link DSL-2780B, D-Link DSL-526B, ARG-W4 ADSL, DSLink 260E, Secutech and TOTOLINK devices. Experts recorded three waves of attacks: at the end of December 2018, in early February 2019 and at the end of March. The campaign is still active.

During attacks, cybercriminals inject the IP addresses of malicious DNS servers and replace the IP addresses of legitimate sites with the addresses of malicious resources. At the moment, researchers have identified only four addresses - 66.70.173.48, 144.217.191.145, 195.128.126.165 and 195.128.124.131.

Experts have not yet been able to determine which legitimate sites the attackers are replacing; however, they found that most DNS requests are redirected to two IP addresses: one belongs to a Bulgarian hosting provider that has been linked to malicious campaigns in the past, and the second to a parked-domain monetization service.

Experts recommend that owners of routers update the firmware of their devices, as well as check the DNS settings for changes.
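As an added example (not part of the original report), the two checks above written out in Python: read the resolvers a client was handed, compare them against the four rogue addresses named in the article, and compare A-record answers from the configured resolver with those from a trusted one. The resolv.conf text and the DNS answers are constructed sample data; the `.example` domains and documentation-range addresses are placeholders.

```python
import re
from typing import Dict, Iterable, List, Tuple

# The four rogue DNS server addresses Bad Packets attributed to this campaign.
ROGUE_RESOLVERS = {"66.70.173.48", "144.217.191.145",
                   "195.128.126.165", "195.128.124.131"}

def parse_nameservers(resolv_conf: str) -> List[str]:
    """Extract nameserver IPs from resolv.conf-style text, ignoring comments."""
    servers = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"nameserver\s+(\S+)", line)
        if match:
            servers.append(match.group(1))
    return servers

def flag_rogue_resolvers(nameservers: Iterable[str],
                         rogue: Iterable[str] = ROGUE_RESOLVERS) -> List[str]:
    """Return the configured resolvers that appear on the known-rogue list."""
    rogue_set = set(rogue)
    return [ns for ns in nameservers if ns in rogue_set]

def find_hijacked_answers(configured: Dict[str, str],
                          trusted: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Domains whose A record from the configured resolver differs from a
    trusted resolver's. A mismatch is a lead, not proof: CDNs and geo-DNS
    also hand out different addresses, so confirm before acting."""
    return {name: (configured[name], trusted[name])
            for name in configured
            if name in trusted and configured[name] != trusted[name]}

# Constructed sample data: a resolv.conf as a hijacked router would hand out
# via DHCP, plus A-record answers gathered from that resolver and a trusted one.
SAMPLE_RESOLV_CONF = """# Generated by DHCP (constructed sample)
nameserver 66.70.173.48
nameserver 192.168.1.1
"""
SAMPLE_CONFIGURED = {"bank.example": "203.0.113.10", "shop.example": "198.51.100.5"}
SAMPLE_TRUSTED = {"bank.example": "203.0.113.10", "shop.example": "198.51.100.77"}

def audit(resolv_conf: str = SAMPLE_RESOLV_CONF,
          configured: Dict[str, str] = SAMPLE_CONFIGURED,
          trusted: Dict[str, str] = SAMPLE_TRUSTED) -> Dict[str, object]:
    """Run both checks and return the findings."""
    return {"rogue_resolvers": flag_rogue_resolvers(parse_nameservers(resolv_conf)),
            "hijacked_answers": find_hijacked_answers(configured, trusted)}
```

On most home networks the client only sees the router itself (e.g. 192.168.1.1) as its resolver, so the rogue upstream address is visible only in the router's own DNS settings page; feed those values into `flag_rogue_resolvers` as well.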

Domain parking is the registration of a domain name on a parking service's DNS servers without using the domain for its intended purpose (hosting a website). Domain parking lets the owner reserve an unused domain name.