The UK’s National Cyber Security Centre (NCSC) has issued a warning about DNS hijacking threats, as reports emerge of widespread attacks in Brazil affecting 180,000 users.
The NCSC posted the advisory on Friday as a follow-up to one issued in January. DNS hijacking attackers typically take control of an authoritative DNS server, change the entries stored there and in so doing covertly redirect users to servers under their control, in a Man in the Middle attack.
This is what happened in the DNSpionage campaign revealed earlier this year and the Sea Turtle attacks which Cisco Talos last week claimed are still ongoing.
However, DNS hijackers are also targeting consumers with a slightly different modus operandi, Avast revealed in a recent blog post.
These attacks look to modify the settings on home routers, potentially via cross-site request forgery (CSRF) web-based attacks, so that they use rogue DNS servers. Once again, the end goal is to secretly redirect the user to a phishing page or one capable of installing malware on their machine.
Avast claims to have blocked over 4.6m CSRF attacks during February and March alone in Brazil, adding that 180,000 users have had their DNS hijacked in the first half of 2019.
The initial CSRF attack often happens via malvertising when a user visits a compromised website.
“When visiting a compromised site, the victim is unknowingly redirected to a router exploit kit landing page, which is usually opened in a new window or tab, initiating the attack on the router automatically, without user interaction,” it said.
“In general, the exploit kit attempts to find the router IP on a network, and subsequently attempts to guess the password using various login credentials. Once the hacker successfully logs into the router, the exploit kit attempts to alter the router’s DNS settings using various CSRF requests.”
GhostDNS, Navidade and SonarDNS are the three exploit kits being used in these attacks. Once a rogue DNS server is installed, the attackers look to monetize their efforts via phishing to steal Netflix and banking credentials from consumers; replacing good ads with malicious ones to steal traffic for profit; and installing browser-based crypto-jacking scripts.
Avast urged consumers to stay on the latest router firmware version; use strong and unique log-ins for online banking and routers; and to check their banking sites have a valid certificate.
