Chrome Exploit Changes DNS Servers

Wednesday, May 27, 2015 @ 03:05 PM gHale

There is a new campaign out there aimed at compromising SOHO routers and changing their DNS settings so attackers can redirect users to phishing sites, hijack their search queries, and intercept traffic, a researcher found.

This campaign apparently targets Google’s Chrome browser users and ignores others. Chrome users who visit a compromised website end up redirected to a site that serves cross-site request forgery (CSRF) code that determines which router model the victims use, said security researcher that goes by the name Kafeine in a blog post.

Financial Institution Attacks Uncovered
Warding Off EU’s Sophisticated Attacks
Stealth Malware Turns Servers into Spambots
ICANN Investigating Attack

An exploit for one of several vulnerabilities — CVE-2015-1187, CVE-2008-1244, or CVE-2013-2645 – ends up served, or several sets of common administrative credentials see action in an effort to access the router’s administration interface.

Routers’ web-based administration interfaces are actually inaccessible from the Internet (with a disabled remote management), but accessible from the local network like from the user’s browser.

CSRF attacks exploit the trust that a site has in a user’s browser. In this case, the browser ends up made to execute malicious actions on the router’s web administration interface.

“We know they can do: Bank/webmoney MITM, phishing, adfraud, etc.. But to the question : ‘What are they doing?’ … I have no reply yet,” Kafeine said.

This campaign can compromise over 55 router models sold by Asus, Belkin, D-Link, Linksys, Netgear, Zyxel and several other manufacturers.

The routers’ DNS settings change to point to a DNS server controlled by attackers, with Google’s public DNS server as the secondary, fallback one.

The campaign has been going on for over a month, and millions of devices from around the world have potentially suffer from the issue. It all depends on the effectiveness of the exploits: A fix for CVE-2015-1187 released earlier this year, but it’s unlikely that many users have implemented the patch.

Leave a Reply

You must be logged in to post a comment.