Tuesday, March 25, 2014

300,000 routers hacked to change DNS

http://arstechnica.com/security/2014/03/hackers-hijack-300000-plus-wireless-routers-make-malicious-changes/

Hackers hijack 300,000-plus wireless routers, make malicious changes

Devices made by D-Link, Micronet, Tenda, and TP-Link hijacked in ongoing attack.

[Figure: Three phases of an attack that changes a router's DNS settings by exploiting a cross-site request vulnerability in the device's Web interface. Credit: Team Cymru]

Researchers said they have uncovered yet another mass compromise of home and small-office wireless routers, this one being used to make malicious configuration changes to more than 300,000 devices made by D-Link, Micronet, Tenda, TP-Link, and others.

The hackers appear to be using a variety of techniques to commandeer the devices and make changes to the domain name system (DNS) servers used to translate human-friendly domain names into the IP addresses computers use to locate their Web servers, according to a report published Monday by researchers from security firm Team Cymru. Likely hacks include a recently disclosed cross-site request forgery (CSRF) that allows attackers to inject a blank password into the Web interface of TP-Link routers. Other attack techniques may include one that allows wireless WPA/WPA2 passwords and other settings to be remotely changed.

So far, the attacks have hijacked more than 300,000 routers in a wide range of countries, including Vietnam, India, Italy, Thailand, and Colombia. Each compromise has the potential to redirect virtually all connected end users to malicious websites that attempt to steal banking passwords or push booby-trapped software, the Team Cymru researchers warned. The campaign comes weeks after researchers from several unrelated organizations uncovered separate ongoing mass hacks of other routers, including a worm that hit thousands of Linksys routers and the exploit of a critical flaw in Asus routers that exposes the contents of hard drives connected by USB.

Yet another recently discovered campaign targeting online bank customers in Poland worked in part by modifying home routers' DNS settings. In turn, the phony domain name resolvers listed in the router settings redirected victims' computers, tablets, and smartphones to fraudulent websites masquerading as an authentic bank service. The malicious sites would then steal the victims' login credentials. The router "pharming" attack reported by Team Cymru appears to be part of a distinct campaign given its much larger size, geographic diversity, and the fact that so far there are no indications that DNS lookups for banking sites are affected.

"The scale of this attack suggests a more traditional criminal intent, such as search result redirection, replacing advertisements, or installing drive-by downloads; all activities that need to be done on a large scale for profitability," Monday's report stated. "The more manually intensive bank account transfers seen in Poland would be difficult to conduct against such a large and geographically-disparate victim group."

Have I been hacked?

The telltale sign that a router has been compromised is DNS settings that have been changed to 5.45.75.11 and 5.45.76.36. Team Cymru researchers contacted the provider that hosts those two IP addresses but have yet to receive a response. The researchers also privately contacted representatives of all manufacturers of routers being successfully hacked in this latest campaign.

Monday's report is the latest to underscore the growing real-world attacks that target weaknesses in routers, modems, and other devices running embedded software. Once the domain of computers running Microsoft operating systems, these hacks in some cases exploit software bugs in the underlying code. In other cases, they seize on the use of default passwords or other errors made by the people using the targeted devices.

"As embedded systems begin to proliferate in both corporate and consumer networks, greater attention needs to be given to what vulnerabilities these devices introduce," the Team Cymru researchers wrote. "Security for these devices is typically a secondary concern to cost and usability and has traditionally been overlooked by both manufacturers and consumers."

Given the increasing success in compromising home and small-office routers, users should regularly review their devices to make sure they're not vulnerable to the most common types of exploits. The most important thing readers should do is to make sure the device is running the latest-available version of the firmware. Readers should also disable remote administration capabilities if they're not needed. If they are needed, users should limit the remote IP addresses that can access the router. It's also a good idea to regularly check DNS settings to ensure they haven't been altered. When possible, it can be helpful to disable a router's Web interface in favor of a command line since the interfaces are often susceptible to cross-site request forgeries and other types of attacks that target Web-programming weaknesses.
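The two checks the article recommends, looking for the resolver addresses it names and verifying that the DNS settings have not drifted from what you expect, can be automated. The script below is an added example, not code from the article or from Team Cymru; it assumes the resolver list is obtained from a resolv.conf file or from `ipconfig /all` output, and the sample inputs are constructed for illustration.

```python
import ipaddress
import re

# The two resolver addresses the article names as the telltale sign of compromise.
ROGUE_DNS = frozenset({"5.45.75.11", "5.45.76.36"})
_NAMESERVER = re.compile(r"\s*nameserver\s+(\S+)")      # resolv.conf style
_WIN_DNS = re.compile(r"\s*DNS Servers[ .]*:\s*(\S+)")   # `ipconfig /all` style
_CONTINUATION = re.compile(r"\s+\S+$")                   # further servers on following lines

def parse_dns_servers(text):
    """Extract resolver addresses from resolv.conf or `ipconfig /all` output."""
    servers, in_dns_block = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if m := _NAMESERVER.match(line):
            in_dns_block, candidate = False, m.group(1)
        elif m := _WIN_DNS.match(line):
            in_dns_block, candidate = True, m.group(1)
        elif in_dns_block and _CONTINUATION.match(line):
            candidate = line.strip()
        else:
            in_dns_block = False
            continue
        try:
            servers.append(str(ipaddress.ip_address(candidate)))
        except ValueError:
            pass  # not a plain address (hostname, zone-scoped IPv6, etc.): ignore
    return servers

def assess(servers, expected=frozenset()):
    """Flag the report's resolvers as 'rogue' and anything outside the trusted set as 'unexpected'."""
    findings = []
    for s in servers:
        if s in ROGUE_DNS:
            findings.append((s, "rogue"))
        elif expected and s not in expected:
            findings.append((s, "unexpected"))
    if any(kind == "rogue" for _, kind in findings):
        return "hijacked", findings
    return ("changed" if findings else "ok"), findings

# Constructed sample: a Windows host behind a hijacked router was handed the rogue resolvers.
SAMPLE_IPCONFIG = """\
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 5.45.75.11
                                       5.45.76.36
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
SAMPLE_RESOLV = "# constructed\nnameserver 192.168.0.1\nnameserver 8.8.8.8\n"  # altered, not rogue
```

Pass the real `ipconfig /all` output or `/etc/resolv.conf` contents to `parse_dns_servers`, and give `assess` the resolver set your ISP or router is supposed to hand out; a "changed" verdict means the settings differ from that baseline even if the article's addresses are not present.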

Cross-site request forgery techniques are among the most widely used for hijacking routers. In the past five months, several exploits have been published showing how to use them to compromise routers made by Zyxel and TP-Link. Interestingly, such attacks often must be launched from another device already connected to the targeted router. It's not immediately clear how that happens. One possibility is that an attacker website bounces malicious code off a connected device, which then relays it to the router.



http://www.tuvantinhoc1088.com/bao-mat/11-bo-mt/13475-300-000-router-b-hack-d-thay-d-i-dns.html

300,000 routers hacked to change DNS


A malicious attack targeting routers, discovered by researchers, has affected more than 300,000 home and small-office routers made by D-Link, TP-Link, Micronet and Tenda.

Hackers successfully broke into these routers and changed their DNS server settings, which can lead to serious consequences.

Team Cymru, which published details of the attack on Monday, said that various techniques were used to break into the routers and change their settings. In particular, the attackers used CSRF (cross-site request forgery) attacks to change the DNS settings automatically when the web-interface password was left blank. The attackers also exploited another security flaw to access configuration files through unauthenticated URLs.

These attacks were only possible because of security holes in the routers' firmware. Team Cymru said that most of the affected users are in Vietnam, India and Italy.

The attacked routers have their DNS server addresses changed to 5.45.75.11 and 5.45.75.36, opening the door to malicious activity. For example, hackers can redirect traffic destined for an online banking address to websites set up with malicious content in order to steal personal information or to download malware.
