Friday, January 24, 2025
HomeCyber AttackHackers Hijacked More Than 100,000 Routers DNS Settings and Redirecting Users to...

Hackers Hijacked More Than 100,000 Routers DNS Settings and Redirecting Users to Malicious WebSites

Published on

SIEM as a Service

Follow Us on Google News

Hackers hijacked 100,000+ Routers and modified their DNS settings to redirect their DNS requests through malicious DNS servers to steal banking credentials.

The DNSChanger campaign named GhostDNS appears to be starting from September 20, 2018, and it grows significantly by adding a bunch of new scanners. The campaign attempts a brute force on the router’s web page or bypass authentication using dnscfg.cgi exploit.

The malicious campaign primarily focuses on Brazil, according to Netlab’s report more than 100k+ routers infected (87.8% located in Brazil), and 70+ router/firmware have been involved, and 50+ domain names such as some big banks in Brazil and even Netflix.

GhostDNS Hijacked 100,000+ Routers

The GhostDNS is made up of four different parts DNSChanger Module, Phishing Web module, Web Admin module, Rogue DNS module.

GhostDNS

DNSChanger Module

The module is responsible for information collection and carries out attack by using three DNSChanger sub-modules against the routers on both internet and intranet networks. This DNS changer module consists of 100+ attack scripts that affecting 70+ different routers.

GhostDNS

While examing one of the sub-module PyPhp DNSChanger which contains 69 attack scripts against 47 different routers/firmware, Netlab discovered some statistics information which shows this particular module itself infected more than 62,00 routers.

GhostDNS

Web Admin

Researchers found the admin panel in one of the PyPhp DNSChanger node contains the login page of the Web Admin System.

Rogue DNS module

The Rouge DNS server contains a number of hijacked domains, primarily banking domains, cloud hosting services, and domain belongs to security company Avira.

Phishing Web module

The rogue DNS server hijacks targeted domain’s and resolves them to phishing server and the phishing server servers corresponding phishing site.

With this ghosts campaign between 09-21 to 09-27, the hackers primarily targeted users located in Brazil.

GhostDNS

Netlab says GhostDNS system poses a real threat to the Internet. It is highly scaled, utilizes diverse attack vector, adopts automated attack process.

Related read

Hackers Hijacked 7,500+ MikroTik Routers and Redirecting User Traffic to Attackers

Hackers Hijacking DLink Routers to Gain Bank Credentials By Using Various Router Exploits

Hackers Attack Over 200,000 MikroTik Routers & Infected with Mass Coinhive Cryptojacking Malware

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Android Kisok Tablets Vulnerability Let Attackers Control AC & Lights

A startling security flaw found in Android-based kiosk tablets at luxury hotels has exposed...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with...

Beware of Fake Captcha Verifications Spreading Lumma Malware

In January, Netskope Threat Labs uncovered a sophisticated global malware campaign leveraging fake CAPTCHA...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Android Kisok Tablets Vulnerability Let Attackers Control AC & Lights

A startling security flaw found in Android-based kiosk tablets at luxury hotels has exposed...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with...