Hackers hijacked 100,000+ Routers and modified their DNS settings to redirect their DNS requests through malicious DNS servers to steal banking credentials.
The DNSChanger campaign named GhostDNS appears to be starting from September 20, 2018, and it grows significantly by adding a bunch of new scanners. The campaign attempts a brute force on the router’s web page or bypass authentication using dnscfg.cgi exploit.
The malicious campaign primarily focuses on Brazil, according to Netlab’s report more than 100k+ routers infected (87.8% located in Brazil), and 70+ router/firmware have been involved, and 50+ domain names such as some big banks in Brazil and even Netflix.
The GhostDNS is made up of four different parts DNSChanger Module, Phishing Web module, Web Admin module, Rogue DNS module.
The module is responsible for information collection and carries out attack by using three DNSChanger sub-modules against the routers on both internet and intranet networks. This DNS changer module consists of 100+ attack scripts that affecting 70+ different routers.
While examing one of the sub-module PyPhp DNSChanger which contains 69 attack scripts against 47 different routers/firmware, Netlab discovered some statistics information which shows this particular module itself infected more than 62,00 routers.
Researchers found the admin panel in one of the PyPhp DNSChanger node contains the login page of the Web Admin System.
The Rouge DNS server contains a number of hijacked domains, primarily banking domains, cloud hosting services, and domain belongs to security company Avira.
The rogue DNS server hijacks targeted domain’s and resolves them to phishing server and the phishing server servers corresponding phishing site.
With this ghosts campaign between 09-21 to 09-27, the hackers primarily targeted users located in Brazil.
Netlab says GhostDNS system poses a real threat to the Internet. It is highly scaled, utilizes diverse attack vector, adopts automated attack process.
Hackers Hijacked 7,500+ MikroTik Routers and Redirecting User Traffic to Attackers
Hackers Hijacking DLink Routers to Gain Bank Credentials By Using Various Router Exploits
Hackers Attack Over 200,000 MikroTik Routers & Infected with Mass Coinhive Cryptojacking Malware
A recent technical study conducted by researchers at Trinity College Dublin has revealed that Google…
In a concerning development, cybercriminals are increasingly targeting cloud-based generative AI (GenAI) services in a…
Microsoft has introduced a series of technical recommendations to bolster the security of Virtualization-Based Security…
A sophisticated cyber espionage campaign targeting the aviation and satellite communications sectors in the United…
Microsoft has announced the removal of the Data Encryption Standard (DES) encryption algorithm from Kerberos…
Security researchers have uncovered sophisticated obfuscation techniques employed by APT28, a Russian-linked advanced persistent threat…
