A recently discovered hack of home and small office routers redirects users to malicious websites claiming to be COVID-19 information resources to install malware that steals cryptocurrency passwords and credentials, researchers said on Wednesday.
A post released by security company Bitdefender says the compromises hit Linksys routers, although BleepingComputer, who reported the attack two days ago, said the campaign also targets D-Link devices.
It remains unclear how attackers compromise the router. The researchers cite data from Bitdefender security products and suspect that the hackers will guess the passwords used to secure the router's remote management console when this feature is enabled. Bitdefender also hypothesized that compromises could be made by guessing credentials for the Linksys cloud user accounts.
Not the AWS site you're looking for
The router compromises allow attackers to determine the DNS servers used by connected devices. DNS servers use the Internet domain name system to translate domain names into IP addresses so that computers can find the location of sites or servers that users want to access. By sending devices to DNS servers that enable fraudulent searches, attackers can redirect people to malicious websites that host malware or attempt to fake passwords.
The malicious DNS servers send targets to the domain they requested. However, behind the scenes, the websites are faked, which means that they are provided by malicious IP addresses and not by the legitimate IP address used by the domain owner. Liviu Arsene, the Bitdefender researcher who wrote Wednesday's post, told me that fake websites close port 443, the Internet gate that carries traffic that is protected by HTTPS authentication protection. Closing causes websites to connect via HTTP, preventing the display of warnings from browsers or email clients that a TLS certificate is invalid or untrustworthy.
Domains included in the campaign include:
- aws.amazon.com
- goo.gl
- bit.ly
- washington.edu
- imageshack.us
- ufl.edu
- disney.com
- cox.net
- xhamster.com
- pubads.g.doubleclick.net
- tidd.ly
- redditblog.com
- fiddler2.com
- winimage.com
The IP addresses for the malicious DNS searches are 109.234.35.230 and 94.103.82.249.
Malicious website users claim to offer an app that contains "the latest corona virus information and instructions (COVID-19)".
Bifdefender
Ultimately, users who click the download button will be redirected to one of several Bitbucket sites that offer a file for installing malware. Known as Oski, the relatively new malware extracts browser credentials, cryptocurrency wallet addresses, and possibly other types of sensitive information.
USA, Germany and France most targeted
There were 1,193 downloads from one of the four Bitbucket accounts used. For attackers who use at least three other Bitbucket accounts, the download number is likely to be much higher. (The actual number of people infected is likely to be less than the total number of downloads as some people may not have clicked the installer or accessed the page for research purposes.)
Bitdefender data show that the attack started on or around March 18 and peaked on March 23. Bitdefender data also show that the most commonly targeted routers were in Germany, France, and the United States. Currently, these countries are among the countries most affected by the devastating effects of COVID-19, which had caused more than 436,856 infections and 19,549 deaths worldwide as of the date of this publication.
To prevent attacks on routers, remote management should be deactivated on the devices if possible. If this function is absolutely necessary, it should only be used by experienced users and protected with a secure password. Cloud accounts that can also be used to manage routers remotely should follow the same guidelines. In addition, users should often ensure that the router firmware is up to date.
People who want to verify that they have been targeted can look for compromise indicators in the Bitdefender post. Note: The indicators can be difficult to follow for less experienced users.
