Exploit Kit Using CSRF to Redirect SOHO Router DNS Settings

French researcher Kafeine has found an exploit kit delivering cross-site request forgery attacks that focus on SOHO routers and changing DNS settings to redirect to malicious sites.

Attacks targeting small office and home router DNS settings, long a target for network intruders seeking to redirect web traffic to malicious sites, have for the first time been included in an exploit kit—one that specializes in cross-site request forgery attacks.

An exploit kit has been spotted by French researcher Kafeine, who on Friday published research about the attacks. At its peak on May 9—after a month-long series of modifications from the attackers that included better JavaScript obfuscation—traffic from the campaign peaked at almost a million hits, Kafeine said.

The attackers are driving a lot of traffic from Chrome users in particular, Kafeine said. Such pharming attacks are particularly dangerous—and have targeted home routers before—putting online banking and other sensitive transactions and communication at risk. The researcher said he hasn’t been able to determine the extent of any damage, but given the state of router vulnerability management, it could be a gold mine.

“There are fresh exploits inside, and if a user already has trouble updating their software, we can guess router update is not something people are doing,” Kafeine said. “This kind of attack is really old, but yes [this is the] first time I’ve seen something with obfuscation, rotating domains and landing going after DNS​.”

Researchers at Kaspersky Lab published a report in September on similar web-based attacks against routers taking place in Brazil. Rather than exploit kits, the attackers relied on phishing emails and malicious websites to push code that change home router DNS settings and point them toward phishing websites for some of Brazil’s largest banks in an attempt to steal credentials.

“This is something I hadn’t seen in the attacks I was researching. But this was expected: put everything together in a exploit kit is a natural movement from bad guys, as we see an avalanche of vulnerabilities in network devices that allows CSRF,” said Kaspersky Lab researcher Fabio Assolini of Kafeine’s findings.

Assolini, who lives in Brazil, said hackers in his country are beginning to move in this direction as well in terms of using CSRF attacks, but he has yet to see exploit kits or heavy JavaScript obfuscation.

“I think the worst scenario is related to attacks that use (remote code execution), exploiting these vulnerabilities to change DNS remotely, as there are a lot of devices that are outdated,” Assolini said, adding that a separate attack in 2011 in Brazil compromised more than four million devices.

SOHO routers are infected in this campaign via drive-by download attacks and malvertising on popular websites. The attackers’ concentration on Chrome and Chromium users could be because of their ability to discover local and public IP addresses using tools such as one developed by Daniel Roesler called WebRTC-ips. WebRTC is present in Chrome—and Firefox—and allows browsers and mobile apps to communicate in real time via APIs. Roesler’s tool takes advantage of the fact that WebRTC allows requests to STUN servers (Session Traversal Utilities for NAT) that will return IP information. These use of such requests, Kafeine said, allows an attacker to avoid having to launch noisy shotgun-style attacks.

Kafeine explained in a post on his website that he first spotted the attacks in April, expecting at the outset for the payload to be ransomware; instead he saw a cross-site request forgery and related pharming attacks. CSRF attacks force victims to submit malicious requests on the attackers’ behalf, usually on sites where the victim is already logged in. Kafeine said the original exploit was written in the clear, but inside of a month, had already added obfuscation to the mix among many improvements.

The code included a long list of routers to target from popular vendors, including D-Link, Belkin, Asus, Linksys, Netgear and others. In one example from Kafeine where he “posed” as a vulnerable router, it was hit with an exploit for a recent D-Link command injection vulnerability (CVE-2015-1187), which was made public and patched March 2.

“I guess this attack is pretty effective (the percentage of routers updated in the past two months is probably really low),” Kafeine wrote. In the attack, the DNS address was changed to 185[.]82[.]216[.]86; it has since been changed to 217[.]12[.]202[.93], and always uses Google’s DNS as a failover should the first IP fail, Kafeine said. A deeper look at the attack code, he said, revealed exploits for a CVE published in 2008 and another from 2013.

“We can bet there are a lot more buried in the POST commands dedicated to some of the models,” he wrote.

The risk to users is substantial he said, ranging from financial loss, to click-fraud, man-in-the-middle attacks and phishing.

“That depend on what the bad guys’ plans are,” Kafeine said. “They can stealthily alter traffic of all computers in the perimeter, show ad-banners, do some phishing etc…”

This article was updated to remove references to the Sweet Orange exploit kit.

Suggested articles


  • John on

    Routers could be locked down more and should if you do not need certain open ports. But the problem is many routers are defaulted to more flexible settings to ease setup complications. I doubt many people care to try and change settings in router firmware for fear of breaking something. How many even update the firmware is another question. I still see plenty of new routers that do not upgrade firmware automatically. Its no wonder this has become a gold mine for hackers.
  • Eric on

    Vendors should come up with a system to let routers pull down new firmware updates automatically from the vendor site. Because no normal non-tech person is going to update their router firmware or know how to. This needs to be automated for the masses.
    • Jeff on

      An easier method should be made but not automatic updates. My old router had that option and guess what - a broken update made its way through their testing. I had to take the router out and connect a laptop directly to the Internet to download an old version, hack the device to allow it to accept the old version, then restore everything. None of "the masses" are going to be able to do that part.
    • Robert.Walter on

      Apple AirPort routers have had easy to update firmware for years. They also appear to not be affected by these exploits.
  • Tommy on

    YES! If I were a "black hat" I would LOVE routers that update themselves. All I would have to do is poison their DNS so it points to a server under my control, and then I can upload whatever software I want!
  • Eric on

    or you could just allow the user to verify the checksum of the downloaded firmware file to the files they keep on their end before they actually commit the installation of the newly downloaded firmware. Didn't say it was perfect. I never heard of perfect security. Technically you could poison anyones DNS for any purpose not just firmware downloads. You could exploit this when they go to their vendors website to download the firmware. I guess the better method would be education. Why can't I receive an alert that my router is out of date and provide easy instructions for average users to follow.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.