Exploit Kit Using CSRF to Redirect SOHO Router DNS Settings

French researcher Kafeine has found an exploit kit delivering cross-site request forgery attacks that focus on SOHO routers and changing DNS settings to redirect to malicious sites.

Attacks targeting small office and home router DNS settings, long a target for network intruders seeking to redirect web traffic to malicious sites, have for the first time been included in an exploit kit—one that specializes in cross-site request forgery attacks.

An exploit kit has been spotted by French researcher Kafeine, who on Friday published research about the attacks. At its peak on May 9—after a month-long series of modifications from the attackers that included better JavaScript obfuscation—traffic from the campaign peaked at almost a million hits, Kafeine said.

The attackers are driving a lot of traffic from Chrome users in particular, Kafeine said. Such pharming attacks are particularly dangerous—and have targeted home routers before—putting online banking and other sensitive transactions and communication at risk. The researcher said he hasn’t been able to determine the extent of any damage, but given the state of router vulnerability management, it could be a gold mine.

“There are fresh exploits inside, and if a user already has trouble updating their software, we can guess router update is not something people are doing,” Kafeine said. “This kind of attack is really old, but yes [this is the] first time I’ve seen something with obfuscation, rotating domains and landing going after DNS​.”

Researchers at Kaspersky Lab published a report in September on similar web-based attacks against routers taking place in Brazil. Rather than exploit kits, the attackers relied on phishing emails and malicious websites to push code that change home router DNS settings and point them toward phishing websites for some of Brazil’s largest banks in an attempt to steal credentials.

“This is something I hadn’t seen in the attacks I was researching. But this was expected: put everything together in a exploit kit is a natural movement from bad guys, as we see an avalanche of vulnerabilities in network devices that allows CSRF,” said Kaspersky Lab researcher Fabio Assolini of Kafeine’s findings.

Assolini, who lives in Brazil, said hackers in his country are beginning to move in this direction as well in terms of using CSRF attacks, but he has yet to see exploit kits or heavy JavaScript obfuscation.

“I think the worst scenario is related to attacks that use (remote code execution), exploiting these vulnerabilities to change DNS remotely, as there are a lot of devices that are outdated,” Assolini said, adding that a separate attack in 2011 in Brazil compromised more than four million devices.

SOHO routers are infected in this campaign via drive-by download attacks and malvertising on popular websites. The attackers’ concentration on Chrome and Chromium users could be because of their ability to discover local and public IP addresses using tools such as one developed by Daniel Roesler called WebRTC-ips. WebRTC is present in Chrome—and Firefox—and allows browsers and mobile apps to communicate in real time via APIs. Roesler’s tool takes advantage of the fact that WebRTC allows requests to STUN servers (Session Traversal Utilities for NAT) that will return IP information. These use of such requests, Kafeine said, allows an attacker to avoid having to launch noisy shotgun-style attacks.

Kafeine explained in a post on his website that he first spotted the attacks in April, expecting at the outset for the payload to be ransomware; instead he saw a cross-site request forgery and related pharming attacks. CSRF attacks force victims to submit malicious requests on the attackers’ behalf, usually on sites where the victim is already logged in. Kafeine said the original exploit was written in the clear, but inside of a month, had already added obfuscation to the mix among many improvements.

The code included a long list of routers to target from popular vendors, including D-Link, Belkin, Asus, Linksys, Netgear and others. In one example from Kafeine where he “posed” as a vulnerable router, it was hit with an exploit for a recent D-Link command injection vulnerability (CVE-2015-1187), which was made public and patched March 2.

“I guess this attack is pretty effective (the percentage of routers updated in the past two months is probably really low),” Kafeine wrote. In the attack, the DNS address was changed to 185[.]82[.]216[.]86; it has since been changed to 217[.]12[.]202[.93], and always uses Google’s DNS as a failover should the first IP fail, Kafeine said. A deeper look at the attack code, he said, revealed exploits for a CVE published in 2008 and another from 2013.

“We can bet there are a lot more buried in the POST commands dedicated to some of the models,” he wrote.

The risk to users is substantial he said, ranging from financial loss, to click-fraud, man-in-the-middle attacks and phishing.

“That depend on what the bad guys’ plans are,” Kafeine said. “They can stealthily alter traffic of all computers in the perimeter, show ad-banners, do some phishing etc…”

This article was updated to remove references to the Sweet Orange exploit kit.

Suggested articles