—[ Attacked Hardware ]
CPE router providing Internet access over ADSL.
—[ Severity level ]
Severity level : Critical
Impact : DNS Injection MITM
Access Vector : Network exploitable
—[ Hardware Description ]
CPE routers are used to provide Internet access and are directly connected to the ISP. Millions of home users and organizations worldwide use these routers to connect to their ISP. The devices also act as NAT devices, provide a rudimentary DMZ and, on units shipped by every CPE manufacturer, run a DHCP server embedded in the router's OS.
—[ Attack Description ]
We have observed an attack vector targeting CPE routers used to provide ADSL connectivity.
The victim, when browsing or accessing the Internet, is directed to a server that does not belong to the requested domain.
The victim's client machine uses DHCP, so both its IP address and the DNS server IP address are handed out by the DHCP server embedded in the affected router.
Normally, the DNS server IP address is configured at installation time, and once the initial configuration is complete nobody bothers to change it, nor the password that protects configuration access.
The attacker gained access to the router, changed its DNS server to 109.74.196.50 and also changed the router's password, effectively taking over all DNS queries by way of a rogue DNS server and a rogue IP that accepts connections.
109.74.196.50 serves "A records" for in.yahoo.com, indiatimes.com and rediff.com that point to 212.113.36.83.
In the past we have observed DNS cache poisoning attacks and modification of the "hosts" file, but modifying the DNS server IP on the router and also deploying a rogue DNS server is the first of its kind for me. This type of attack opens the flood-gates for a lot of different attack vectors.
The web server at the IP address in question carries the advertising links mentioned below.
Link 1:
hxxp://www.googleadservices.com/pagead/aclk?sa=L&ai=BQpZjMbYOT_X7KoeGiAfcmLQSweK0kQOps6idQ8CNtwHwkwkQARgBIO3RuBo4AFCDsfy1-_____8BYOXS5oO8DqABh_vn2gOyAQ0yMTIuMTEzLjM2LjgzugEKMzAweDI1MF9hc8gBAtoBFWh0dHA6Ly8yMTIuMTEzLjM2LjgzL4ACAagDAcgDFegDNegDBegDDfUDAAAAwPUDAABAEIgGAaAGAg&num=1&cid=5GgGexj0cW8pXlxeTn4aLTAP&sig=AOD64_2XdwXuNKwt_zLnH8ll-xvW1vQTlg&client=ca-pub-3451543299263350&adurl=https://www.softlayer.com/lp/singapore-hosting&nm=2
Link 2:
hxxp://www.googleadservices.com/pagead/aclk?sa=L&ai=BVmcsMLYOT8CPLeOBiAe5ldX5D_mWm68CiYLLmSSRh5GDY-D2xQIQARgBIO3RuBo4AFDL6Y3g-P____8BYOXS5oO8DqABn6uj5wOyAQ0yMTIuMTEzLjM2LjgzugEKMzAweDI1MF9hc8gBAtoBFWh0dHA6Ly8yMTIuMTEzLjM2LjgzL-ABAoACAakClWJAw222VD7AAgaoAwHIAxXoAzXoAwXoAw31AwAAAMT1AwAAQBCIBgGgBgI&num=1&cid=5GiWmEtBLveZ3g0hCcQDaPyc&sig=AOD64_08TL32M9LfVt6X-FYMbanPfO4ysg&client=ca-pub-3451543299263350&adurl=https://www.bigrock.in/discounted-dot-com-domains.html%3Fa_aid%3D4d2c643cb0d0a%26location%3DIN%26chan%3Dga_sit_tar%26ad%3Dga_sit_tar&nm=9
The targeted domains are
1: in.yahoo.com
2: indiatimes.com
3: rediff.com
As of this moment this appears to be an India-centric operation with very few domains, although the list may grow over time. The method used by this attack vector, however, is global in scope.
—[ Available Information ]
Google Adsense ID : ca-pub-3451543299263350
IP Address 1 : 109.74.196.50 DNS Server
The DNS server is deployed on a cloud service provided by linode.com. This is a paid service.
IP Address 2 : 212.113.36.83 Web Server
According to robtex records, this server is located in the JSC Ukrtelecom data center (Ukraine).
—[ Mitigating the Attack ]
In my previous blog posts I mentioned that CPE routers are the least protected IP devices, with the fewest security features; an attack vector of this type changes the security perception of the entire community. One fact that is never taken into consideration is that firewalls, IPS and IDS all reside behind the router.
So, how do we protect a router?
Recently a telnet bug surfaced, so how secure these embedded devices really are is a question everyone should ask. I have yet to ascertain whether this bug existed in the affected CPE.
Secondly, if these embedded devices are affected by that bug, then changing the password as a way to mitigate the attack makes no sense: the attacker can get back in without it.
To mitigate this type of attack:
1: Manually assign the DNS server IP address on the client, so that it no longer relies on the address handed out by the router's DHCP server. In my case, I used 8.8.8.8.
2: Use DeSOPA, the Firefox extension. Initially this extension was used to circumvent SOPA-related DNS blocks; because it resolves names without going through the configured resolver, we have used it to circumvent the DNS MITM attack as well.
3: Change the router access password and ensure that the telnet port (and the web configuration interface) is NOT reachable from the Internet; allow configuration access only from the LAN.
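To verify whether the resolver your router hands out is hijacking lookups, compare its answers for the targeted domains with those of a reference resolver (the nslookup check mentioned in the comments, automated). The script below is an added example, not code from the original post or from eScan; it uses only the Python standard library and sends raw UDP DNS queries. The three domains and the address 212.113.36.83 are the values the post reports; 8.8.8.8 is the reference resolver from mitigation step 1; the 203.0.113.x / 198.51.100.x addresses in the offline demo are constructed documentation-range values, and the classification names and thresholds are the author's own choice.

```python
import random
import socket
import struct

TARGETED_DOMAINS = ("in.yahoo.com", "indiatimes.com", "rediff.com")  # from the post
ROGUE_WEB_IP = "212.113.36.83"     # web server the post says the rogue resolver points to
REFERENCE_DNS = "8.8.8.8"          # reference resolver, as in mitigation step 1


def build_query(name, txid=None):
    """Return (txid, packet) for a minimal RFC 1035 A query with RD set."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return txid, header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def _read_name(pkt, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            off += 1
            break
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (off if end is None else end)


def parse_a_records(pkt, expected_txid=None):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("DNS transaction id mismatch")
    if flags & 0x000F:                                 # RCODE != 0 (NXDOMAIN, SERVFAIL, ...)
        return []
    off = 12
    for _ in range(qd):                                # skip the question section
        _, off = _read_name(pkt, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            addrs.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return addrs


def build_response(txid, name, addrs, ttl=300):
    """Build the response a resolver would send. Used here only to construct
    sample packets offline; a rogue resolver answers in exactly this shape."""
    _, query = build_query(name, txid)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)  # QR, RD, RA set
    body = query[12:]                                  # echo the question section
    for ip in addrs:                                   # name = pointer to offset 12
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + body


def resolve_a(name, server, timeout=3.0):
    """Ask `server` on UDP/53 for the A records of `name` (needs network access)."""
    txid, query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def classify(router_answers, reference_answers, rogue_ips=(ROGUE_WEB_IP,)):
    """Compare the router-supplied resolver's answer with the reference resolver's.
    'known-rogue': an answer is an IP the post ties to this campaign.
    'no-answer':   the router resolver returned nothing usable.
    'ok':          at least one address agrees with the reference.
    'mismatch':    no overlap at all; CDN rotation can cause this, so check by hand."""
    if any(ip in rogue_ips for ip in router_answers):
        return "known-rogue"
    if not router_answers:
        return "no-answer"
    if set(router_answers) & set(reference_answers):
        return "ok"
    return "mismatch"


def check_router(router_dns, reference_dns=REFERENCE_DNS, domains=TARGETED_DOMAINS):
    """Live check: classify every targeted domain via both resolvers."""
    return {d: classify(resolve_a(d, router_dns), resolve_a(d, reference_dns)) for d in domains}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                              # usage: python check_dns.py <router DNS IP>
        for domain, verdict in check_router(sys.argv[1]).items():
            print(f"{domain:15} {verdict}")
    else:                                              # offline demo on a constructed packet
        pkt = build_response(0x1234, "in.yahoo.com", [ROGUE_WEB_IP])
        answers = parse_a_records(pkt, 0x1234)
        print("constructed rogue answer:", answers, "->", classify(answers, ["203.0.113.10"]))
```

Run it with the DNS server address shown by `ipconfig /all` (or the router's LAN address, if the router forwards DNS itself) to see a verdict per domain; run it without arguments for the offline demonstration on a constructed rogue response. A "mismatch" verdict on its own is not proof of hijacking, because large sites rotate CDN addresses; "known-rogue" is.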
—[ The Future ]
As of this moment it is an advertising-revenue generation site, but possible future scenarios are as follows:
1: Phishing site (cloned web-site). This would be very difficult to detect, as the URL in the browser would be valid while the IP behind it would be wrong. For HTTPS sites the browser would still raise a certificate warning, unless the user clicks through it.
2: Drive-by download served from a cloned site.
3: Transparent proxy with HTTP interception capabilities.
4: Tunnels? I have not yet come across any low-end router with tunneling capabilities, but mid-range to high-end routers with the telnet bug or weak passwords do have this capability. Would anyone ever attempt redirecting the traffic?
A Network Diagram will be uploaded.
—[ The Proof ]
Screen-shot from an affected system:
Screen-shot from a non-affected system:
[UPDATE]
This IP has been tagged with loads of complaints: https://www.ipillion.com/ip/212.113.36.83
[UPDATE]
This is the final post on DNS MITM topic. https://blog.escanav.com/?p=946
18 Comments
yatin
sachin.. this is what's happening to me right now.. I cannot access microsoft.com, yahoo, linkedin from my desktop.. but I can using my laptop, which is connected to the same MTNL router.. how do I fix this? I cannot bring up the router page from either.
R Sachin
Hi yatin,
The disclosure affects routers, hence whether you use a laptop or desktop you will face the same issue. In your case this is not so.
Consider scanning your desktop for virus/malware-related issues, and also ask your support engineer to check for any hardware or other issues.
More Information about downloading and our other products:
http://escanav.com/english/
Regards
Sachin R.
Pingback: Disclosure : Router based DNS MITM Attack | Welcome to the eScan … | DNS Internet
Jagjot
I was having trouble with Microsoft and Bing… I kind of wondered where the attack was originating when a clean install didn't remove my apparent selective browser hijack. I was just about to use a 4.2.2.2 DNS to check when I ran into this blog.
This means another call to Airtel for the username and password for the connection. Wish I had saved it the first time around 🙁
If I understand correctly, this should only affect PPPoA configs, right? With the PPPoE config the DNS config should be behind the Windows or a 3rd-party firewall…
Pradeep
I am also facing the same issue. Even after doing a complete check with AVG and eliminating all viruses and trojans, I am still unable to access the websites identified. Any solution for this?
Many have posted the problem here. It's very recent and spreading!!
http://www.ipillion.com/ip/212.113.36.83
Nikhil
hi sachin,
I am having the same problem. I tried to open the Yahoo site with another router and it opened, but it is not so with mine. First, can you explain to me in detail what has happened and how to fix this one. (new to these things ….)
Pingback: Cannot connect to update.microsoft.com or microsoft download servers - Page 2
R Sachin
@Jagjot: Not necessarily. Any CPE which has a login console and allows addition of a DNS server is at risk.
@Pradeep:
The resolution for this problem has been explained in the blog post.
Additionally, configure your router to allow remote access to the console only from a specific internal LAN IP. This comes under ACL in some routers.
Alternatively, disable DHCP and use a static IP address with the static DNS server IP of a known server, e.g. 8.8.8.8.
@Nikhil: use nslookup to verify; for usage of the command, view the screen-shot in this blog post.
Regards
Sachin.
Bryan
Today is Monday and my U-verse was set up this past Friday; I would not call myself a satisfied customer. Of course the technician that AT&T sent to do the install knows how to hook up the wires and perform some very basic tests (he knew what ipconfig did but did not know how to use the switch /all); he informed me that he had no training on the modem when I asked about port forwarding (I suspect he probably didn't know what port forwarding was). The Motorola router is a big disappointment. I have been putzing around with it all weekend trying to get the port forwarding to work; it does not. I was going to try using my Netgear DSL modem/router but suspected it would not work with the U-verse, so I like the idea of setting it up in passthrough mode tonight. The interface has been stripped down to the point where it's a one-size-fits-all vanilla setup. They have restricted the functionality to where, if you want to veer from their vanilla, you're better off buying your own $30 router which has myriad more options, like Wireless Distribution System (WDS). I have had trouble with AT&T DNS in the past and had already been using static DNS entries. The majority of the time I could tracert faster to Google's San Francisco routers than to AT&T in Atlanta, 150 miles away. I will try the passthrough tonight and we'll see how it goes. One other issue I had with the modem that I haven't seen mentioned here is the .ha redirect. During the setup phase, the first time you use your browser, it (the Motorola router) redirects your home page (in my case Google) to the AT&T registration page. After the registration is successful, it does not go away and keeps taking you back to it. I could not go to google.com, annoying to say the least. I spent almost 2 hours fixing this in both Chrome and IE 9. My mother, who was playing Angry Birds on her iPhone at the time, had the redirect come up where the ads usually do inside Angry Birds.
The AT&T tech support in Mumbai have never heard of this redirect issue. Yeah, right. Thanks for posting this site, good advice, cheers from the South. Rick
nikhil
sachin, a great article and very helpful……
keep it up bro.
JPS
I think using OpenDNS servers can save the router. And I agree that DHCP should be disabled within the router. It enhances the security. Better to use an odd series for the internal LAN, like 192.168.253.1.
Mani
Well Rick, as long as it works, I don't care who my provider is. I moved to AT&T since Comcast here kept raising their prices (they have an effective monopoly in San Francisco with speeds above 15Mbps). I guess in a year, I'll move back. Good luck with the move. Ron
Rahul
Hi Sachin,
I was also facing the same issue and your post is very useful. I do not understand much of the technical jargon, but after discussing with MTNL Triband support, I have specified DNS server and IP addresses instead of using the "automatic" setting. After doing this the problem seems to be resolved. Also I have changed my router password. I did not understand the point about "telnet" and "DeSOPA the Firefox extension". Basically I need to know if my connection is secure enough to start using credit cards online and, if not, what else should I do? Also, will this problem reoccur? It would be great if you could reply with some simple instructions for a lay person like myself. Also kudos to you for raising this issue !!
R Sachin
@JPS: Thanks for mentioning OpenDNS; that is one great service. But never use the OpenDNS option provided within the modem; use it within your operating system.
@nikhil : Thanks.
@Rahul:
re: DeSOPA – https://addons.mozilla.org/en-US/firefox/addon/desopa/
Every modem provides you with the feature to restrict access to its configuration, i.e. "Do you want to allow access to the router's config from the Internet?" Recommended answer = NO. So the only way in is to allow access to the router's config from a specific IP address on the LAN.
Ask your system engineer; he will guide you through this, i.e. which option is where, etc.
Will this problem re-occur? 🙂 Can't say much on this.
Regards
Sachin
Pingback: Exceptional – Botnets and Exploit Kits | Welcome to the eScan Blog
Pingback: DNSChange Botnet | Welcome to the eScan Blog
http://derangedfolks6540.soup.io
Once again an excellent post, I think I will discuss it this week with my neighbours.