Stefan Tanase, principal security researcher at Ixia, told Ars that the DNS servers described in this article were taken down and that the attackers replaced them with new DNS servers. Ixia analyzed the rogue DNS server and found that it targets the following domains: GMail.com, PayPal.com, Netflix.com, Uber.com, caix.gov.br, itau.com.br, bb.com.br, bancobrasil.com.br, sandander.com.br, pagseguro.uol.com.br, sandandernet.com.br, cetelem.com.br, and possibly other sites. People trying to reach one of these domains from an infected router are connected instead to a server that serves its own pages over plain HTTP.
Below is how cetelem.com.br appears in Firefox on a machine configured to use one of the malicious DNS servers.
On Friday afternoon, a Google representative emailed the following statement:
We have suspended the fraudulent accounts in question and are working through established procedures to identify any new ones that appear. We have procedures in place to detect and remove accounts that violate our terms of service and acceptable use policy, and we take action on accounts when we detect abuse, including suspending the accounts in question. These incidents highlight the importance of practicing proper security cleaning, including patching the router’s firmware as soon as a fix is available.
What follows is this article as it appeared on Thursday, 4/4/2019, 2:59 PM:
A wave of DNS hijacking attacks abusing Google’s cloud computing service is causing users’ routers to connect to fraudulent websites and malicious addresses, a security researcher has warned.
By now, most people know that Domain Name System servers translate human-friendly domain names into the numerical IP addresses that computers need to find other computers on the Internet. For the past four months, a blog post published Thursday said, attackers have been using Google cloud services to scan the Internet for routers that are vulnerable to remote exploits. When they find susceptible routers, the attackers then use the Google platform to send malicious code that configures the routers to use malicious DNS servers.
Troy Mursch, an independent security researcher who published Thursday’s post, said the first wave hit in late December. The campaign exploits vulnerabilities in four models of D-Link routers, including:
The exploits give attackers control over unsecured routers. The attackers use that control to configure the routers to use the DNS server at 18.104.22.168, an IP address belonging to hosting provider OVH.
The second wave, in early February, targeted D-Link routers with the same vulnerability, this time causing them to use a rogue DNS server at 22.214.171.124, a different OVH IP address. According to Twitter user parseword, most DNS queries are then directed to two IPs, one assigned to a criminal-friendly hosting provider (AS206349) and the other pointing to a service that monetizes parked domain names (AS395082).
The third and last known wave occurred last week. It comes from three different Google Cloud Platform hosts and targets additional consumer router models including the ARG-W4 ADSL, DSLink 260E, and those from Secutech and TOTOLINK. The rogue DNS servers used in the latest round, 126.96.36.199 and 188.8.131.52, are both hosted in Russia by Inoventica Services, with Internet access provided by subsidiary Garant-Park-Internet Limited (AS47196).
At the time this post was written, the last batch of rogue DNS servers were still active, Mursch told Ars. DNS servers from previous waves, he added, no longer work. While the attackers exploited services from many providers, Mursch said Google’s cloud service stood out.
“It’s not meant to be something that offends Google,” the researcher said of Wednesday’s post. “But it’s very easy to abuse their platform. You sign up for an account and boom. It’s very easy.” He said Google will terminate the service once the company receives reports of abuse, but it often takes time and effort before that happens. Ars asked Google representatives for comment and will update this post if they respond.
Mursch said he has not yet investigated exactly what domains were spoofed in the attacks. One of the most famous DNS hijacking campaigns came to light in 2012 under the name DNS Changer and generated millions of dollars in fake advertising revenue by redirecting 500,000 computers to fake addresses. Rogue DNS server schemes have also been used to securely serve malicious ads and direct people to fake banking sites.
The best way for people to protect themselves against these types of attacks is to make sure their routers are running the latest firmware. All four D-Link vulnerabilities came under attack years ago, but most people don’t go through the trouble of manually applying patches. It’s also a good idea to periodically check the router’s settings to make sure the DNS settings are correct. Cloudflare’s free DNS service 184.108.40.206 is a good bet. It’s not a bad idea to reconfigure each machine’s operating system to use a DNS server like 220.127.116.11, but Mursch warns that sometimes malicious changes made to hacked routers can change the OS’s settings.
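The advice above to check the router’s DNS settings and watch for hijacked lookups can be turned into a host-side check. The script below is an added example, not code from the article or from Mursch’s post: it parses a resolv.conf-style configuration that a compromised router might push over DHCP, flags resolvers outside an operator-chosen allowlist, and then looks for the two footprints the article describes, one address answering for many unrelated sites and answers that differ entirely from a trusted resolver. All addresses and domain names are constructed from RFC 5737 documentation ranges and `.example` names, and the allowlist `TRUSTED_RESOLVERS` is an assumption the reader replaces with their own.

```python
"""Host-side check for rogue resolvers and DNS hijacking (added example)."""
import ipaddress
import socket
from collections import defaultdict

# Assumption: resolvers the operator has decided to trust. Constructed
# documentation-range values; replace with the resolvers you actually use.
TRUSTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Constructed sample of what a hijacked router might hand out over DHCP.
SAMPLE_RESOLV_CONF = """\
# generated by the router's DHCP client (constructed sample)
nameserver 203.0.113.7
nameserver 192.0.2.53
search lan
"""

# Constructed answers: what the router-assigned resolver returned versus a
# trusted resolver queried directly, for the kinds of sites the article names.
ROUTER_ANSWERS = {
    "bank.example": ["203.0.113.80"],
    "webmail.example": ["203.0.113.80"],
    "payments.example": ["203.0.113.80"],
    "news.example": ["198.51.100.10"],
}
TRUSTED_ANSWERS = {
    "bank.example": ["198.51.100.20", "198.51.100.21"],
    "webmail.example": ["198.51.100.30"],
    "payments.example": ["198.51.100.40"],
    "news.example": ["198.51.100.10"],
}


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # malformed entry: ignore rather than crash
    return servers


def untrusted_resolvers(servers, trusted=TRUSTED_RESOLVERS):
    """Resolvers the host is using that are not on the allowlist."""
    return [s for s in servers if s not in trusted]


def answers_via_system(domain):
    """Live A-record lookup through whatever resolver the OS currently uses.
    Not exercised offline; shown so the checks below can be fed real data."""
    try:
        infos = socket.getaddrinfo(domain, 80, socket.AF_INET)
        return sorted({info[4][0] for info in infos})
    except socket.gaierror:
        return []


def shared_answer_domains(answers_by_domain, min_domains=2):
    """Map each address to the distinct domains it was returned for.

    One address answering for several different sites (a bank, a webmail
    provider, a payment service) is the footprint of a single phishing host
    standing in for all of them, which is what the article describes."""
    by_ip = defaultdict(set)
    for domain, ips in answers_by_domain.items():
        for ip in ips:
            by_ip[ip].add(domain)
    return {ip: sorted(d) for ip, d in by_ip.items() if len(d) >= min_domains}


def divergent_domains(router_answers, trusted_answers):
    """Domains whose router-resolved addresses share nothing with the trusted
    resolver's answers. CDNs vary answers by vantage point, so treat this as
    a lead to check, not proof; combine it with shared_answer_domains."""
    out = []
    for domain, ips in router_answers.items():
        trusted = set(trusted_answers.get(domain, []))
        if trusted and not (set(ips) & trusted):
            out.append(domain)
    return sorted(out)


def run_checks():
    """Run all checks over the constructed sample data and return findings."""
    resolvers = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    return {
        "untrusted_resolvers": untrusted_resolvers(resolvers),
        "shared_answer": shared_answer_domains(ROUTER_ANSWERS),
        "divergent": divergent_domains(ROUTER_ANSWERS, TRUSTED_ANSWERS),
    }


if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(f"{name}: {finding}")
```

On a real host, replace `SAMPLE_RESOLV_CONF` with the contents of the system’s resolver configuration and build `ROUTER_ANSWERS` from `answers_via_system` while `TRUSTED_ANSWERS` comes from a resolver you query directly; a domain that appears in both findings is the strongest signal that the router, not the site, has been tampered with.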