Hackers compromise 300,000 SOHO routers and changed DNS to redirect to attacker site

A security researchers at Team Cymru have uncovered a Pharming attack campaign targeting Small office and Home office(SOHO) routers.  So far, more than 300k SOHO routers have been compromised.

The hackers altered DNS settings  to use IP addresses '5.45.75[.]11' and '5.45.75[.]36' on the compromised devices in an effort to redirect the victim to attacker's website.

Most of the compromised devices are from Vietnam.  India is also to be one of the top countries affected by this campaign.  Other affected countries are including Italy, Thailand, Indonesia, Ukraine, Turkey, Colombia.

The affected routers are from number of manufacturers including Micronet, Tenda, D-Link, TP-Link.  Researchers say that affected devices are vulnerable to multiple exploits including CSRF attack, vulnerability in ZyXEL firmware.

The vulnerability in ZyXEL's ZynOS was discovered by researcher back in January which allows attacker to directly download the routers configuration file http://[IP Address]/rom-0.

So far, the attackers didn't seem to have abused the compromised devices.  But, the attack is similar to the attack against a number of Poland's banks.  In which, the attacker changed the DNS configuration in order to steal Online Banking login credentials.