
Home Routers Hijacked to Deliver Info-Stealing Malware 'Oski'


Malware spread through apps downloaded in the name of 'the latest information and instructions about COVID-19' has been one of the most prevalent threats observed since the outbreak of the novel Coronavirus. Users lured into installing apps such as 'COVID19 Tracker' (CovidLock) from a website found their smartphones locked, with a demand of $100 in Bitcoin to restore access to their data. The attackers also threatened to leak the victims' contacts, media and social media accounts online if the ransom was not paid in time.

Another example of the COVID-19-themed attacks users are facing is a newly discovered campaign against home routers. The attackers alter the router's DNS settings so that victims are redirected to a page under their control that offers a bogus COVID-19 information app (purportedly from the World Health Organization). Running it installs 'Oski', an information-stealing malware that harvests saved browser credentials, cryptocurrency wallet data and other sensitive information from the victim's system.

"To make the file seem legitimate (as if the filename is any indication of legitimacy), attackers named it “runset.EXE”, “covid19informer.exe”, or “setup_who.exe”," states Bitdefender's report on the campaign.

The attackers scan the internet for home routers with exposed remote-management interfaces, brute-force the login credentials and then change the DNS server addresses the router hands out to every device on the network.

DNS is the internet service that translates domain names into IP addresses; a browser consults it before loading any resource. If attackers change the DNS server address on a compromised router, every lookup from that network goes to a resolver they control, and they can answer requests for chosen domains with the address of a site they run. The domains redirected in this campaign include aws.amazon.com, tidd.ly, goo.gl, bit.ly, fiddler2.com, washington.edu, winimage.com, imageshack.us, ufl.edu, disney.com, cox.net, xhamster.com, pubads.g.doubleclick.net and redditblog.com. According to the report, most of the routers on the attackers' target list are located in France, Germany and the US.

"It’s recommended that, besides changing the router’s control panel access credentials (which are hopefully not the default ones), users should change their Linksys cloud account credentials, or any remote management account for their routers, to avoid any takeovers via brute-forcing or credential-stuffing attacks," Bitdefender warns.
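As an added example (not from Bitdefender's report or the original post), the following Python script runs the two checks a practitioner would want on a home network after reading this: it compares the nameservers the router handed out against an allowlist, and it compares the addresses the local resolver returns for the campaign's target domains with answers fetched directly from an independent resolver over UDP. It also applies a heuristic that catches this specific campaign: many unrelated domains resolving to one address is the signature of a single redirect page serving all of them. The sample resolv.conf text, the sample answers (documentation address ranges), the allowlist and the choice of 1.1.1.1 as the independent resolver are assumptions made for the example.

```python
"""Check a home network for the kind of DNS hijack described above.

Check 1: the nameservers the router (or DHCP) handed out vs. an allowlist.
Check 2: A records from the system resolver vs. A records obtained directly
         from an independent resolver over UDP, plus a collapse heuristic:
         many unrelated domains resolving to one address is the signature of
         a redirect page serving all of them.
"""
import socket
import struct
from collections import Counter

# Domains Bitdefender reported as redirected in this campaign.
TARGET_DOMAINS = ["aws.amazon.com", "goo.gl", "bit.ly", "washington.edu",
                  "disney.com", "cox.net", "redditblog.com"]


def build_a_query(name, txid=0x1234):
    """Minimal DNS query: one A question, recursion desired, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def _skip_name(buf, off):
    """Advance past a (possibly compressed) domain name in a DNS message."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, name ends here
            return off + 2
        off += 1 + length


def parse_a_answers(buf):
    """Return the IPv4 addresses found in the answer section of a DNS response."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4          # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:           # A record
            addrs.append(socket.inet_ntoa(buf[off:off + 4]))
        off += rdlen
    return addrs


def query_a(name, server, timeout=3.0):
    """Resolve `name` by asking `server` directly, bypassing the router's resolver."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(name), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_answers(data)


def rogue_nameservers(resolv_conf_text, allowed):
    """Return configured nameservers that are not in the allowlist."""
    configured = [fields[1] for fields in (line.split() for line in resolv_conf_text.splitlines())
                  if len(fields) >= 2 and fields[0] == "nameserver"]
    return [ns for ns in configured if ns not in allowed]


def find_hijacked(local_answers, trusted_answers, min_collapse=3):
    """local_answers / trusted_answers map domain -> list of A records.

    Returns (divergent, collapsed): domains whose local answers share no
    address with the trusted answers, and addresses that at least
    `min_collapse` different domains resolve to locally. Divergence alone is
    noisy (CDNs answer differently per resolver); the collapse is the strong signal.
    """
    divergent = sorted(d for d, ips in local_answers.items()
                       if not set(ips) & set(trusted_answers.get(d, [])))
    hits = Counter(ip for ips in local_answers.values() for ip in set(ips))
    collapsed = sorted(ip for ip, n in hits.items() if n >= min_collapse)
    return divergent, collapsed


# Constructed sample data (documentation address ranges, not real answers):
# the router's rogue resolver sends three unrelated targets to one address.
SAMPLE_RESOLV_CONF = "search lan\nnameserver 192.168.1.1\nnameserver 203.0.113.7\n"
SAMPLE_LOCAL = {"aws.amazon.com": ["198.51.100.20"], "goo.gl": ["198.51.100.20"],
                "bit.ly": ["198.51.100.20"], "washington.edu": ["203.0.113.40"]}
SAMPLE_TRUSTED = {"aws.amazon.com": ["203.0.113.10"], "goo.gl": ["203.0.113.11"],
                  "bit.ly": ["203.0.113.12"], "washington.edu": ["203.0.113.40"]}


if __name__ == "__main__":
    # Live run: system resolver vs. Cloudflare's 1.1.1.1 for the campaign's target list.
    local = {d: socket.gethostbyname_ex(d)[2] for d in TARGET_DOMAINS}
    trusted = {d: query_a(d, "1.1.1.1") for d in TARGET_DOMAINS}
    divergent, collapsed = find_hijacked(local, trusted)
    print("divergent:", divergent)
    print("collapsed onto one address:", collapsed)
```

Treat a non-empty `collapsed` list as the alarm: CDN-fronted names such as aws.amazon.com legitimately return different addresses from different resolvers, so `divergent` on its own only says "look closer", whereas bit.ly, goo.gl and a university domain all landing on the same IP has no benign explanation. If the alarm fires, check the router's DNS settings and its admin credentials before anything else, since the hijack lives in the router, not on the PC.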

Metasploit and Rapid7 DNS hijacked and Defaced by Kdms Team


The domains Metasploit.com and rapid7.com, the latter belonging to Metasploit's parent company Rapid7, were hijacked and defaced by the KDMS Team, which had previously taken down several other high-profile computer-security targets.


HD Moore (Chief Research Officer of Rapid7 and Chief Architect of Metasploit) told EHN how the domain was hijacked.

When asked whether the domains were back under their control, he said "yes" and explained why some people were still seeing the defaced page.



Note that a DNS hijack of this kind does not touch the hacked site's server in any way: the attackers changed where the name pointed, not the content of the server. Anybody could fall victim to it; the blame belongs to the registrar, not Rapid7.


This shows that even with the strictest security mechanisms there is always a weak spot that can be exploited, and more often than not it is the human element that is weakest.

DNS Hijacking vulnerability found in 000webhost and other free hosting sites

Last month, we learned that hackers hijacked Google Pakistan and other sites by tampering with their DNS records, pointing them at a freehostia server on which the attacker hosted the defacement page.

Now Indian security researcher Aarshit Mittal has come up with an interesting find: a critical DNS hijacking vulnerability in popular free web-hosting providers (strictly, a domain-takeover flaw in the hosting control panel rather than a change to any DNS records) that allows attackers to take control of websites hosted there.

Aarshit has demonstrated how to exploit the vulnerability on his blog, using 000webhost.com as the example. The attacker first needs an account with the target hosting provider.

Once the account is created, log in to the cPanel, which displays the shared IP address of the server. Searching Bing for that IP address (Bing's ip: operator lists pages served from a given address) reveals the other sites hosted on the same server.


Interestingly, Aarshit found some government sites (csirt.gov.bd) hosted on 000webhost.

With the list of co-hosted sites in hand, the attacker adds one of those domain names as a 'parked domain' in his own cPanel. The panel accepted the domain without verifying that he owned it.

Now the hacker only needs to upload a defacement page to his hosting account, and the defacement appears on the victim's site: the web server routes requests by hostname, and the parked domain is now mapped to the attacker's document root. He can also create any number of subdomains under the hijacked domain.

By exploiting this flaw, the researcher successfully hijacked the following domains:

  • test.fraymamertoesquiu.gov.ar
  • test.concejodeitagui.gov.co
  • dns.hviota.gov.co
  • test.digitizeyou.in
  • men.csirt.gov.bd
  • bd.csirt.gov.bd
A malicious hacker could hijack millions of sites hosted on free web-hosting services. Aarshit tried to contact the affected companies, but they did not respond.
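The following Python model, added here and not part of Aarshit Mittal's write-up or any hosting provider's code, reproduces the mechanism behind the steps above and the fix a provider would need. A shared-hosting web server picks the document root from the Host header, so whichever account gets a hostname into the vhost table serves that hostname for everyone whose DNS already points at the shared IP. The vulnerable method mirrors a control panel that binds any requested hostname to the caller; the hardened path refuses hostnames already bound to another account and requires proof of control via a DNS TXT challenge before binding. The hostnames under example.gov, the account names and the `_hosting-verify` TXT record name are invented for illustration, and DNS lookups are injected as a callable so the model runs offline.

```python
"""Model of the parked-domain flaw described above (added example).

A shared-hosting web server chooses the document root from the Host header,
so any account that gets a hostname into the vhost table serves that hostname
for everyone whose DNS already points at the shared IP. The vulnerable method
binds any hostname to the requester; the hardened path refuses hostnames bound
to another account and requires proof of control via a DNS TXT challenge.
"""
import hmac
import secrets


class SharedHost:
    def __init__(self, dns_txt_lookup):
        self.vhosts = {}             # hostname -> account  (the server's vhost table)
        self.docroots = {}           # account  -> document root
        self.pending = {}            # hostname -> (account, challenge token)
        self._txt = dns_txt_lookup   # callable(name) -> list of TXT strings (injected)

    def create_account(self, account):
        self.docroots[account] = f"/home/{account}/public_html"

    # ---- vulnerable: "add parked domain" with no ownership check at all
    def add_parked_domain_vulnerable(self, account, hostname):
        self.vhosts[hostname.lower()] = account
        return True

    # ---- hardened: two-step claim backed by a DNS TXT challenge
    def request_parked_domain(self, account, hostname):
        hostname = hostname.lower()
        owner = self.vhosts.get(hostname)
        if owner is not None and owner != account:
            raise PermissionError(f"{hostname} is already bound to another account")
        token = secrets.token_hex(16)
        self.pending[hostname] = (account, token)
        return token     # the user must publish TXT "_hosting-verify.<hostname>" = token

    def confirm_parked_domain(self, account, hostname):
        hostname = hostname.lower()
        entry = self.pending.get(hostname)
        if entry is None or entry[0] != account:
            raise PermissionError(f"no pending claim on {hostname} for {account}")
        expected = entry[1].encode()
        published = self._txt(f"_hosting-verify.{hostname}")
        if not any(hmac.compare_digest(record.encode(), expected) for record in published):
            raise PermissionError(f"TXT challenge for {hostname} not satisfied")
        del self.pending[hostname]
        self.vhosts[hostname] = account
        return True

    def route(self, host_header):
        """Document root the web server would serve for this Host header, or None."""
        account = self.vhosts.get(host_header.split(":")[0].lower())
        return self.docroots.get(account)


def demo():
    """Constructed scenario: example.gov is on the shared IP; 'attacker' holds a free account."""
    zone = {}                                    # constructed DNS data for example.gov
    lookup = lambda name: zone.get(name, [])
    out = {}

    weak = SharedHost(lookup)
    weak.create_account("victim")
    weak.create_account("attacker")
    weak.add_parked_domain_vulnerable("victim", "www.example.gov")
    weak.add_parked_domain_vulnerable("attacker", "test.example.gov")  # unclaimed subdomain
    weak.add_parked_domain_vulnerable("attacker", "www.example.gov")   # even re-binds the live site
    out["weak_test"] = weak.route("test.example.gov")
    out["weak_www"] = weak.route("www.example.gov")

    strong = SharedHost(lookup)
    strong.create_account("victim")
    strong.create_account("attacker")
    token = strong.request_parked_domain("victim", "www.example.gov")
    zone["_hosting-verify.www.example.gov"] = [token]    # only the real owner can publish this
    strong.confirm_parked_domain("victim", "www.example.gov")
    try:
        strong.request_parked_domain("attacker", "www.example.gov")
        out["strong_rebind"] = "allowed"
    except PermissionError as err:
        out["strong_rebind"] = str(err)
    strong.request_parked_domain("attacker", "test.example.gov")   # claim is recorded ...
    try:
        strong.confirm_parked_domain("attacker", "test.example.gov")  # ... but cannot be proven
    except PermissionError:
        pass
    out["strong_test"] = strong.route("test.example.gov")
    return out


if __name__ == "__main__":
    print(demo())
```

Two points the model makes concrete: the hijacked names in the list above are subdomains nobody had bound, so a check that only blocks re-binding of existing customers' hostnames is not enough, which is why the hardened path demands the TXT challenge for every new hostname; and the flaw is entirely inside the hosting platform, since the victim's DNS is never touched, so a site owner cannot detect it from their zone and must rely on the provider to verify ownership.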

Other affected providers:

  • www.freehostia.com/
  • www.freewebhostingarea.com/
  • x10hosting.com/
  • www.110mb.com/

These are not the only ones; plenty of other free hosting servers are affected by this vulnerability.