AT2k Design BBS Message Area
Message area: Computer Support/Help/Discussion
From: Sean Dennis
To: All
Subject: 100,000 Home routers compromised
Date/Time: October 3, 2018 9:04 AM

From:
https://www.theregister.co.uk/2018/10/02/ghos...

100,000 home routers recruited to spread Brazilian hacking scam
GhostDNS in the machine

By Richard Chirgwin 2 Oct 2018 at 06:30

A DNSChanger-like attack first spotted in August on D-Link routers in Brazil 
has expanded to affect more than 70 different devices and more than 100,000 
individual pieces of kit.

Radware first identified the latest campaign, which started as an attack on 
Banco de Brasil customers via a DNS redirection that sent people to a cloned 
Website that stole their credentials.

Now, Qihoo's Netlab 360 folk have warned that the attack, which they've 
dubbed GhostDNS, is "starting to ramp up its effort significantly with a whole 
bunch of new scanners."

The attackers were trying to get control of the target machines either by 
guessing the web admin password, or through a vulnerable DNS configuration CGI 
script (dnscfg.cgi). If they get control of a device, they change the router's 
default DNS server to their own "rogue" machine.

Netlab 360's post added that as well as redirecting a victim's default DNS, 
the GhostDNS campaign uses three DNSChanger variants running as a shell, a 
JavaScript program, or a Python program.

But wait, there's more, the post said: "The GhostDNS system consists of four 
parts: DNSChanger module, Phishing Web module, Web Admin module, Rogue DNS 
module."

The shell DNSChanger module works on 21 router models, the post said; the 
JavaScript module can infect six models; and the Python version has been 
installed on 100 servers, mostly on Google's cloud.

At this stage, the post said, the redirection campaign is heavily weighted 
towards Brazilian Websites; nearly 88 per cent of the compromised devices are 
also in Brazil; and the rogue DNS servers operated on Hostkey, Oracle, 
Multacom, Amazon, Google, Telefonica, Aruba, and OVH.

Compromised kit has also been spotted in Bolivia, Argentina, Saint Maarten, 
Mexico, Venezuela, the US, Russia and a few others.

OVH, Oracle and Google have kicked the attackers off their infrastructure, and 
the post said others are "working on it".

The Netlab 360 researchers have also listed the vendors 3Com*, A-Link, 
Alcatel/Technicolor, Antena, C3-Tech, Cisco, D-Link, Elsys, Fiberhome, 
Fiberlink, Geneko, Greatek, Huawei, Intelbras, Kaiomy, LinkOne, MikroTik, MPI 
Networks, Multilaser, OIWTECH, Perfect, Qtech, Ralink, Roteador, Sapido, 
Secutech, Siemens, Technic, Tenda, Thomson, TP-Link, Ubiquiti, Viking, ZTE, 
and Zyxel as vulnerable (* Yes, we know 3Com is a name long gone from the 
shelves; The Register speculates that since the vendor list is compiled by 
querying the compromised device, 3Com's name survives in some HP devices' 
firmware).

The Russian-authored Wive-NG router firmware has also been exploited, the post 
said.

Later,
Sean

... Those who trade liberty for security have neither.
--- GoldED+/LNX 1.1.5-b20170303
 * Origin: Outpost BBS * Limestone, TN, USA (618:618/1)