Hackers hijacking home routers to direct people to malicious coronavirus app
The attackers are changing DNS settings on Linksys routers to redirect users to a malicious website promising an informative COVID-19 app, says security provider BitDefender.
Cybercriminals have been exploiting COVID-19 for their own malicious purposes. Coronavirus-themed emails are being deployed to ensnare people curious or anxious about the virus. Phony coronavirus maps are being created with malware as the payload. And as more people work from home, a new type of attack is targeting home routers to spread a malicious coronavirus-themed app, according to a blog post published Wednesday by BitDefender.
In its blog post “New Router DNS Hijacking Attacks Abuse Bitbucket to Host Infostealer,” BitDefender describes how this latest threat works and how people working from home can protect themselves against it.
After gaining administrative access to a home router, the hackers change its DNS settings, the addresses of the servers the router (and every device that takes its DNS from the router via DHCP) uses to translate domain names into IP addresses. With the resolver under attacker control, lookups for selected domains are answered with attacker-owned IP addresses, so the browser lands on a website that claims to be from the World Health Organization, an agency that’s been the victim of many spoofs and attacks lately.
The site displays a Download button for an app promising information and instructions about the coronavirus. The download is in fact the Oski infostealer, a nasty piece of malware that aims to steal browser passwords, cryptocurrency data, and login credentials from the Windows Registry and SQL databases.
The tactic is especially deceptive. Because the redirect happens at the DNS level, the address bar still shows the domain the user typed, so unsuspecting users believe they’re browsing to a legitimate website rather than one created and controlled by the attackers. Further, the criminals host the malicious payload on Bitbucket, a web-based repository hosting service, and link to it through the URL-shortener service TinyURL, so the Bitbucket destination is not visible from the link itself.
At this point, the attacks are mostly targeting Linksys routers, most likely by brute forcing the credentials required for remotely managing the router. However, some tech news sites are saying that D-Link routers are also being targeted. The IP addresses for the DNS servers are changed to 126.96.36.199 and 188.8.131.52. The affected domains include the following:
Browsing to one of these domains from behind a hijacked router resolves it to one of the IP addresses 184.108.40.206, 220.127.116.11, or 18.104.22.168. At that point, a message appears prompting you to download the COVID-19 Inform app. Doing so delivers the malicious payload.
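A practical way to check for this kind of hijack is to compare what the router-supplied resolver says with what a resolver you trust says, and to watch for many unrelated domains collapsing onto the same handful of addresses, which is what the three attacker IPs above look like from a victim's LAN. The script below is an added example, not BitDefender's tooling or code from this article. It builds and parses raw DNS A queries so it can be pointed at a specific server (the router's address and a trusted public resolver are assumptions; replace them with your own), and the detection helpers take lookup functions so they can also be run against recorded answers. The watch-list domains are constructed placeholders, since the article's domain list is not reproduced here.

```python
import random
import socket
import struct
from typing import Callable, Dict, Iterable, List, Optional

# Assumptions: the router's LAN address and a trusted resolver to compare against.
ROUTER_DNS = "192.168.1.1"
TRUSTED_DNS = "1.1.1.1"

Lookup = Callable[[str], List[str]]


def build_a_query(name: str, txid: Optional[int] = None) -> bytes:
    """Build an RFC 1035 wire-format A query with recursion desired."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_answers(msg: bytes, expected_txid: Optional[int] = None) -> List[str]:
    """Extract IPv4 addresses from the answer section of a DNS response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction ID mismatch (unsolicited or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0xF:
        raise ValueError("DNS error, RCODE=%d" % (flags & 0xF))
    off = 12
    for _ in range(qdcount):               # skip the echoed question(s)
        off = _skip_name(msg, off) + 4
    ips = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record only; CNAMEs are skipped
            ips.append(socket.inet_ntoa(rdata))
    return ips


def query_a(server: str, name: str, timeout: float = 3.0) -> List[str]:
    """Send one A query to a specific DNS server over UDP and return its answers."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_answers(data, txid)


def find_divergent(names: Iterable[str], router_lookup: Lookup, trusted_lookup: Lookup) -> Dict[str, tuple]:
    """Domains where the router-supplied answers share nothing with the trusted answers.
    CDNs often give partially different sets from different vantage points; a rogue
    resolver gives a disjoint set, so only zero overlap is reported."""
    divergent = {}
    for name in names:
        router_ips, trusted_ips = set(router_lookup(name)), set(trusted_lookup(name))
        if router_ips and not router_ips & trusted_ips:
            divergent[name] = (sorted(router_ips), sorted(trusted_ips))
    return divergent


def shared_sinkholes(names: Iterable[str], router_lookup: Lookup, min_domains: int = 3) -> Dict[str, List[str]]:
    """IPs that unrelated domains all resolve to via the router; a hijacked resolver
    funnels its whole target list into a few attacker addresses."""
    by_ip: Dict[str, List[str]] = {}
    for name in names:
        for ip in router_lookup(name):
            by_ip.setdefault(ip, []).append(name)
    return {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) >= min_domains}


if __name__ == "__main__":
    # Constructed watch list; substitute the domains you care about.
    watch = ["example.com", "example.net", "example.org"]
    router = lambda n: query_a(ROUTER_DNS, n)
    trusted = lambda n: query_a(TRUSTED_DNS, n)
    print("divergent:", find_divergent(watch, router, trusted))
    print("shared sinkholes:", shared_sinkholes(watch, router))
```

A hit from `find_divergent` alone is a lead, not proof, because geo-aware CDNs legitimately answer differently; a hit from `shared_sinkholes` across unrelated domains is much harder to explain innocently. The transaction-ID check in `parse_a_answers` also rejects replies that don't belong to the query you sent, which matters when you are deliberately talking to a resolver you no longer trust.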
Based on its analysis of the Bitbucket repositories, BitDefender put the number of potential victims at 1,193 over just the past couple of days. However, the firm found four such repositories, which suggests the number of people caught in this trap could be higher. So far, people in the US, Germany, and France make up almost 75% of the total. The number of victims is also likely to increase, especially if the hackers set up even more repositories.
To protect yourself and your home router from this type of compromise, BitDefender offers the following advice, especially for those with Linksys routers:
- Change your credentials. Beyond changing the login credentials for your router’s control panel (which hopefully aren’t the default ones), change your Linksys cloud account credentials and those for any remote management account for your router, since remote management is the likely entry point here. The goal is to avoid account takeovers via brute force or credential-stuffing attacks.
- Update your firmware. Make sure your router’s firmware is always up to date as that prevents attackers from exploiting unpatched vulnerabilities to take over the device.
- Use security software. Make sure all of your devices have a security solution installed that can prevent you from accessing phishing or fraudulent websites and from downloading and installing malware.