
Saturday, 15 February 2014

Hackers exploiting Router vulnerabilities to hack Bank accounts through DNS Hijacking

In past months, we have reported critical vulnerabilities in many wireless routers, including Netgear, Linksys, TP-LINK, Cisco, ASUS, TENDA and other vendors' devices, installed by millions of home users worldwide.

The Polish Computer Emergency Response Team (CERT Polska) recently noticed a large-scale, ongoing cyber attack campaign aimed at Polish e-banking users.

Cyber criminals are using a known router vulnerability that allows attackers to change the router's DNS configuration remotely, so they can lure users to fake bank websites or perform Man-in-the-Middle attacks.

'After DNS servers settings are changed on a router, all queries from inside the network are forwarded to rogue servers. Obviously the platform of a client device is not an issue, as there is no need for the attackers to install any malicious software at all.' CERT Polska researchers said.

Neither the DNS hijacking trick nor most of the router vulnerabilities are new, but millions of routers are still not patched or upgraded to the latest firmware version.

The Domain Name System (DNS), the Internet's method of converting web page names into IP addresses, can be hijacked simply by changing the DNS server address in the router's settings to a malicious DNS server. That malicious DNS server is under the attacker's control, which lets them intercept, inspect and modify the traffic between users and the online banking websites they want to target.

"It looks like criminals are primarily targeting e-banking users as they modify DNS responses for several banking domains, while resolving other domain names normally." they said.

Most banking and e-commerce sites use HTTPS with SSL encryption, which makes it impossible to impersonate them without a valid digital certificate issued by a Certificate Authority (CA). To bypass this limitation, the cyber criminals are also using the SSL strip technique along with spoofed digital certificates.

When the criminals intercept the unencrypted request, they simply rewrite links to plain HTTP and add an "ssl-" prefix to the hostname, apparently in an attempt to fool casual users (note that the nonexistent "ssl-" hostnames are resolved only by the malicious DNS servers). While the connection is proxied through the malicious servers, SSL is terminated before it reaches the user; the decrypted content is then modified and sent unencrypted to the customer.

"In cases we have seen, they produced a self-signed certificate for thawte.com domain, which causes a browser to complain about both domain name mismatch and lack of a trusted CA in the certificate chain. This should be a clear indicator of the fraud for most users."

Demonstration of Exploitation:
Penetration tester and computer science student ABDELLI Nassereddine from Algeria, who previously reported a critical unauthorized access and password disclosure vulnerability in the TP-LINK routers provided by Algerie Telecom, has also published a practical demonstration of 'How to Hack Victim's computer and accounts by hijacking Router's DNS server'.
To perform this, he used the DNS proxy tool 'Dnschef' together with exploitation tools including Metasploit, webmitm and Burp Suite. Steps to follow:
  • Install these tools and run the following command:
./dnschef.py --interface 192.168.1.106 --fakeip 192.168.1.106
(where interface is the original IP address and fakeip is the resolution of the DNS query)
  • Run the 'webmitm' tool, which handles the HTTP requests and responses and also forwards the traffic to the Burp Suite proxy to inject an iframe of Metasploit's Browser AUTOPWN server.
  • Launch the Browser AUTOPWN module in Metasploit and get access.
Our readers can find detailed explanations of the exploitation technique on Nassereddine's blog.

How to Protect?
Now that you know how hackers can target routers to disrupt your Internet connection or even steal banking, Facebook and Google passwords, the next thing to do is to secure your own router:
  • Change the default username and password.
  • Update the router's firmware to the latest patched version.
  • Spot fake sites by paying attention to the browser's address bar and HTTPS indicators.
  • Disable the Remote Administration feature, especially from the WAN. The router should be configurable only from the local network (LAN).
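The CERT Polska description above gives a defender three concrete things to check from inside a home network: which resolvers the router is handing out, whether a handful of banking domains resolve differently from a trusted reference resolver while everything else matches, and whether "ssl-" prefixed hostnames resolve at all. The following audit script is an added example (not code from the article, CERT Polska or Nassereddine's blog); every address, hostname and answer in it is constructed sample data in RFC 5737 test ranges, and the allowlist of trusted resolvers is an assumption you would replace with your ISP's or a public resolver's addresses.

```python
"""Added example: audit a home network for the selective DNS hijack pattern
described above. All addresses and hostnames are constructed sample data;
feed the same functions answers gathered from a real resolver to use it live.
"""
from typing import Dict, Iterable, List, Set

Answers = Dict[str, Set[str]]  # hostname -> set of A-record IPs (empty set == NXDOMAIN)

# Resolvers the router is allowed to hand out via DHCP (constructed allowlist).
TRUSTED_RESOLVERS: Set[str] = {"9.9.9.9", "1.1.1.1"}

# Domains worth watching (constructed names standing in for real bank sites).
WATCHLIST = ["example-bank.test", "example-pay.test", "example-news.test"]

# Constructed answers as returned by the router's configured resolver ...
ROUTER_ANSWERS: Answers = {
    "example-bank.test": {"198.51.100.20"},      # points at the rogue proxy
    "example-pay.test": {"203.0.113.77"},        # untouched
    "example-news.test": {"203.0.113.10"},       # untouched
    "ssl-example-bank.test": {"198.51.100.20"},  # bogus host only rogue DNS knows
}
# ... and by a trusted reference resolver queried directly (constructed).
REFERENCE_ANSWERS: Answers = {
    "example-bank.test": {"203.0.113.50"},
    "example-pay.test": {"203.0.113.77"},
    "example-news.test": {"203.0.113.10"},
    "ssl-example-bank.test": set(),              # NXDOMAIN at a legitimate resolver
}


def check_router_resolvers(configured: Iterable[str], trusted: Set[str]) -> List[str]:
    """Return DHCP-advertised resolver IPs that are not on the allowlist."""
    return sorted(ip for ip in configured if ip not in trusted)


def find_selective_hijack(router: Answers, reference: Answers,
                          watchlist: Iterable[str]) -> Dict[str, Dict[str, List[str]]]:
    """Watched domains whose router-side answer differs from the reference answer.
    Selective hijacking shows up as mismatches confined to a few watched names."""
    findings: Dict[str, Dict[str, List[str]]] = {}
    for name in watchlist:
        seen, expected = router.get(name, set()), reference.get(name, set())
        if seen and seen != expected:
            findings[name] = {"router": sorted(seen), "reference": sorted(expected)}
    return findings


def find_bogus_ssl_hosts(router: Answers, reference: Answers) -> List[str]:
    """'ssl-' prefixed names the router resolves but a legitimate resolver cannot."""
    return sorted(name for name, ips in router.items()
                  if name.startswith("ssl-") and ips and not reference.get(name))


def audit(configured_resolvers: Iterable[str], router: Answers,
          reference: Answers, watchlist: Iterable[str]) -> Dict[str, object]:
    """Combine the three checks into one report with an overall verdict."""
    hijacked = find_selective_hijack(router, reference, watchlist)
    bogus = find_bogus_ssl_hosts(router, reference)
    untrusted = check_router_resolvers(configured_resolvers, TRUSTED_RESOLVERS)
    return {
        "untrusted_resolvers": untrusted,
        "hijacked_domains": hijacked,
        "bogus_ssl_hosts": bogus,
        "verdict": "HIJACK SUSPECTED" if (hijacked or bogus or untrusted) else "clean",
    }


if __name__ == "__main__":
    import json
    # Constructed: the router hands out one unknown resolver next to a trusted one.
    print(json.dumps(audit(["203.0.113.99", "9.9.9.9"], ROUTER_ANSWERS,
                           REFERENCE_ANSWERS, WATCHLIST), indent=2))
```

The comparison deliberately treats a bank domain that resolves differently as suspicious only when the router actually returned an answer; a lookup that fails at both resolvers is a connectivity problem, not a hijack. Run the same checks from a second device on the LAN: because the attack lives in the router, every client sees the same wrong answers regardless of platform, which is exactly the point the CERT Polska researchers make.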

Largest Ever 400Gbps DDoS attack hits Europe uses NTP Amplification

The Distributed Denial of Service (DDoS) attack is one of the favourite weapons of hackers for temporarily suspending the services of a host connected to the Internet, and by now nearly every big site has been a victim of such an attack.

Since 2013, hackers have adopted a new tactic to boost the size of Distributed Denial of Service attacks, known as an 'Amplification Attack', which obscures the source of the attack while letting the bandwidth of third-party servers be used to multiply the size of the attack.

Just yesterday, hackers reached new heights with a massive DDoS attack targeting content-delivery and anti-DDoS protection firm CloudFlare, peaking at more than 400Gbps of traffic and striking the company's data servers in Europe.
"Very big NTP reflection attack hitting us right now. Appears to be bigger than the #Spamhaus attack from last year. Mitigating," CloudFlare CEO Matthew Prince said in a tweet. "Someone's got a big, new cannon. Start of ugly things to come."
This massive DDoS attack was the largest in the history of the Internet, bigger than the previous record-holder, the 300Gbps Spamhaus DDoS attack that almost broke the Internet.

Attackers leveraged weaknesses in the Network Time Protocol (NTP), which is used to synchronize computer clocks: they abuse NTP servers by sending small, spoofed 8-byte UDP packets to a vulnerable server, requesting a large amount of data (megabytes' worth of traffic) that the server then sends to the DDoS target's IP address.

The frequency of NTP reflection attacks has grown in recent months. Researchers have long predicted that NTP might someday become a major vector and ideal tool for DDoS attacks, and the trend has recently become popular, causing problems for some gaming websites and service providers.

Recently, US-CERT issued an alert listing certain UDP protocols identified as potential vectors for amplification attacks, including DNS, NTP, SNMPv2, NetBIOS, SSDP, CharGEN, QOTD, BitTorrent, Kad, Quake Network Protocol and Steam Protocol.

As all versions of ntpd prior to 4.2.7 are vulnerable by default, the simplest recommended course of action is to upgrade all publicly accessible ntpd instances to at least 4.2.7. Until all the misconfigured NTP servers are cleaned up, attacks of this nature will continue.

Update: The CloudFlare team has released more technical details on the 400Gbps NTP amplification DDoS attack described above. The attackers abused 4295 vulnerable NTP servers running on 1,298 different networks.

The spoofed UDP packet was amplified to 206 times the size of the request by exploiting the MONLIST command vulnerability on open ntpd servers. "An attacker with a 1Gbps connection can theoretically generate more than 200Gbps of DDoS traffic."

That means that with just a 2Gbps Internet connection and 4,529 exploited NTP servers, the attackers DDoSed websites with 400Gbps of bandwidth. "On average, each of these servers sent 87Mbps of traffic to the intended victim on CloudFlare's network," they said.

CloudFlare has also released a list of all networks hosting the 'naughty' NTP servers used in the DDoS attack, rather than publishing the complete list of IP addresses: "At this time, we've decided not to publish the full list of the IP addresses of the NTP servers involved in the attack out of concern that it could give even more attackers access to a powerful weapon."
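The mechanics described above (an 8-byte spoofed request, a multi-packet MONLIST reply, a 206x amplification factor) are visible in ordinary packet captures, which is how an operator finds out that their own ntpd is one of the "naughty" servers before CloudFlare's list does. The decoder below is an added example, not CloudFlare's or US-CERT's code; it follows the mode 7 ("private") header layout from ntpd's ntp_request.h (byte 0 carries the response, more, version and mode bits; byte 2 the implementation; byte 3 the request code, 42 for MON_GETLIST_1), and every datagram and address in it is constructed sample data.

```python
"""Added example: detect NTP 'monlist' reflection from captured UDP datagrams.
Header layout per ntpd's ntp_request.h; all packets and addresses below are
constructed sample data, not a real capture.
"""
import struct
from typing import Dict, List, NamedTuple, Optional

MODE_PRIVATE = 7          # ntpd "private" control mode (used by ntpdc)
IMPL_XNTPD = 3
REQ_MON_GETLIST = 20      # legacy monlist request code
REQ_MON_GETLIST_1 = 42    # request code sent by `ntpdc -c monlist`
MONLIST_CODES = {REQ_MON_GETLIST, REQ_MON_GETLIST_1}


class Datagram(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def parse_mode7(payload: bytes) -> Optional[Dict[str, int]]:
    """Decode the 8-byte mode 7 header; None if this is not a mode 7 packet."""
    if len(payload) < 8:
        return None
    b0, _auth_seq, impl, reqcode = payload[:4]
    if b0 & 0x07 != MODE_PRIVATE:
        return None
    err_nitems, mbz_size = struct.unpack("!HH", payload[4:8])
    return {
        "response": (b0 >> 7) & 1,       # R bit: set on replies
        "more": (b0 >> 6) & 1,           # M bit: more reply packets follow
        "version": (b0 >> 3) & 7,
        "implementation": impl,
        "reqcode": reqcode,
        "nitems": err_nitems & 0x0FFF,   # low 12 bits: entries in this packet
        "item_size": mbz_size & 0x0FFF,  # low 12 bits: bytes per entry
        "length": len(payload),
    }


def classify(dg: Datagram) -> Optional[str]:
    """'monlist-request', 'monlist-response', or None for unrelated traffic."""
    hdr = parse_mode7(dg.payload)
    if hdr is None or hdr["reqcode"] not in MONLIST_CODES:
        return None
    return "monlist-response" if hdr["response"] else "monlist-request"


def amplification_report(datagrams: List[Datagram]) -> Dict[str, Dict[str, float]]:
    """Per recipient of monlist replies: bytes of requests that claimed to come
    from that address vs. bytes of replies sent to it. A large ratio toward a
    host that never asked for anything else is the reflection signature."""
    req_bytes: Dict[str, int] = {}
    resp_bytes: Dict[str, int] = {}
    for dg in datagrams:
        kind = classify(dg)
        if kind == "monlist-request":
            req_bytes[dg.src] = req_bytes.get(dg.src, 0) + len(dg.payload)
        elif kind == "monlist-response":
            resp_bytes[dg.dst] = resp_bytes.get(dg.dst, 0) + len(dg.payload)
    report: Dict[str, Dict[str, float]] = {}
    for victim, out in resp_bytes.items():
        inb = req_bytes.get(victim, 0)
        report[victim] = {"request_bytes": inb, "response_bytes": out,
                          "ratio": (out / inb) if inb else float("inf")}
    return report


def open_amplifiers(datagrams: List[Datagram]) -> List[str]:
    """Hosts that answered monlist at all: these are the servers to reconfigure."""
    return sorted({dg.src for dg in datagrams if classify(dg) == "monlist-response"})


# --- constructed sample capture ---------------------------------------------
# An 8-byte monlist request whose source is the (spoofed) victim address ...
MONLIST_REQUEST = bytes([0x17, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1]) + b"\x00" * 4
# ... and one 440-byte reply: 8-byte header + 6 monitor entries of 72 bytes.
MONLIST_RESPONSE = (bytes([0x97, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1])
                    + struct.pack("!HH", 6, 72) + b"\x00" * (6 * 72))
SAMPLE = [
    Datagram("198.51.100.7", "203.0.113.123", 123, 123, MONLIST_REQUEST),
    Datagram("203.0.113.123", "198.51.100.7", 123, 123, MONLIST_RESPONSE),
    # an ordinary mode 3 client poll (48 bytes) for contrast
    Datagram("203.0.113.5", "203.0.113.123", 40000, 123, b"\x1b" + b"\x00" * 47),
]

if __name__ == "__main__":
    print(amplification_report(SAMPLE))
    print("open amplifiers:", open_amplifiers(SAMPLE))
```

A single reply packet already gives a 55x byte ratio; a full monlist dump returns up to 600 recent-client entries across many packets, which is how the per-server figure climbs to the 206x CloudFlare measured. If your own server shows up in `open_amplifiers`, the fix is a configuration change rather than a firewall rule: add `disable monitor` to ntp.conf (or a `restrict default ... noquery` line), which stops ntpd answering mode 7 queries, then upgrade to a release of 4.2.7 or later where the facility is off by default.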

Saturday, 18 January 2014

Earn Online Income Free Registration

Only Click On This Link

Monday, 13 January 2014

Malware attack hits thousands of Yahoo users per hour 
Around 2.5 million Yahoo users were infected with malicious software after hackers took over a few of the company's advertisements and used them to attack web surfers. According to the report on the breach by cyber security firm Fox IT, some of the advertisements viewed by users between 30 December and 2 January were infected with malware. CNET also explains that users who opened pages carrying the ads were redirected to sites that installed the malware onto their PCs, even if they did not click on the advertisement.
According to an estimate by Fox IT, around 27,000 computers belonging to Yahoo users were infected every hour over that four-day period.
Based on a sample of the traffic, they estimated that around 300k people had visited the malicious site. Given a typical infection rate of 9%, that would lead to approximately 27,000 infections per hour.
According to security company SurfRight, the total was around 2.5 million users. Fox IT explained that American users were probably not exposed to the breach.
Based on the same sample, the countries hit hardest by the exploit kit were reported to be Great Britain, France and Romania. At the time it was unclear why those countries were affected so heavily; it may be due to how the malicious advertisements were configured on the search engine.
Surprisingly, Yahoo's response to the incident was minimal. It issued one statement on Saturday, 4 January acknowledging the problem, but did not offer a detailed account of the episode.
According to that statement, the company takes the privacy and safety of its users very seriously. It had recently identified an ad designed to spread malicious activity to several Yahoo users, removed it immediately, and continued to monitor and block ads used for this type of activity.
CNET added that the company provided more information on Sunday: on 3 January it had served some advertisements on its European sites which did not meet the company's editorial guidelines and, in particular, were malicious. The company removed those ads promptly. Users in Latin America, North America and Asia Pacific were not served those ads and so were not affected, and users of mobile devices and Macs were not affected either.
It is good to hear that spreading malicious software is against Yahoo's editorial guidelines, but it raises the question of what actually happened and how worried infected users need to be. Finally, Yahoo updated its statement to add that the malware infections started on 30 December 2013.
More details came from SurfRight. The company published a description of the malware types found in the ads, as identified by Fox IT. SurfRight added that users were exposed to click-fraud malware which runs numerous processes to open web pages carrying ads owned by the criminals' affiliate ID. Other malware allows backdoor access to users' computers, letting the attackers remotely control them, block websites, steal usernames and passwords, and more. The security company also explained that mainly users with older machines were hit.
That does not mean every ad on this network carried the malicious iframe, but a computer with an outdated version of the Java Runtime whose user accessed Yahoo Mail during those six days could have been affected. Reports also revealed that the malware was spreading through ads shown in Yahoo Messenger. So it is advisable to scan your computer for malware if you use any Yahoo services.
This is not the first time the company has been in the spotlight for shoddy security. Back in November, Yahoo was reported to be one of the companies kept under surveillance by the NSA, after it had previously been reported that the company was refusing federal requests for user data. But Yahoo is not alone: Twitter and Google were also hacked by botnets, Facebook was recently accused of checking readers' private messages, and Hulu was accused of sharing information with Facebook. So, welcome to the new normal.