A wave of DNS hijacking attacks that abuse Google's cloud computing service is causing consumer routers to connect to fraudulent and potentially malicious websites and addresses, a security researcher has warned.
By now, most people know that Domain Name System servers translate human-friendly domain names into the numeric IP addresses that computers need to find other computers on the Internet. Over the past four months, attackers have been using Google's cloud service to scan the Internet for routers that are vulnerable to remote exploits. When they find susceptible routers, the attackers then use the Google platform to send malicious code that configures the routers to use malicious DNS servers.
Troy Mursch, the independent security researcher who published Thursday's post, said the first wave hit in late December. The campaign exploits vulnerabilities in four models of D-Link routers, including:
The exploits gave attackers control over routers that hadn't been patched. The attackers would then use the DNS server at 66.70.1
A second wave in early February targeted the same vulnerable D-Link routers, only this time it used a rogue DNS server at 18.104.22.168, a different OVH IP address. According to Twitter user parseword, most of the DNS requests were then redirected to two IPs, one allocated to a crime-friendly hosting provider (AS206349) and the other pointing to a service that monetizes parked domain names (AS395082
The third and last-known wave occurred last week. It came from three distinct Google Cloud Platforms and targeted additional consumer router models including the ARG-W4 ADSL, DSLink 260E, and those from Secutech and TOTOLINK. The rogue DNS servers used in the latest round, 22.214.171.124 and 126.96.36.199, are both hosted in Russia by Inoventica Services, with Internet access provided by subsidiary Garant-Park-Internet Limited (AS47196).
At the time of the post, the last batch of rogue DNS servers was still operating. The DNS servers from the previous waves, he added, were no longer operating. While the attacks abused services from a variety of providers, Mursch said Google's cloud service stood out.
"It's not meant to be a Google hit piece," the researcher said of Thursday's post. "But it's so easy to abuse their platform. You sign up for an account and boom. It's really that easy." He said Google will eventually terminate service once the company receives reports of the abuse, but it often takes time and effort before that happens. Ars asked Google representatives for comment and will update this post if they respond.
Mursch said he hasn't yet investigated exactly what domains are spoofed in the attacks. One of the best-known DNS hijacking campaigns came to light in 2012 under the name DNS Changer and generated millions of dollars in fake advertising revenue by steering 500,000 computers to fake addresses. Rogue DNS server schemes have also been used to serve malicious ads and direct people to fake banking sites.
The best way for people to protect themselves against these kinds of attacks is to ensure their routers are running the latest firmware. All four of the D-Link vulnerabilities under attack were fixed years ago, but many people never go through the hassle of manually installing the patches. It's also a good idea to periodically inspect router configurations to make sure DNS settings are OK. Cloudflare's free DNS service 188.8.131.52 is a good bet. It's never a bad idea to also configure the operating system of each device to use a DNS server such as 184.108.40.206, but Mursch warned that sometimes malicious changes made to hacked routers can override those OS configurations.
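As an added example (not part of the article), the periodic DNS-settings check described above can be scripted: it pulls the resolvers out of resolv.conf-style text, flags any that match the rogue servers the article names, and treats a private address (the router itself) as a reminder that the router's own upstream DNS must be checked too, since a hijacked router overrides what the host sees. The trusted list, the sample config and the function names are assumptions.

```python
# Added example, not the article's code: audit configured DNS resolvers
# against the rogue addresses named in the article and an allow-list.
import ipaddress
import re

# Rogue DNS servers named in the article (second and third waves).
ROGUE_RESOLVERS = {"18.104.22.168", "22.214.171.124", "126.96.36.199"}

# Assumed allow-list: the resolvers the article suggests, as it prints them.
TRUSTED_RESOLVERS = {"188.8.131.52", "184.108.40.206"}

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def extract_resolvers(resolv_conf: str) -> list[str]:
    """Pull nameserver addresses out of resolv.conf-style text."""
    return NAMESERVER_RE.findall(resolv_conf)


def audit_resolvers(resolvers: list[str]) -> dict[str, list[str]]:
    """Classify each resolver as rogue, trusted, router (private) or unknown.

    A 'router' entry means the host delegates to the gateway, so the
    router's own upstream DNS setting must be inspected separately: a
    hijacked router forwards to the rogue server and the host never sees it.
    """
    report: dict[str, list[str]] = {"rogue": [], "unknown": [], "trusted": [], "router": []}
    for addr in resolvers:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:  # not an IP literal at all; treat as suspicious
            report["unknown"].append(addr)
            continue
        if addr in ROGUE_RESOLVERS:
            report["rogue"].append(addr)
        elif addr in TRUSTED_RESOLVERS:
            report["trusted"].append(addr)
        elif ip.is_private:
            report["router"].append(addr)
        else:
            report["unknown"].append(addr)
    return report


# Constructed sample (not a real capture): host uses its router plus one rogue entry.
SAMPLE_RESOLV_CONF = """# constructed sample
nameserver 192.168.0.1
nameserver 18.104.22.168
"""
```

Running `audit_resolvers(extract_resolvers(SAMPLE_RESOLV_CONF))` on the sample reports the rogue entry and the router address; anything in `unknown` or `rogue` warrants resetting the device's DNS settings and updating its firmware.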