DNS settings modified to malicious servers...
FYI...
When Networks Turn Hostile ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/when-networks-turn-hostile/
May 20, 2014 - "We’ve previously discussed how difficult it is to safely connect to networks when on the go... many holiday lodges and hotels today have made Wi-Fi access an integral part of their offered amenities... it is easy to take secure Internet access for granted... using the provided Internet access, the Facebook app on my smartphone refused to connect. Other apps and websites worked fine, however. Trying to access YouTube using the mobile browser resulted in this:
Fake YouTube alert:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/05/router1.png
Obviously, the above warning made no sense on an Android device. What would happen if I tried to access Facebook on a PC, then? The same issue occurred – and an off-guard user might not find it suspicious at all:
Fake Facebook alerts:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/05/router2.png
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/05/router-2a.png
If the user actually clicked the OK button on either of the two messages the following pages would appear:
Fake Internet Explorer update:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/05/140520comment04.jpg
Fake Adobe Flash Player update:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/05/140520comment05.jpg
... Clicking on any part of the site results in a malicious file, detected as TSPY_FAREIT.VAOV, being downloaded and run on the affected system. FAREIT malware is typically used to download other threats onto an affected system. So, how was this done? A little investigation found that the DNS settings had been -modified- so that DNS queries went to a malicious server, that redirected users... The router of the network was a TP-Link TD-W8951ND all-in-one modem/router, which combined a DSL modem and a wireless router in just one device. However, this router contains a fairly serious vulnerability: an external user can access the page where the router’s firmware can be upgraded or backed up. However, this firmware file can be easily decoded; once decoded it contains the root password in the very first line... The list of targeted sites was fairly extensive, with more than 600 domains being targeted. Some of the sites targeted (aside from Facebook and Yahoo) include Ask, Bing, Google, LinkedIn, Pinterest, and SlideShare. All of these sites used the .com top-level domain...
How do you prevent yourself from becoming a victim of this attack? One suggestion is to explicitly use public DNS servers, such as those of Google (8.8.8.8 and 8.8.4.4). This can usually be done in the operating system’s network settings, and is applicable to both mobile and non-mobile systems... [or OpenDNS 208.67.222.222 and 208.67.220.220]* ... Two settings can also help in reducing the risks from these attacks: first, port 80 should be forwarded to a non-existent IP address. In addition, the web management interface of the router should not be accessible from the WAN side of the network."
* https://store.opendns.com/setup/
___
Multiple Vulnerabilities in SNMP ...
- http://atlas.arbor.net/briefs/
High Severity
May 23, 2014
"... these devices are considered end-of-life, they will likely not receive firmware upgrades addressing these security issues. Metasploit exploit code for these vulnerabilities is available. Attackers often make use of available exploit code for known vulnerabilities to target vulnerable systems..."
Disable SNMP wherever possible, ASAP.
- https://www.grc.com/port_161.htm
"... If our port analysis ever shows that a router (for example) or other network device exposed to the Internet has its SNMP interface open you will want to arrange to disable and close that port immediately..."
Related Ports: https://www.grc.com/port_23.htm
:fear::fear:
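As an added example (not part of the Trend Micro write-up or of the post above), here is a Python check that applies the tell-tale sign the write-up describes: with a hijacked router resolver, hundreds of unrelated .com names all come back pointing at one attacker-controlled IP, while a trusted public resolver returns the real addresses. The script compares the OS resolver (the one the router hands out via DHCP) with a direct UDP/53 query to a public resolver and flags names that share a "sink" IP the trusted resolver never returned. The 8.8.8.8 target, the domain list and the sample answers/response packet are assumptions constructed for the example; the live lookups only run when the file is executed directly.

```python
"""Spot a DNS-hijacking router: many unrelated names -> one sink IP.

Added example. Compares answers from the OS resolver against answers
from a trusted resolver queried directly, bypassing the router.
"""
import os
import socket
import struct
from collections import Counter

# Constructed sample data (not real lookups): what a hijacked resolver might
# return vs. what a trusted resolver returned for the same names.
HIJACKED_ANSWERS = {
    "facebook.com": {"203.0.113.7"},
    "google.com": {"203.0.113.7"},
    "youtube.com": {"203.0.113.7"},
    "bing.com": {"203.0.113.7"},
    "example.net": {"198.51.100.20"},   # not on the attacker's list
}
TRUSTED_ANSWERS = {
    "facebook.com": {"198.51.100.1"},
    "google.com": {"198.51.100.2", "198.51.100.3"},
    "youtube.com": {"198.51.100.4"},
    "bing.com": {"198.51.100.5"},
    "example.net": {"198.51.100.20"},
}

# Constructed DNS response: id 0x1234, flags 0x8180, 1 question, 2 A answers
# for example.com (names in the answers are compression pointers to offset 12).
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc6\x33\x64\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc6\x33\x64\x02"
)


def _skip_name(buf, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends name
            return off + 2
        off += 1 + length


def parse_a_records(data):
    """Extract IPv4 addresses from the answer section of a DNS response."""
    qdcount, ancount = struct.unpack(">HH", data[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4          # skip QTYPE + QCLASS
    ips = set()
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:            # A record
            ips.add(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return ips


def query_a(server, name, timeout=2.0):
    """Minimal A query sent straight to `server` on UDP/53, bypassing the OS resolver."""
    header = os.urandom(2) + struct.pack(">HHHHH", 0x0100, 1, 0, 0, 0)  # RD=1
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    packet = header + qname + struct.pack(">HH", 1, 1)   # QTYPE=A, QCLASS=IN
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data)


def find_sinkholes(answers, min_domains=3):
    """IPs that show up in the answers of at least `min_domains` different names."""
    counts = Counter(ip for ips in answers.values() for ip in ips)
    return {ip for ip, n in counts.items() if n >= min_domains}


def detect_hijack(untrusted, trusted, min_domains=3):
    """Return (sink_ips, suspicious_domains).

    A name is suspicious when the untrusted resolver points it at a shared sink
    IP and the trusted resolver agrees on none of the untrusted answers.
    """
    sinks = find_sinkholes(untrusted, min_domains)
    suspicious = sorted(
        name for name, ips in untrusted.items()
        if ips & sinks and not (ips & trusted.get(name, set()))
    )
    return sinks, suspicious


if __name__ == "__main__":
    # Live mode (needs network): OS resolver vs. Google Public DNS, an assumed choice.
    names = ["facebook.com", "google.com", "youtube.com", "bing.com", "linkedin.com"]
    local = {n: set(socket.gethostbyname_ex(n)[2]) for n in names}
    trusted = {n: query_a("8.8.8.8", n) for n in names}
    sinks, bad = detect_hijack(local, trusted)
    print("shared sink IPs:", sinks or "none")
    print("suspicious domains:", bad or "none")
```

Plain per-domain mismatches are noisy because CDN-fronted sites legitimately return different addresses to different resolvers; the shared-sink heuristic keys on the one thing the attack in the write-up cannot avoid, namely funnelling many unrelated names to the same redirect server. A hit is a reason to query the router's DNS settings and check whether its management interface is reachable from the WAN, as the write-up advises.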