GhostDNS Campaign Targets Brazilian Banks and Customers

Share On Facebook
Share On Twitter
Share On Linkedin

Author: Yadu Nadh
TLP: WHITE
 

Overview

On 26 January, Team Cymru posted an update to their analysis of the GhostDNS exploit kit.1,2 Their report detailed an ongoing GhostDNS campaign that targets unsuspecting users by compromising and changing the DNS of their router to deliver phishing websites. NetLab has also reported on this campaign.3

Customer Impact

GhostDNS is an exploit kit that threat actors can use to change DNS settings to route victim requests for certain websites to phishing pages on malicious servers.4 Requests for other sites use a secondary, usually public, server such as Google’s public DNS server. This feature allows threat actors to avoid detection for long periods of time.

Campaign Analysis

This campaign targets more than 70 different types of routers with weak passwords or unpatched vulnerabilities to redirect victims to phishing websites that steal user credentials. The threat actor appears to be targeting Brazilian banks located in Brazil and Argentina, and their customers.

Attack Chain

In this campaign, the threat actor scans the internet for vulnerable routers and uses known vulnerabilities or guesses passwords to gain access. They may also bypass the authentication through the dnscfg.cgi exploit.

Once they have gained access, the threat actor then changes the router’s DNS configurations to an actor-controlled Rogue DNS server via the DNS configuration interface.

When the victim queries a specific domain, the Rogue DNS server redirects them to a phishing domain that the actor can use to steal the victim’s credentials or lure them into downloading and executing malware.

Vulnerabilities & Mitigation

This campaign targets routers that are misconfigured or unpatched. Infoblox recommends the following actions to reduce the risk of this type of infection:

  • Keep routers up-to-date with the latest security patches to block known vulnerability.
  • Configure the router with strong username and password.
  • Do not enter credentials without verifying the source

Endnotes

  1. https://team-cymru.com/blog/2021/01/26/illuminating-ghostdns-infrastructure-part-3/
  2. https://team-cymru.com/blog/2020/09/08/illunimating-ghostdns-infrastructure-part-1/
  3. https://blog.netlab.360.com/70-different-types-of-home-routers-all-together-100000-are-being-hijacked-by-ghostdns-en/
  4. https://decoded.avast.io/simonamusilova/ghostdns-source-code-leaked/

 

Labels:

Infoblox Threat Intel

Infoblox Threat Intel is the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access give us a backstage pass to the internet's inner workings. We're proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox DNS Detection and Response solutions, so customers automatically get the benefits of it, along with ridiculously low false positive rates.

View All Posts

You might also be interested in

You might also be interested in

×