Russian Hackers Exploiting Home and Small-office Routers in Massive DNS Hijacking Attack

Parkinsond

Dec 6, 2023
The attack chain begins with Forest Blizzard gaining unauthorized access to poorly secured SOHO routers and silently modifying their default network settings. Specifically, the actor replaces the router’s legitimate DNS resolver configuration with actor-controlled DNS servers.

Since endpoint devices, such as laptops, phones, and workstations, automatically inherit network configuration from routers via the Dynamic Host Configuration Protocol (DHCP), every device connecting through a compromised router unknowingly begins forwarding its DNS requests to Russian intelligence-controlled infrastructure.
This is a good reason to set your DNS provider in your OS or browser in addition to your router, to avoid DNS hijacking when the router is compromised.
 
I would not trust my ISP-controlled router with anything; it has ~5-year-old firmware and probably uses Password123. 😂
Regarding password, I always change the default one after getting the router.

It was optional to use the ISP modem router or any one you chose to buy with ADSL; however, to get fiber-optic internet, I must use the ONT router provided by the ISP.
 
More coverage from the original security firm: FrostArmada Forest Blizzard DNS hijacking
Inside that article the IOC DNS entries were provided: IOCs/FrostArmada_IOCs.txt at main · blacklotuslabs/IOCs

Attack vector: unknown. Only post-intrusion DNS settings were recovered.

I checked my DNS settings; they were OK. Checked my firewall settings; they were OK. Checked my VLAN settings; they were OK. Admin password: 16-char random gibberish. DHCP: not used. I check for updates monthly, as scheduled on my cell phone; last update this month. I have to be careful because I use a SOHO MikroTik router, one of the brands that the adversaries targeted, and 18,000 is a lot of compromised routers.
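The two posts above describe the check in question: a device behind a hijacked router inherits the router's DNS servers via DHCP, and the Black Lotus Labs IOC file lists the actor-controlled resolvers to compare against. The script below is an added example written for this thread, not code from the posts, Microsoft or Black Lotus Labs. It assumes the IOC file is plain text with one IP or CIDR per line and `#` comments, and reads the host's resolvers from resolv.conf-style text and from an ISC dhclient lease file; every IOC entry and config fragment in it is constructed (RFC 5737 / RFC 3849 documentation addresses stand in for the real indicators).

```python
"""Compare a host's effective DNS resolvers against a list of actor-controlled
DNS servers (IOCs).  Added example for the thread, not vendor code.

Assumptions (not from the page): the IOC file lists one IPv4/IPv6 address or
CIDR range per line with '#' comments; resolvers come from resolv.conf-style
text or from the 'option domain-name-servers' line a DHCP client wrote into its
lease file.  All sample data below is CONSTRUCTED; 203.0.113.0/24 and 2001:db8::
are documentation ranges standing in for real IOCs.
"""
import ipaddress
import re
from typing import Iterable

# Constructed IOC list in the shape of a one-entry-per-line text file.
SAMPLE_IOC_TEXT = """\
# FrostArmada-style resolver IOCs (CONSTRUCTED sample, not the real list)
203.0.113.10
203.0.113.11
203.0.113.64/26
2001:db8:bad::53
"""

# Constructed /etc/resolv.conf as a DHCP client would write it behind a hijacked
# router: one actor-controlled resolver plus the router's own address.
SAMPLE_RESOLV_CONF = """\
# Generated by dhcpcd from eth0.dhcp
nameserver 203.0.113.70
nameserver 192.168.1.1
search lan
"""

# Constructed ISC dhclient lease excerpt for the same network.
SAMPLE_DHCLIENT_LEASE = """\
lease {
  interface "eth0";
  fixed-address 192.168.1.23;
  option routers 192.168.1.1;
  option domain-name-servers 203.0.113.11,192.168.1.1;
  option dhcp-server-identifier 192.168.1.1;
}
"""


def parse_ioc_list(text: str) -> list:
    """Parse IPs/CIDRs from IOC text, skipping blanks, comments and non-IP lines."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # domains, hashes etc. are not handled by this check
    return nets


def parse_resolv_conf(text: str) -> list:
    """Return the nameserver addresses from resolv.conf-style text, in order."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"nameserver\s+(\S+)", line)
        if m:
            servers.append(m.group(1))
    return servers


def parse_dhclient_lease(text: str) -> list:
    """Return DNS servers from every 'option domain-name-servers a,b;' line."""
    servers = []
    for m in re.finditer(r"option\s+domain-name-servers\s+([^;]+);", text):
        servers.extend(s.strip() for s in m.group(1).split(","))
    return servers


def check_resolvers(resolvers: Iterable[str], iocs: Iterable) -> list:
    """Return (resolver, matched_ioc) pairs for each resolver inside an IOC range."""
    hits = []
    for r in resolvers:
        try:
            addr = ipaddress.ip_address(r)
        except ValueError:
            continue  # malformed entry; report separately in a real tool
        for net in iocs:
            if addr.version == net.version and addr in net:
                hits.append((r, str(net)))
                break
    return hits


def run_sample_check() -> dict:
    """Run both resolver sources against the constructed IOC list."""
    iocs = parse_ioc_list(SAMPLE_IOC_TEXT)
    return {
        "resolv_conf": check_resolvers(parse_resolv_conf(SAMPLE_RESOLV_CONF), iocs),
        "dhcp_lease": check_resolvers(parse_dhclient_lease(SAMPLE_DHCLIENT_LEASE), iocs),
    }


if __name__ == "__main__":
    for source, hits in run_sample_check().items():
        for resolver, ioc in hits:
            print(f"[{source}] resolver {resolver} matches IOC {ioc}")
```

To use it for real, feed `parse_ioc_list` the downloaded IOC file and `parse_resolv_conf` / `parse_dhclient_lease` the contents of `/etc/resolv.conf` and the dhclient lease file (on Windows, the equivalent input is the server list from `Get-DnsClientServerAddress`). The check only inspects configuration: it catches the DHCP-inherited resolvers the Microsoft text describes, but it cannot see a router that intercepts port 53 traffic regardless of what the host has configured, which is why the advice to also set DNS in the OS is a mitigation and not a guarantee.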
 
I do not check my router settings because I do not have the luxury of replacing even if not receiving firmware updates.
But I check MD exclusions daily.
 
because I do not have the luxury of replacing
I replaced mine because I had no choice; my last router was maybe compromised, as the Snort IPS refused to start up. This one is cheap: $79, Ethernet only, no IPS. Lots of features though: firewall, VLAN, DHCP snooping, hotspot, isolation, monthly updates (so far)...
 
The only source for replacement for ONT router is the ISP; any third-party one would not work.
 
Oh, I was talking about the second-level router, not the modem+router. My modem+router is ISP-provided also and can't be replaced, same as yours. Can't trust the ISP equipment.
 
More coverage from the original security firm: FrostArmada Forest Blizzard DNS hijacking
Inside that article the IOC DNS entries were provided: IOCs/FrostArmada_IOCs.txt at main · blacklotuslabs/IOCs

The Microsoft article didn't say how the SOHO routers were vulnerable, but this article does:

We suspect the actor attempted to exploit CVEs associated with vulnerabilities in the web-interface on TP-Link and MikroTik routers
We observed a similar pattern of activity stemming from the same cluster to networking equipment that was exposed to the internet, such as enterprise-grade firewalls like Fortinet. Analysis revealed these to be older models and thus we suspect that they were vulnerable to known CVEs. We also observed connections to smaller-brand firewall products such as Nethesis. We suspect that these devices were targeted opportunistically because they are not connected to any of the sectors listed in the Joint Cybersecurity Advisory on GRU cyber campaigns—including government, defense contractors, IT providers, political organizations, energy and logistics.
 