Serviceteam IT Security News

Hackers have been breaking into home routers to change DNS server settings and hijack the traffic to redirect it to malicious sites, according to Troy Mursch, security researcher for Bad Packets.

Researchers have detected different types of attacks that are targeting consumer routers, all of which were reportedly traced back to hosts on the Google Cloud Platform (AS15169) network. Mursch detailed three different waves of findings, which started in December 2018. In the most recent wave, discovered on March 26, “attacks came from three distinct Google Cloud Platform hosts and targeted additional types of consumer routers not previously seen before.”

According to Mursch, determining the scope and scale of these attacks is virtually impossible unless researchers use the tactics employed by the malicious actors.

“We have suspended the fraudulent accounts in question and are working through established protocols to identify any new ones that emerge. We have processes in place to detect and remove accounts that violate our terms of service and acceptable use policy, and we take action on accounts when we detect abuse, including suspending the accounts in question. These incidents highlight the importance of practicing good security hygiene, including patching router firmware once a fix becomes available,” wrote a Google Cloud spokesperson.

“Home router vulnerabilities are a great nuisance for organizations, and in light of the latest news about hackers leveraging D-Link routers to hijack DNS traffic, organizations should put their guard up,” said Justin Jett, director of audit and compliance for Plixer.

“While home routers don’t directly connect with the corporate network, they are used by individuals at home and in many cases connect business assets like mobile phones and computers to the internet when employees are not on campus.”

Considering the growing number of remote workers, it is not difficult for malicious actors to bypass corporate defenses via employees’ home networks, which typically have far fewer safeguards than the corporate network. “By changing the DNS server settings at the home router, users may unknowingly connect to sites that will download malware onto their system,” Jett said.

“When the users return to the corporate network, or connect to the VPN, the malware can begin looking for ways to further exploit the organization. Network and security professionals should leverage network traffic analytics to understand normal user behavior. By doing so, when a user returns to the corporate network and starts to display unusual traffic behavior, the network and security teams can quickly identify that there is a problem and remediate.”
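The two points above, a router whose DNS settings have been changed so that clients are pointed at a rogue resolver, and the suggestion that traffic analytics should spot a returning endpoint that no longer behaves normally, can be joined in a single check. The following Python script is an added example written for this page; it is not from the article, Bad Packets or Plixer. It assumes flow records in a simple constructed format (timestamp, source, destination, protocol, destination port, bytes), a hypothetical allowlist of corporate resolvers (CORPORATE_RESOLVERS) and internal address space (INTERNAL_NETS), and a constructed sample in which one host has come back from a home network still using a resolver its router handed it. It flags hosts sending port 53 traffic to resolvers outside the approved set and, separately, resolvers that were absent from that host's own baseline.

```python
"""Spotting DNS-hijacked endpoints from flow records.

Added example, not the article's or any vendor's code. Assumptions:
- CORPORATE_RESOLVERS is the complete set of resolvers managed hosts
  are supposed to use on the corporate network (hypothetical values).
- INTERNAL_NETS is the internal address space (hypothetical value).
- Flow lines look like: "timestamp src_ip dst_ip proto dst_port bytes".
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

CORPORATE_RESOLVERS = {"10.0.0.53", "10.0.1.53"}       # assumption
INTERNAL_NETS = [ip_network("10.0.0.0/8")]              # assumption

# Constructed baseline: a quiet period in which both hosts only ever
# resolve names through the corporate resolvers.
BASELINE_FLOWS = """\
2019-03-29T09:00:01 10.0.5.20 10.0.0.53 udp 53 74
2019-03-29T09:00:02 10.0.5.21 10.0.0.53 udp 53 80
2019-03-29T09:00:03 10.0.5.21 10.0.1.53 udp 53 77
"""

# Constructed current records: 10.0.5.20 has returned to the office but
# still sends DNS to 198.51.100.7, a resolver its home router handed it.
SAMPLE_FLOWS = """\
2019-04-05T09:00:01 10.0.5.21 10.0.0.53 udp 53 74
2019-04-05T09:00:02 10.0.5.21 10.0.0.53 udp 53 80
2019-04-05T09:00:03 10.0.5.20 10.0.0.53 udp 53 74
2019-04-05T09:00:04 10.0.5.20 198.51.100.7 udp 53 91
2019-04-05T09:00:05 10.0.5.20 198.51.100.7 udp 53 88
2019-04-05T09:00:06 10.0.5.20 198.51.100.7 tcp 53 310
2019-04-05T09:00:07 10.0.5.21 93.184.216.34 tcp 443 1500
"""


def parse_flows(text):
    """Parse flow lines into dicts; malformed or blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, dst, proto, dport, nbytes = parts
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "proto": proto.lower(), "dport": int(dport),
                      "bytes": int(nbytes)})
    return flows


def is_internal(ip):
    """True when the address falls inside the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def dns_destinations(flows):
    """Map each source host to the set of servers it sent DNS to (port 53)."""
    dests = defaultdict(set)
    for f in flows:
        if f["dport"] == 53 and f["proto"] in ("udp", "tcp"):
            dests[f["src"]].add(f["dst"])
    return dests


def rogue_resolver_report(flows):
    """Hosts using resolvers outside the approved set.

    Returns {host: [(resolver, "external" | "internal"), ...]}; an
    external resolver is the classic sign of a hijacked router setting.
    """
    report = {}
    for host, servers in dns_destinations(flows).items():
        unapproved = sorted(s for s in servers if s not in CORPORATE_RESOLVERS)
        if unapproved:
            report[host] = [(s, "internal" if is_internal(s) else "external")
                            for s in unapproved]
    return report


def baseline_deviations(baseline_flows, current_flows):
    """Per host, resolvers seen now that never appeared in its baseline."""
    base = dns_destinations(baseline_flows)
    now = dns_destinations(current_flows)
    return {h: sorted(now[h] - base.get(h, set()))
            for h in now if now[h] - base.get(h, set())}


if __name__ == "__main__":
    current = parse_flows(SAMPLE_FLOWS)
    for host, hits in rogue_resolver_report(current).items():
        for resolver, kind in hits:
            print(f"{host}: DNS to unapproved {kind} resolver {resolver}")
    for host, new in baseline_deviations(parse_flows(BASELINE_FLOWS), current).items():
        print(f"{host}: resolvers not in baseline: {', '.join(new)}")
```

The allowlist check catches the hijack directly; the baseline check is the "understand normal user behaviour" step and also catches a resolver that is internal but new for that host, which the allowlist alone would miss if the allowlist were incomplete.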

***Update*** April 5, 2019. This article was updated to include comment from Google Cloud. 

Source: Infosecurity Magazine

With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity, and cloud services for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101, use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!