Although cybercriminals mainly target vulnerabilities in browsers and their plugins, routers are an interesting target too. A well-known security researcher has discovered an exploit kit that is actively being used to attack vulnerabilities in Asus, Belkin, Linksys, D-Link and Zyxel routers.
The vulnerabilities concerned were already disclosed and patched in 2008, 2013 and 2015. Because most routers aren’t updated automatically and many consumers don’t install router updates manually, many vulnerable routers remain connected to the internet. Besides attacking known vulnerabilities, the exploit kit also performs brute-force attacks on all kinds of other models, including those of Asus, Microsoft and Linksys. When an attack succeeds, the router’s DNS settings are changed, allowing the attackers to route the hacked router’s internet traffic through their own servers or to redirect users to phishing sites.
Security researcher Kafeine of the blog Malware Don’t Need Coffee discovered the exploit kit. The kit only works on specific IP ranges. As soon as the attackers have hacked a router and changed the IP addresses of its DNS servers, the router is rebooted. As the secondary DNS server the cybercriminals use Google’s DNS server by default, which, according to the researcher, should keep users from becoming suspicious if there are problems with the IP address of the primary DNS server.
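As an added illustration that is not part of the original report, the small Python audit below flags the configuration pattern just described: a primary DNS server nobody recognises, paired with Google’s resolver as the secondary so that a fallback still works. The LAN range, the ISP resolver address and the router inventory are constructed values for this example.

```python
import ipaddress

# Constructed for this example: the LAN the router serves and the resolvers
# the owner expects to see (a hypothetical ISP resolver on a documentation
# address, plus Google Public DNS, which the kit sets as the secondary).
LAN = ipaddress.ip_network("192.168.1.0/24")
TRUSTED_RESOLVERS = {
    "8.8.8.8", "8.8.4.4",   # Google Public DNS
    "203.0.113.53",         # hypothetical ISP resolver
}


def classify(addr):
    """Classify one configured DNS server: trusted, local (LAN/loopback) or unknown."""
    ip = ipaddress.ip_address(addr)
    if str(ip) in TRUSTED_RESOLVERS:
        return "trusted"
    if ip in LAN or ip.is_loopback:
        return "local"
    return "unknown"


def audit_dns(primary, secondary):
    """Return (verdict, reason) for a router's primary/secondary DNS pair.

    A trusted secondary does not make the pair safe: clients send queries to
    the primary first, so a rogue primary answers them and the secondary only
    hides the hijack by keeping name resolution working if the primary fails.
    """
    p, s = classify(primary), classify(secondary)
    if p == "unknown" and s == "trusted":
        return ("hijacked-suspect",
                f"primary {primary} unrecognised while secondary {secondary} is a "
                "well-known public resolver; matches the router-hijack pattern")
    if p == "unknown":
        return ("hijacked-suspect", f"primary {primary} is not a recognised resolver")
    if s == "unknown":
        return ("review", f"secondary {secondary} is not a recognised resolver")
    return ("ok", "both resolvers recognised")


def audit_inventory(records):
    """records: iterable of (router_name, primary, secondary); returns flagged names."""
    return [name for name, pri, sec in records if audit_dns(pri, sec)[0] != "ok"]


if __name__ == "__main__":
    # Constructed inventory: one clean router, one with the kit's signature.
    inventory = [("office-rtr", "203.0.113.53", "8.8.8.8"),
                 ("home-rtr", "198.51.100.7", "8.8.8.8")]
    for name in audit_inventory(inventory):
        print("FLAGGED:", name)
```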