Researchers at Bad Packets revealed a continuing wave of automated attacks from December aimed at changing DNS settings on home and office routers. In case of a successful attack on the device, DNS servers of attackers are registered, which return fake IP addresses for some domains, which leads to redirection to scam sites created for phishing and capturing authentication parameters.
The attack is aimed at hitting routers running non-updated firmware containing known vulnerabilities. For example, to attack D-Link devices, a vulnerability identified as early as 2015 is used, allowing you to change the DNS settings without passing authentication. To scan the network, hacked Google Cloud environments are used.
During the attack, D-Link routers (DSL-2640B, DSL-2740R, DSL-2780B and DSL-526B), ARG-W4 ADSL, DSLink (260E), Secutech and TOTOLINK are affected. The largest number of compromised systems falls on the D-Link DSL-2640B (14327 vulnerable devices) and TOTOLINK (2265 vulnerable devices) devices. After a successful attack on the device, one of the DNS servers controlled by the attackers is registered: 220.127.116.11, 18.104.22.168, 22.214.171.124 and 126.96.36.199.