Ongoing DNS Hijacking Attack Discovered

Attackers exploit old vulnerabilities, targeting consumer devices that have not been updated
05 April 2019

Researchers at Bad Packets have revealed an ongoing wave of automated attacks, running since December, that aim to change the DNS settings on home and office routers. If an attack on a device succeeds, attacker-controlled DNS servers are configured on it. These servers return fake IP addresses for certain domains, redirecting users to scam sites built for phishing and for capturing login credentials.

The attack targets routers running outdated firmware with known vulnerabilities. For example, D-Link devices are attacked through a vulnerability identified as early as 2015 that allows the DNS settings to be changed without authentication. Compromised Google Cloud environments are used to scan the network for targets.

The affected devices are D-Link routers (DSL-2640B, DSL-2740R, DSL-2780B and DSL-526B), ARG-W4 ADSL, DSLink (260E), Secutech and TOTOLINK. The largest numbers of compromised systems are D-Link DSL-2640B (14327 vulnerable devices) and TOTOLINK (2265 vulnerable devices). After a successful attack, the device is configured to use one of the DNS servers controlled by the attackers: 144.217.191.145, 66.70.173.48, 195.128.124.131 and 195.128.126.165.
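The two symptoms described above (a router pointing at an attacker-controlled resolver, and that resolver answering with fake addresses for selected domains) can be checked from a client behind the router. The following script is an added example, not code from Bad Packets or from the article; the four resolver IPs come from the article, while the resolv.conf text and the DNS answers are constructed sample data, so nothing is queried over the network.

```python
"""Detect router DNS hijacking of the kind described in the article.

Two checks a defender can run from a client behind the router:
  1. Is any configured resolver one of the attacker-controlled servers
     reported by Bad Packets (IP list taken from the article)?
  2. Do the device resolver's answers disagree with a trusted reference
     resolver for the same names (the 'fake IP for some domains' symptom)?

All inputs below are constructed samples; no network access is performed.
"""
import ipaddress

# Resolver IPs the article reports as attacker-controlled.
HIJACK_RESOLVERS = {
    "144.217.191.145", "66.70.173.48",
    "195.128.124.131", "195.128.126.165",
}


def parse_resolv_conf(text):
    """Return the nameserver IPs listed in resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue                           # skip malformed entries
    return servers


def flag_known_bad(servers):
    """Resolvers that appear in the known-bad list."""
    return sorted(s for s in servers if s in HIJACK_RESOLVERS)


def compare_answers(device_answers, reference_answers):
    """Domains whose device-resolver answers share no IP with the reference.

    A disagreement is a signal to investigate, not proof: CDN-backed names
    legitimately return different addresses to different resolvers.
    """
    mismatches = {}
    for name, ref_ips in reference_answers.items():
        dev_ips = set(device_answers.get(name, ()))
        if dev_ips and not dev_ips & set(ref_ips):
            mismatches[name] = sorted(dev_ips)
    return mismatches


# Constructed sample: resolv.conf as handed out by a hijacked router.
SAMPLE_RESOLV_CONF = """\
# generated by router (constructed sample)
nameserver 144.217.191.145
nameserver 8.8.8.8
"""

# Constructed sample answers (documentation-range addresses).
SAMPLE_DEVICE_ANSWERS = {
    "bank.example": ["203.0.113.10"],     # differs from the reference answer
    "news.example": ["198.51.100.5"],
}
SAMPLE_REFERENCE_ANSWERS = {
    "bank.example": ["198.51.100.20"],
    "news.example": ["198.51.100.5"],
}


def audit(resolv_conf=SAMPLE_RESOLV_CONF,
          device_answers=SAMPLE_DEVICE_ANSWERS,
          reference_answers=SAMPLE_REFERENCE_ANSWERS):
    """Run both checks and return the findings as a dict."""
    servers = parse_resolv_conf(resolv_conf)
    return {
        "bad_resolvers": flag_known_bad(servers),
        "mismatched_domains": compare_answers(device_answers, reference_answers),
    }


if __name__ == "__main__":
    print(audit())
```

On a real client, replace the constructed inputs with the contents of the DHCP-supplied resolver configuration and with answers obtained from the device resolver and from a resolver you trust; a hit in `bad_resolvers` is conclusive, while a `mismatched_domains` entry warrants a look at the router's DNS settings page rather than an immediate verdict.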

Matrix & Riot Hosts Shut Down Due to Hack

The Matrix team says the breach was carried out through a vulnerability in an unpatched Jenkins continuous integration system
12 April 2019

The developers of the decentralized messaging platform Matrix have announced an emergency shutdown of the Matrix.org and Riot.im servers (Riot is the main Matrix client) following a compromise of the project's infrastructure. The first shutdown took place last night; the servers were then restored and the applications rebuilt from the reference source code. A few minutes ago, however, the servers were compromised a second time.

The attackers placed detailed information about the server configuration on the project's main page, together with data indicating that they hold a database of password hashes for almost five and a half million Matrix users. As proof, the password hash of the project lead was published openly. The modified site code has been placed in the attackers' repository on GitHub (not in the official Matrix repository). Details of the second breach are not yet available.

After the first breach, the Matrix team published a report stating that the attackers got in through a vulnerability in an unpatched Jenkins continuous integration system. Having gained access to the Jenkins server, the attackers intercepted SSH keys and used them to reach other infrastructure servers. The source code and packages were reportedly not affected by the attack, and Modular.im servers were not affected either. The attackers did, however, gain access to the main DBMS, which also holds unencrypted messages, access tokens and password hashes.
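The step from the Jenkins host to the rest of the infrastructure relied on SSH keys that were accepted on other servers. One mitigation is to make sure keys that originate from a CI host are restricted in `authorized_keys` (a `from=` source restriction and a `command=` forced command), so a stolen key is of little use elsewhere. The audit below is an added example, not code from the Matrix project or its report; the `authorized_keys` contents are constructed and the key material is a placeholder.

```python
"""Audit an OpenSSH authorized_keys file for keys without `from=` or
`command=` restrictions, i.e. keys that could be reused for lateral movement
if copied from a CI host. The sample file below is constructed; it is not
from the Matrix infrastructure.
"""

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def split_options(line):
    """Split an authorized_keys line into (options, rest).

    The options field has no spaces except inside double quotes, so scan for
    the first unquoted whitespace; a line starting with a key type has none.
    """
    if line.startswith(KEY_TYPE_PREFIXES):
        return "", line
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i + 1:].lstrip()
    return line, ""


def parse_option_names(options):
    """Return the set of option names (lower-cased) from the options field."""
    names, current, in_quote = [], "", False
    for ch in options:
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            names.append(current)
            current = ""
        else:
            current += ch
    if current:
        names.append(current)
    return {n.split("=", 1)[0].strip().lower() for n in names if n.strip()}


def parse_authorized_keys(text):
    """Parse entries into dicts with option names, key type and comment."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        options, rest = split_options(line)
        fields = rest.split(None, 2)
        if len(fields) < 2:
            continue                                # malformed line, skip
        entries.append({
            "options": parse_option_names(options),
            "type": fields[0],
            "comment": fields[2] if len(fields) == 3 else "",
        })
    return entries


def unrestricted_keys(text):
    """Entries that carry neither a from= nor a command= restriction."""
    return [e for e in parse_authorized_keys(text)
            if not ({"from", "command"} & e["options"])]


# Constructed sample authorized_keys; the key blob is a placeholder.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample, not a real key file
ssh-ed25519 AAAAPLACEHOLDERKEYMATERIAL ci-deploy@jenkins
from="10.0.0.5",command="/usr/local/bin/deploy.sh",no-pty ssh-ed25519 AAAAPLACEHOLDERKEYMATERIAL ci-restricted@jenkins
restrict ssh-rsa AAAAPLACEHOLDERKEYMATERIAL admin@laptop
"""

if __name__ == "__main__":
    for entry in unrestricted_keys(SAMPLE_AUTHORIZED_KEYS):
        print("unrestricted key:", entry["type"], entry["comment"])
```

Run against each server's `authorized_keys`, the report lists every key a stolen private key could exercise from any source host with a full shell; for CI keys the fix is to pin the source address and force a single command, and to rotate the key if it may already have been exposed.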

All users were advised to change their passwords. However, when changing the password in the main Riot client, users lose the files holding backup copies of the keys needed to decrypt their encrypted correspondence, and with them access to their message history.