Recent research has uncovered a global campaign involving the hijacking of DNS settings in outdated home routers, which redirected web traffic through servers operated by Aeza International, a Russian bulletproof hosting provider sanctioned by the United States.
Infoblox released findings on February 3 that reveal how home internet users in over 35 countries experienced traffic redirection due to attackers exploiting vulnerabilities in aging consumer routers. These routers, which are still in use but no longer supported with security updates, allowed attackers to manipulate DNS settings, effectively guiding users to potentially harmful websites while their browsing experience seemed normal.
The assailants specifically targeted older routers that remain prevalent in many home networks. Once access was achieved, they altered the DNS configurations, controlling where web traffic was channeled. This type of attack poses a risk to all devices connected to the compromised router, including smartphones, laptops, and smart home devices, often without the users’ awareness.
According to Infoblox, the tampered DNS traffic was rerouted to resolvers managed by Aeza International. Following this rerouting, the traffic was integrated into an HTTP-based Traffic Distribution System. Infoblox’s researchers noted that users were first verified as originating from a compromised router before their traffic was further directed.
In their report, Infoblox stated that approved traffic was then passed through various advertising and affiliate networks, frequently leading users to misleading or malicious websites. This method not only compromises user privacy but also potentially generates revenue for the attackers.
Renée Burton, vice president of Infoblox Threat Intelligence, emphasized that this campaign illustrates the often-overlooked security risks associated with DNS. By gaining control over DNS settings at the router level, attackers can monitor and influence every connection that transpires behind the compromised device. This not only jeopardizes user safety but transforms regular web activity into lucrative opportunities for cybercriminals.
The principal countermeasure for home users is to replace old routers with newer models that receive regular security updates. Unfortunately, the findings also indicate that consumer networking devices have become a frequent target for attackers, especially when they continue operation without crucial security patches long after manufacturer support ends.
This incident has significant implications for businesses, particularly those relying on outdated infrastructure. Understanding the tactics used in such a cyber campaign is vital for mitigating risk. The attack exemplifies MITRE ATT&CK techniques including initial access through exploitation of vulnerable components and DNS manipulation for redirection, highlighting the urgent need for robust cybersecurity practices in all organizations.