Over the last three months, our honeypots have detected DNS hijacking attacks targeting various types of consumer routers. All exploit attempts have originated from hosts on the network of Google Cloud Platform (AS15169). In this campaign, we’ve identified four distinct rogue DNS servers being used to redirect web traffic for malicious purposes.

First wave – December 29, 2018

⚠️ WARNING ⚠️

Unauthenticated Remote DNS Change Exploit Detected

Target: D-Link routers (https://t.co/TmYBAAR1T7)

Source IP: 35.190.195.236 (AS15169) 🇺🇸

Rogue DNS server: 66.70.173.48 (AS16276) 🇨🇦 pic.twitter.com/fRnCoXQM3H — Bad Packets Report (@bad_packets) December 30, 2018

The first DNS hijacking exploit attempts targeted multiple models of D-Link DSL modems, including the DSL-2640B, DSL-2740R, DSL-2780B and DSL-526B (the same four D-Link models counted in the exposure figures below).

The rogue DNS server used in this attack was 66.70.173.48, hosted by OVH Canada (AS16276).

Second wave – February 6, 2019

⚠️ WARNING ⚠️

Additional exploit attempts detected from new unique hosts. All source IPs originate from AS15169 (Google LLC) and are assigned to @googlecloud customers. See here for more info on the rogue DNS server: https://t.co/wZBGApwukM pic.twitter.com/SomuHe6BSf — Bad Packets Report (@bad_packets) February 7, 2019

This wave targeted the same D-Link modems listed above. The rogue DNS server, 144.217.191.145, was again hosted by OVH Canada (AS16276).

As Twitter user “parseword” noted, the majority of DNS queries sent to this rogue server were being answered with two IPs allocated to a crime-friendly hosting provider (AS206349), and the remainder with an IP belonging to a service that monetizes parked domain names (AS395082).

Third wave – March 26, 2019

⚠️ WARNING ⚠️

Multiple Remote DNS Change Exploits Detected https://t.co/Ku6Wv997Yc

Target: Multiple (see attached list of routers)

Source IP: Multiple @googlecloud hosts (AS15169) 🇺🇸

Recon Scan Type: Masscan

Rogue DNS servers: 195.128.124.131 & 195.128.126.165 (AS47196) 🇷🇺 pic.twitter.com/IKXQDZBjv1 — Bad Packets Report (@bad_packets) March 30, 2019

The latest wave of attacks came from three distinct Google Cloud Platform hosts and targeted additional types of consumer routers not seen in the earlier waves: ARG-W4 ADSL routers, DSLink 260E routers, Secutech routers, and TOTOLINK routers.

The rogue DNS servers used in this round, 195.128.126.165 and 195.128.124.131, are both hosted in Russia by Inoventica Services. Internet access is provided by their subsidiary Garant-Park-Internet Ltd (AS47196).

In all three waves, the attacker first ran a Masscan recon scan for hosts with 81/tcp open, then sent the DNS-change requests to the hosts that responded. The exploits themselves are single unauthenticated HTTP GET requests to the router’s web interface (see the IOC section below): the affected firmware accepts a new primary and secondary DNS server without a login session or any CSRF protection.

How many targeted devices are vulnerable?

Establishing a definitive total of vulnerable devices would require us to employ the same tactics used by the threat actors in this campaign. Obviously this won’t be done; however, we can catalog how many of the targeted models expose at least one service to the public internet, using data provided by BinaryEdge. Note that these are exposure counts, not confirmed-vulnerable counts: an exposed device may already be patched, and a vulnerable device behind a non-standard port may not be indexed.

D-Link DSL-2640B – 14,327

D-Link DSL-2740R – 379

D-Link DSL-2780B – 0

D-Link DSL-526B – 7

ARG-W4 ADSL routers – 0

DSLink 260E routers – 7

Secutech routers – 17

TOTOLINK routers – 2,265

Why are DNS hijacking attacks conducted?

As we saw years ago with the DNSChanger malware, which raked in an estimated $14 million, advertising-related fraud is still very lucrative for cybercriminals. Other researchers have noted that domain parking remains a booming business often tied to illicit activities.

DNS hijacking is also used for phishing attacks that are largely invisible to users. In this case the rogue DNS server resolves the domain name of the targeted site to a web server controlled by the threat actor, so the browser’s address bar still shows the legitimate domain name. A site served over HTTPS will still produce a certificate warning, but that protection only holds if the victim does not click through it and does not reach the site over plain HTTP. A recent DNS hijacking campaign targeting Brazilian banks was documented by Radware researchers.

Why was Google Cloud Platform used?

Being a large cloud service provider, dealing with abuse is an ongoing process for Google. However, unlike its competitors, Google makes it very easy for miscreants to abuse its platform.

Anyone with a Google account can access a “Google Cloud Shell” machine by simply visiting this URL. This service provides users with the equivalent of a Linux VPS with root privileges directly in a web browser, with no payment details or identity verification required. Due to the ephemeral nature of these virtual machines, coupled with Google’s slow response time to abuse reports, it’s difficult to prevent this kind of malicious behavior.

IOCs

Exploit Attempt Source IPs

35.190.238.77

35.221.201.149

35.229.230.36

35.221.98.121

35.235.106.76

35.240.128.42

35.190.195.236

Rogue DNS Servers

66.70.173.48

144.217.191.145

195.128.126.165

195.128.124.131

Exploit Attempts

/action?dns_status=1&dns_poll_timeout=2&id=57&dns_server_ip_1=195&dns_server_ip_2=128&dns_server_ip_3=126&dns_server_ip_4=165&priority=1&cmdadd=add

/boafrm/formbasetcpipsetup?dnsmode=dnsmanual&dns1=195.128.126.165&dns2=195.128.124.131&dns3=195.128.124.131&dnsrefresh=1

/dnscfg.cgi?dnsPrimary=195.128.126.165&dnsSecondary=195.128.124.131&dnsDynamic=0&dnsRefresh=1

/form2dns.cgi?dnsmode=1&dns1=195.128.126.165&dns2=195.128.124.131&dns3=&submit.htm?dns.htm=send&save=apply

/wan_dns.asp?go=wan_dns.asp&reboottag=&dsen=1&dnsen=on&ds1=195.128.126.165&ds2=195.128.124.131

/dnscfg.cgi?dnsPrimary=144.217.191.145&dnsSecondary=144.217.191.145&dnsDynamic=0&dnsRefresh=1

/dnscfg.cgi?dnsPrimary=66.70.173.48&dnsSecondary=66.70.173.48&dnsDynamic=0&dnsRefresh=1
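The request paths above are the whole exploit, so they are also the easiest thing to alert on. The following script is an added example written for this page (it is not Bad Packets’ honeypot code): it parses web-server access-log lines, recognises the five DNS-change endpoints from the IOC list, normalises each endpoint’s own parameter scheme (dnsPrimary/dnsSecondary, dns1..dns3, ds1/ds2, and the one-octet-per-parameter form used by /action) into a list of resolver IPs, and flags any request that tries to install one of the rogue resolvers named on this page. The Apache-style log format and the sample log lines are assumptions; the sample lines are constructed, with documentation-range source addresses, and only the request URIs and resolver IPs are taken from the IOC list.

```python
"""Pull attempted DNS-server changes out of honeypot/router access logs.

Added example, not code from the original post. Assumes an Apache/nginx-style
access log (one request per line); the sample log below is constructed.
"""
import re
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

# Rogue resolvers named on this page (IOC list plus the two from the 2019-04-05 update).
ROGUE_DNS = frozenset({
    "66.70.173.48", "144.217.191.145",
    "195.128.126.165", "195.128.124.131",
    "195.128.124.150", "195.128.124.181",
})

# DNS-change endpoints seen in the campaign, mapped to the (lower-cased) query
# keys that carry a resolver address. /action is special: one octet per key.
DNS_ENDPOINTS = {
    "/dnscfg.cgi": ("dnsprimary", "dnssecondary"),
    "/boafrm/formbasetcpipsetup": ("dns1", "dns2", "dns3"),
    "/form2dns.cgi": ("dns1", "dns2", "dns3"),
    "/wan_dns.asp": ("ds1", "ds2"),
    "/action": ("dns_server_ip_1", "dns_server_ip_2", "dns_server_ip_3", "dns_server_ip_4"),
}

# Common/combined log format: "<src> - - [time] "GET <uri> HTTP/1.1" ..." (assumed)
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (?P<uri>\S+) HTTP/[\d.]+"'
)


def _is_ipv4(text):
    """True only for a syntactically valid IPv4 literal (blank/partial values are rejected)."""
    try:
        return ip_address(text).version == 4
    except ValueError:
        return False


def extract_dns_servers(uri):
    """Return the resolver IPs a request tries to install, or [] if it is not a
    recognised DNS-change request. Order is preserved; blanks and repeats are dropped."""
    parts = urlsplit(uri)
    path = parts.path.lower()
    keys = DNS_ENDPOINTS.get(path)
    if keys is None:
        return []
    # Lower-case keys so dnsPrimary and dnsprimary are treated alike; keep blank values
    # so an empty dns3= does not shift anything.
    params = {k.lower(): v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    values = [params.get(k, "") for k in keys]
    if path == "/action":
        # /action?dns_server_ip_1=195&dns_server_ip_2=128&... -> "195.128.126.165"
        candidate = ".".join(values)
        return [candidate] if _is_ipv4(candidate) else []
    seen, servers = set(), []
    for v in values:
        if _is_ipv4(v) and v not in seen:   # primary == secondary is common in the IOCs
            seen.add(v)
            servers.append(v)
    return servers


def scan_log(lines):
    """Return one finding per DNS-change attempt: source IP, endpoint, resolvers,
    and whether any resolver is a known rogue one. Unknown resolvers are still
    reported, since a new campaign will use new servers."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        servers = extract_dns_servers(m.group("uri"))
        if not servers:
            continue
        findings.append({
            "src": m.group("src"),
            "endpoint": urlsplit(m.group("uri")).path,
            "dns_servers": servers,
            "known_rogue": any(s in ROGUE_DNS for s in servers),
        })
    return findings


# Constructed sample log (not real honeypot data). Source IPs are documentation
# addresses; the request URIs are taken from the IOC list on this page.
SAMPLE_LOG = [
    '198.51.100.10 - - [26/Mar/2019:02:11:09 +0000] "GET / HTTP/1.1" 200 -',
    '198.51.100.10 - - [26/Mar/2019:02:11:10 +0000] "GET /dnscfg.cgi?dnsPrimary=195.128.126.165&dnsSecondary=195.128.124.131&dnsDynamic=0&dnsRefresh=1 HTTP/1.1" 200 -',
    '198.51.100.10 - - [26/Mar/2019:02:11:11 +0000] "GET /action?dns_status=1&dns_poll_timeout=2&id=57&dns_server_ip_1=195&dns_server_ip_2=128&dns_server_ip_3=126&dns_server_ip_4=165&priority=1&cmdadd=add HTTP/1.1" 200 -',
    '203.0.113.7 - - [26/Mar/2019:02:15:00 +0000] "GET /wan_dns.asp?go=wan_dns.asp&reboottag=&dsen=1&dnsen=on&ds1=192.0.2.53&ds2= HTTP/1.1" 200 -',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "ROGUE" if f["known_rogue"] else "unknown"
        print(f'{f["src"]} -> {f["endpoint"]} sets DNS {f["dns_servers"]} [{flag}]')
```

The same `extract_dns_servers` check works on IDS/proxy logs and on the router’s own syslog if it records request URIs; because the /action form splits the address into four parameters, a naive grep for the rogue IP would miss that variant, which is why the parser reassembles it. The last sample line shows a request that installs a resolver not on the IOC list; it is reported as unknown rather than dropped, since the endpoint being hit is abnormal regardless of the address.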

Closing Remarks

In general, we recommend that users keep their home router firmware up to date. When security vulnerabilities are discovered, they are usually patched by the manufacturer to mitigate further attacks. It’s also advisable to review your router’s DNS settings to ensure they haven’t been tampered with: typically your DNS servers should be set to the ones provided by your ISP or to well-known public DNS resolvers, and any address you don’t recognize (in particular one from the IOC list above) should be reverted before updating the firmware. Finally, do not expose the router’s web interface to the internet; every device hit in this campaign was reachable on 80, 81, 82 or 8080/tcp from the WAN side.

As always, follow us on Twitter for the latest emerging threats and botnet trends.

Update 2019-04-05:

Ixia researchers posted their findings on the DNS hijacking attacks originating from Google Cloud Platform. They found sites targeted for phishing included Netflix, PayPal, Uber, Gmail, and more.

We’ve been tracking the DNS hijacking attacks reported by @bad_packets yesterday. Here’s an updated list of targeted domains, along with the new IP hosting the phishing sites. Paypal, Google, Netflix are targeted, along with Brazilian banks and hosting services. HT @_mihaiv_ pic.twitter.com/C4tym5dN3H — Stefan Tanase (@stefant) April 5, 2019

They’ve also identified additional rogue DNS servers, again hosted by Inoventica Services in Russia:

195.128.124.150

195.128.124.181

A Google spokesperson provided the following statement to Ars Technica in regards to the abuse of Google Cloud Platform to conduct the DNS hijacking attacks:

Update 2019-04-23:

Our honeypots have detected a fourth wave of DNS hijacking attacks, again coming from a Google Cloud Platform host.

⚠️ WARNING ⚠️

Unauthenticated Remote DNS Change (Hijack) Detected

Source IP: 35.229.230.36 (@googlecloud) 🇺🇸

Exploit Target: Multiple

Ports Targeted: Multiple

Recon Scan Type: Masscan

Rogue DNS servers: 195.128.124.131 & 195.128.126.165 (AS47196) 🇷🇺 pic.twitter.com/t1AtWB4Xai — Bad Packets Report (@bad_packets) April 23, 2019

Update 2019-04-26:

Our honeypots have detected a fifth wave of DNS hijacking attacks, yet again originating from a Google Cloud Platform host.

⚠️ WARNING ⚠️

Remote DNS Change Exploit (Hijack) Detected

Source IP: 35.203.116.212 (@googlecloud) 🇺🇸

Exploit target: Multiple router models

Ports targeted: 80/tcp, 82/tcp

Recon scan type: Masscan

Rogue DNS servers: 195.128.124.131 & 195.128.126.165 (AS47196) 🇷🇺 pic.twitter.com/0KS06P5Y84 — Bad Packets Report (@bad_packets) April 26, 2019

Update 2019-04-28:

Our honeypots have detected a sixth wave of DNS hijacking exploit attempts, originating from a Google Cloud Platform host.

⚠️ WARNING ⚠️

Remote DNS Change Exploit (Hijack) Detected

Source IP: 35.244.0.31 (@googlecloud) 🇺🇸

Exploit target: Multiple router models

Ports targeted: 8080/tcp

Recon scan type: Masscan

Rogue DNS servers: 195.128.124.131 & 195.128.126.165 (AS47196) 🇷🇺 pic.twitter.com/atIJ1o6fbs — Bad Packets Report (@bad_packets) April 28, 2019

Update 2019-04-30:

Our honeypots have detected a seventh wave of DNS hijacking exploit attempts, originating from a Google Cloud Platform host.

⚠️ WARNING ⚠️

Remote DNS Change Exploit (Hijack) Detected

Source IP: 35.227.161.36 (@googlecloud) 🇺🇸

Exploit target: Multiple router models

Port targeted: 8080/tcp

Recon scan type: Masscan

Rogue DNS servers: 195.128.124.131 & 195.128.126.165 (AS47196) 🇷🇺 pic.twitter.com/qpKIxwZhFA — Bad Packets Report (@bad_packets) April 30, 2019