Kaspersky researcher Fabio Assolini reports that a vulnerability in Brazilian Internet users’ DSL modems was recently exploited as part of a “sustained and silent mass attack.”
“Assolini described how at some Brazilian ISPs, more than 50 percent of users were reported to have been affected by the attack,” Infosecurity reports. “After the six manufacturers affected issued firmware updates to plug the security hole, the number of compromised modems decreased. However, some 300,000 modems are still thought to be controlled by attackers.”
“The CSRF (cross-site request forgery) vulnerability allowed attackers to use a simple script to steal passwords required to remotely log in to and control the devices,” writes Ars Technica’s Dan Goodin. “The attackers then configured the modems to use malicious domain name system servers that caused users trying to visit popular websites to instead connect to booby-trapped imposter sites.”
“Cleverly, the attackers left the secondary ISP-defined DNS server untouched, which allowed them to launch attacks using the rogue primary DNS for only short periods in a day as a way of avoiding drawing attention to what was going on,” writes Techworld’s John E. Dunn. “The result? The attackers were able to install malware, intercept online bank logins, or simply redirect users to bogus Facebook, Google and Orkut phishing pages. A single log on one of the malicious DNS servers examined after the attack was rumbled showed 14,000 victims.”
“The country’s cyber emergency and response team (CERT) estimated that roughly 4.5 million modems had been compromised as of March this year,” writes iTnews’ Juha Saarinen.
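Because the rogue primary DNS server reportedly answered maliciously for only short periods each day while the ISP's secondary stayed in place, spot-checking what a modem resolves can miss the compromise; auditing the configured resolvers is more reliable. The following is an added example, not code from any of the reports quoted above. The resolver range, modem IDs and addresses are constructed (documentation address ranges), and the record layout is an assumed export format.

```python
import ipaddress

# Assumption: the resolver range the ISP actually provisions (constructed).
ISP_RESOLVERS = [ipaddress.ip_network("198.51.100.0/28")]

# Constructed sample of modem DNS settings; "dns" lists primary first.
SAMPLE_MODEMS = [
    {"id": "modem-a", "dns": ["198.51.100.1", "198.51.100.2"]},
    {"id": "modem-b", "dns": ["203.0.113.66", "198.51.100.2"]},
    {"id": "modem-c", "dns": ["203.0.113.66", "203.0.113.67"]},
    {"id": "modem-d", "dns": ["not-an-ip", "198.51.100.2"]},
    {"id": "modem-e", "dns": []},
]


def is_isp_resolver(addr):
    """True only if addr parses as an IP inside a provisioned resolver range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # malformed entries are never trusted
    return any(ip in net for net in ISP_RESOLVERS)


def classify(modem):
    """Label one modem's DNS configuration."""
    dns = modem.get("dns") or []
    if not dns:
        return "no-dns"
    trusted = [is_isp_resolver(a) for a in dns]
    if all(trusted):
        return "ok"
    # The pattern from the reports: primary changed, ISP secondary left
    # intact. A healthy secondary does not make the device clean.
    if not trusted[0] and any(trusted[1:]):
        return "primary-replaced"
    return "unexpected-resolver"


def audit(modems):
    """Return {modem id: finding} for every modem that is not 'ok'."""
    findings = {m["id"]: classify(m) for m in modems}
    return {mid: f for mid, f in findings.items() if f != "ok"}


if __name__ == "__main__":
    for modem_id, finding in audit(SAMPLE_MODEMS).items():
        print(f"{modem_id}: {finding}")
```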