Novidade exploit kit poses a new threat for SOHO and home routers

• Novidade attacks affected millions of routers, primarily in Brazil, and to a minor extent, across the rest of the world.
• Attackers aim to steal banking information by redirecting victims to cloned bank login pages.

Routers are an essential component of the Internet infrastructure in homes and offices all across the world. Attackers often target home and office routers to steal banking information and other online credentials of Internet users.

In a new revelation by Trend Micro, a new exploit kit named Novidade has been identified in attacks targeting millions of routers, primarily in Brazil, and to a minor degree, across the rest of the world.

The goal of these attacks is to steal victims’ banking information by redirecting them to fake versions of bank login pages when they try to access their bank’s website. The attackers achieve this by configuring the Domain Name Service (DNS) settings on routers via Cross-site Request Forgery (CSRF) attacks. This allows the attackers to hijack all the traffic passing through it and allows them to redirect the victims to malicious sites.

According to Trend Micro, the attack campaign might have begun in August 2017. It is estimated that it just one Novidade campaign, which began in March 2018, may have affected 24 million routers. Since some of the campaigns did not have a specific geographical target, researchers believe that either the campaign may be growing or more threat actors may be using the exploit kit.

How did the attackers operate?

Trend Micro reported that the attackers used several techniques including malvertising, and website injections to distribute the Novidade. One of the techniques was getting the users to fill out a survey from a link sent on messaging apps. The topic of the survey was set in relation to the 2018 Brazilian presidential elections, thus making it a great lure for the recipients to click on the survey link. It also incentivized users to share the survey with 30 other people, to view the results of the survey.

Researchers found three variants of Novidade, starting from the one detected back in August 2017. All three variants were delivered in the same way but the newer versions added abilities to detect local IP addresses and a refined obfuscation technique, making the exploit kit more difficult to detect.

Some of the router models affected by Novidade were listed by Trend Micro in their report. Netlab 360 also published some of the models in their earlier blog post about GhostDNS.

These include:

• A-Link WL54AP3 / WL54AP2 (CVE-2008-6823)
• D-Link DSL-2740R
• D-Link DIR 905L
• Medialink MWN-WAPR300 (CVE-2015-5996)
• Motorola SBG6580
• Realtron
• Roteador GWR-120
• Secutech RiS-11/RiS-22/RiS-33 (CVE-2018-10080)
• TP-Link TL-WR340G / TL-WR340GD
• TP-Link WR1043ND V1 (CVE-2013-2645)

How to protect against this attack?

Routers have increasingly become a major target for cybercriminals, due to vulnerabilities in communication protocols, flaws in router software, and weak authentication. Distributed Denial of Service (DDoS), brute force and botnet attacks are among the most common attacks targeting routers.

As in the case of any router-based attack, there are a few common best security practices that all users should follow to avoid falling victim to such attacks.

• Upgrade the router’s firmware to the latest available version.
• Change the default username and password combination to a unique username and a strong password.
• Change the router’s default IP address and disable remote access features.
• Always check if a sensitive website you visit is using an HTTPS connection for better security.

Internet users need to take better precautions in securing their routers considering the increasing number of such attacks on home and office routers. A couple of such recent campaigns include the one reported by Radware in August 2018, and another attack using VPNFilter, warned against by the FBI, in May 2018.