An ongoing cyber-attack has affected millions of Internet users’ computers in Brazil by exploiting vulnerabilities in their DSL modems, a security researcher said.
Kaspersky Lab researcher Fabio Assolini detailed the attack last week at the Virus Bulletin conference which was held Sept. 26 to 28 in Dallas. According to Assolini, attacks have been underway since at least 2011 and have flown largely under the radar even as countless users have been redirected to malicious Websites.
“All too often network equipment devices are forgotten—once installed and configured, most users or businesses do not worry about applying firmware updates provided by manufacturers,” he blogged. “Even the simplest failure can affect thousands of users, who are silently attacked and prompted to inadvertently install malware or steered into phishing domains.”
“Without much fanfare, a vulnerability showing a flaw in a specific modem was revealed in March 2011,” he continued. “That failure allowed remote access to a DSL modem model. No one knows exactly when criminals began exploiting it remotely. The flaw allows a Cross Site Request Forgery (CSRF) to be performed in the administration panel of the DSL modem, capturing the password set on the device and allowing the attacker to make changes, usually in the DNS servers.”
The problem is not related to a particular model or manufacturer, but is instead tied to the chipset driver that performs the main functions of the equipment and is bought by modem manufacturers who use it in consumer products, he explained. Kaspersky Lab would not publish the names of the vendors and models affected, but told eWEEK that the affected vendors are all aware of the problem.
“All the affected devices have in common a Broadcom chipset, used by several manufacturers, including modems approved by the National Telecommunications Agency of the Brazilian government and sold in Brazil,” he blogged. “Interestingly not all devices using Broadcom chips have this problem, but there is no precise data about which versions and equipment are affected.”
Cyber-criminals used to bash scripts executed in a dedicated server to search the Web for exposed modems. Whenever the attackers found a vulnerable modem, they attempted to exploit the flaw. To help with the attack, the cyber-criminals set up 40 malicious DNS servers on different hosting services. There were recorded attacks on DSL modems from six manufacturers, five of which are widely marketed in Brazil, he explained. He noted that in March CERT Brazil said the attacks had compromised about 4.5 million modems. Some 300,000 of those modems were still compromised as of March.
“The first thing users may have noticed is that they would visit legitimate Websites such as Google, Facebook and Orkut (a Google social network which is particularly popular in Brazil) and would be prompted to install software,” blogged Graham Cluley, senior technology consultant with Sophos.
“The end result is that many Brazilian users downloaded code, mistakenly believing they were from websites they trusted, including: br.msn.com/ChromeSetup.exe; facebook.com.br/ChromeSetup.exe; facebook.com/ChromeSetup.exe; facebook.com.br/Activex_Components.exe; and many more,” he continued.
“In some cases, the attackers didn’t even have to use such social engineering to trick users into installing the software,” Cluley added. The attackers simply exploited Java vulnerabilities to plant malicious code that was stealthily downloaded onto unwitting victims’ computers from what should have been the trustworthy Websites they normally visited, Cluley added.
According to Assolini, there is not much users can do to avoid this kind of attack beyond using strong passwords, checking their security settings and updating their firmware when patches are available.
“The rest,” he wrote, “is squarely in the hands of the vendors—the only people who can change the devices’ designs.”