Hackers Infected Over 100,000 Home Routers in Brazil: Why Target Brazilians?

According to reports, Brazilian users have been experiencing a new type of router attack that has not been seen anywhere else in the world. The worst thing about this attack is that it can lead to direct financial losses for hacked users. The attacks started last summer and were first observed by cybersecurity firm Radware and, a month later, by security researchers from Netlab. Both companies explained how the hacker group had infected over 100,000 home routers in Brazil and was altering their DNS settings. Let's take a look at the story in detail.

Radware and Netlab researchers explain how hackers infected over 100,000 home routers in Brazil

When Radware and Netlab described the incident, they explained that the modifications made to these routers redirected affected users to malicious websites whenever they tried to visit the e-banking sites of certain Brazilian banks.

Similar router attacks were seen a few months later by threat intel firm Bad Packets, which described another wave of attacks, this time primarily against D-Link routers that were also hosted on Brazilian ISPs. In that wave too, the hackers redirected targeted users to phishing websites to collect their credentials.

Avast published a report this week explaining that these attacks haven't stopped. According to the company, in the first half of 2019 hackers infected and modified the DNS settings of over 180,000 Brazilian routers. A number of security research teams are working to resolve this issue as soon as possible.

More about the Brazilian router attacks: how does the hack take place?

According to Avast security researchers David Jusa and Alexej Savcin, most Brazilian users have their home routers hacked while visiting sports, movie and adult websites. The hackers track their online activity and place malicious ads on the sites they want to visit.

On these websites, the misleading ads run special code inside users' browsers to search for and detect the IP address of the home router, the router's model and details about the device. Once the router's IP and model are detected, the malicious ads use a list of default usernames and passwords to log into users' devices without their permission. If the attack is successful, additional malicious code delivered via the ads modifies the default DNS settings on the users' routers, replacing the DNS server IP address with an IP address managed by the hackers.
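A defender-side check for the two conditions this attack depends on, a factory-default router login and a replaced DNS server address. This is an added example, not code from Avast or from the original article; the key=value settings export, the setting names and the trusted resolver list are assumptions.

```python
import ipaddress

# Constructed short list of factory-default logins; extend it from vendor docs.
DEFAULT_LOGINS = {("admin", "admin"), ("admin", "password"), ("admin", ""), ("root", "root")}

# Resolvers this household expects: well-known public resolvers plus a
# hypothetical ISP resolver range (198.51.100.0/24 is a documentation range).
TRUSTED_RESOLVERS = [ipaddress.ip_network(n) for n in
                     ("1.1.1.1/32", "8.8.8.8/32", "9.9.9.9/32", "198.51.100.0/24")]

def parse_settings(text):
    """Parse 'key=value' lines from a router settings export (format assumed)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings

def audit_router(text):
    """Return findings for the two weaknesses the attack relies on."""
    s = parse_settings(text)
    findings = []
    if (s.get("admin_user", ""), s.get("admin_password", "")) in DEFAULT_LOGINS:
        findings.append("default-credentials")
    for key in ("dns1", "dns2"):
        value = s.get(key)
        if not value:
            continue
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            findings.append(f"{key}:unparseable:{value}")
            continue
        # Any resolver outside the expected set is treated as a possible hijack.
        if not any(addr in net for net in TRUSTED_RESOLVERS):
            findings.append(f"{key}:untrusted-resolver:{addr}")
    return findings

# Constructed sample exports (addresses come from documentation ranges).
HIJACKED = "admin_user=admin\nadmin_password=admin\ndns1=203.0.113.66\ndns2=8.8.8.8\n"
CLEAN = "admin_user=owner\nadmin_password=c0rrect-horse-battery\ndns1=198.51.100.53\ndns2=1.1.1.1\n"

if __name__ == "__main__":
    for name, export in (("hijacked", HIJACKED), ("clean", CLEAN)):
        print(name, audit_router(export))
```

A resolver flagged as untrusted is only a prompt to check the router's DNS page by hand, since the trusted list has to match what the ISP actually hands out.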

Cybercriminals use the SonarDNS, GhostDNS and Novidade hacking tools for this purpose

On further investigation, Avast researchers found that the hackers have been using two special kits, GhostDNS and SonarDNS, for these attacks. GhostDNS was first spotted last summer. Novidade is a variant of GhostDNS which has infected Avast users' routers over 2.6 million times in February. It was spread via a malware campaign.

“is very popular in the Brazilian underground hacking scene and some of its variants belong to the most active exploit kits targeting Brazilian routers in 2019. The GhostDNS variant Novidade attempted to infect Avast users’ routers over 2.6 million times in February alone and was spread via three campaigns. According to Netlab360, GhostDNS consists of a complex system with a phishing web system, web admin system, and rogue DNS system.”

The second is SonarDNS, a new botnet for which the hackers appear to have repurposed a penetration testing framework named Sonar.js as the backbone of their infrastructure. According to Avast researchers, Sonar.js is perfect for router attacks. This malicious JavaScript file is used by the attackers to identify and launch exploits against internal network hosts, and can target a device with just a few lines of code.

However, it is still unknown why the attackers have not yet expanded to targeting routers outside Brazil. Security researchers advise users to keep their credentials safe from bad actors and never share personal details with anyone. We are following the matter closely and will definitely post an update if anything new comes up. For any suggestions or queries, please write in the comment box below.
