itman 1,538 Posted March 24, 2020 (edited)

Quote

A new cyber attack is hijacking routers' DNS settings so that web browsers display alerts for a fake COVID-19 information app from the World Health Organization that is the Vidar information-stealing malware.

For the past five days, people have been reporting that their web browser would open on its own and display a message prompting them to download a 'COVID-19 Inform App' that was allegedly from the World Health Organization (WHO).

After further research, it was determined that these alerts were being caused by an attack that changed the DNS servers configured on their home D-Link or Linksys routers to use DNS servers operated by the attackers.

As most computers use the IP address and DNS information provided by their router, the malicious DNS servers were redirecting victims to malicious content under the attacker's control.

[Figure: Hijack Windows NCSI active probes]

At this time, it is not known how the attackers are gaining access to the routers to change their DNS configuration, but some users state that they had remote access to the router enabled with a weak admin password.

https://www.bleepingcomputer.com/news/security/hackers-hijack-routers-dns-to-spread-malicious-covid-19-apps/

Bottom line - if you allow remote access to your router, you must secure it with a strong admin password.

Edited March 24, 2020 by itman
itman 1,538 Posted March 25, 2020 (Author)

Comment from the above posted link article site:

Quote

I had this happen to me. I'm a pretty tech savvy guy, and this totally caught me by surprise. I figured it was a DNS hijack, which I've seen many times helping other people with their computer issues. Anytime I've seen a DNS hijack, it was because someone unknowingly downloaded malware that changed the DNS server in the network settings on the computer. So I checked my network properties and saw that my DNS was unchanged. Then the message popped up on my wife's PC. So we scanned for malware on both machines and it came back clean. Puzzled, I grabbed a live Linux flash drive and booted it up. As soon as I did, I saw the message about needing to sign in to connect to the internet, and immediately the COVID-19 APP window popped. That's when I knew it wasn't malware on my PCs, but something affecting my entire network. So I started searching around the internet and found this article. Logged into my router, and sure enough, the very IPs listed here were in my router. Fortunately I was never foolish enough to click the "download" button on the popup window. My router is an older Linksys. Maybe since it's older and hasn't had a firmware update in a few years there is an unaddressed vulnerability? I'm VERY tempted to just go out and buy a new router...

Time to ensure your router's firmware is updated to the latest version if it's a D-Link or Linksys router.
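The two posts above describe the same symptom from two angles: the router hands every client rogue DNS servers via DHCP, and Windows then opens its "sign in to network" page because the NCSI connectivity probe no longer gets the answer it expects. The script below is an added example (not from this thread, the forum, or the BleepingComputer article) of the check a user in that situation can run without trusting any one machine: paste in the output of `ipconfig /all` (Windows) or `/etc/resolv.conf` (the live Linux USB in the second post), and it flags any resolver that is neither on your LAN nor in a list of public resolvers you configured yourself. The trusted-resolver set, the sample `ipconfig` text, and the 203.0.113.7 address are all constructed for illustration; the NCSI probe body is the real one Windows expects.

```python
"""Added example: spot DHCP-handed rogue DNS resolvers and a failed NCSI probe.
Sample data in this file is constructed; adjust TRUSTED_PUBLIC_RESOLVERS to
the resolvers you actually configured."""
import ipaddress
import re

# Public resolvers you deliberately use (assumption: edit to your own setup).
TRUSTED_PUBLIC_RESOLVERS = {
    "1.1.1.1", "1.0.0.1",          # Cloudflare
    "8.8.8.8", "8.8.4.4",          # Google
    "9.9.9.9", "149.112.112.112",  # Quad9
}

# Resolvers inside these ranges are your own router/LAN and are accepted.
# Listed explicitly rather than via ip.is_private so that documentation
# ranges such as 203.0.113.0/24 are NOT silently treated as trusted.
LAN_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Body Windows NCSI expects from http://www.msftconnecttest.com/connecttest.txt.
# Anything else means the probe was answered by someone other than Microsoft
# (e.g. via hijacked DNS) and Windows opens the captive-portal browser window.
NCSI_EXPECTED_BODY = "Microsoft Connect Test"

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_dns_servers(config_text: str) -> list[str]:
    """Pull DNS server addresses out of `ipconfig /all` or resolv.conf text."""
    servers: list[str] = []
    lines = config_text.splitlines()
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.lower().startswith("nameserver"):
            # resolv.conf style: "nameserver 192.168.1.1"
            servers.extend(_IPV4.findall(stripped))
        elif "DNS Servers" in stripped:
            # ipconfig style: first address after the colon, further
            # addresses on indented continuation lines without a colon
            servers.extend(_IPV4.findall(stripped.split(":", 1)[1]))
            for cont in lines[i + 1:]:
                if ":" in cont or not _IPV4.search(cont):
                    break
                servers.extend(_IPV4.findall(cont))
    return list(dict.fromkeys(servers))  # de-duplicate, keep order


def suspicious_resolvers(servers: list[str]) -> list[str]:
    """Resolvers that are neither on your LAN nor in your trusted public set."""
    bad = []
    for s in servers:
        ip = ipaddress.ip_address(s)
        if any(ip in net for net in LAN_NETWORKS) or s in TRUSTED_PUBLIC_RESOLVERS:
            continue
        bad.append(s)
    return bad


def ncsi_probe_ok(body: str) -> bool:
    """True if an NCSI probe response body is the genuine Microsoft one."""
    return body.strip() == NCSI_EXPECTED_BODY


# Constructed sample: a hijacked router handing out its own address plus a
# rogue second resolver (203.0.113.7 is a documentation address, not a real
# attacker IP).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : lan
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.7
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    found = extract_dns_servers(SAMPLE_IPCONFIG)
    print("resolvers:", found)
    print("suspicious:", suspicious_resolvers(found))
    print("NCSI ok:", ncsi_probe_ok("<html>COVID-19 Inform App</html>"))
```

Run it on real output and treat any address in the "suspicious" list as a reason to log into the router and inspect its WAN DNS settings; the router's own LAN address appearing as resolver is normal, since most home routers forward queries upstream, which is exactly why changing the upstream servers on the router hijacks every client at once.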
itman 1,538 Posted March 30, 2020 (Author)

https://www.us-cert.gov/ncas/bulletins/sb20-090