Crooks continue to launch Coronavirus-themed attacks. In the last few weeks, experts observed hackers hijacking D-Link and Linksys routers to redirect users to COVID-19-themed sites spreading malware.
Hackers compromise D-Link and Linksys routers and change their DNS settings to redirect users to bogus sites offering a fake COVID-19 information app purporting to come from the World Health Organization. In some cases, users were infected with the Oski information-stealing malware. The alarming trend was reported by BleepingComputer researchers and security firm Bitdefender.
“For the past five days, people have been reporting their web browser would open on its own and display a message prompting them to download a ‘COVID-19 Inform App’ that was allegedly from the World Health Organization (WHO),” reported BleepingComputer.
“After further research, it was determined that these alerts were being caused by an attack that changed the DNS servers configured on their home D-Link or Linksys routers to use DNS servers operated by the attackers.”
Experts believe hackers are launching brute-force attacks against the routers and then changing the default DNS server settings to point the devices to servers under their control.
Every time users attempt to visit a site that is included in a list of domains targeted by the hackers, they are redirected to a site urging them to install a COVID-19 information app.
The hacking campaigns were also detailed by researchers at Bitdefender in late March.
Bitdefender’s telemetry showed that the attacks started on March 18th, with a peak in activity on March 23rd.
Bitdefender telemetry revealed that most of the victims are in Germany, France, and the United States (over 73 percent of the total); these countries are also among those most impacted by the pandemic.
At the end of March, Linksys issued a security alert warning users of the ongoing attacks and urging them to reset their passwords.
“In analyzing our cloud traffic patterns, we believe there is a coordinated effort to maliciously access and modify Linksys Smart Wi-Fi Accounts using credentials stolen from other websites. Although we have taken additional steps in the cloud to combat these attempts, out of an abundance of caution, we would like all Linksys Smart Wi-Fi users to reset their passwords,” reads the advisory published by the vendor.
Users will be prompted to reset their passwords the next time they log in. The company also recommends that users check the router’s DNS settings, make sure their antivirus/anti-malware solutions are up to date, and run a full scan.
“When you change your password, we will check your DNS settings, which were the target of this attack. If those settings were altered, we will fix them for you. It would also be a good idea to restart computers and mobile devices that have been connected to your network,” states Linksys.
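The DNS check recommended above can also be done from a client on the network. The following Python sketch is an added example, not code from Linksys, Bitdefender or BleepingComputer: it flags resolvers handed out by the router that are not on an allowlist you chose, and flags IPs that the local resolver returns for several unrelated domains when a trusted resolver does not. The function names, the allowlist and all sample addresses (documentation ranges) are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

def parse_nameservers(resolv_conf_text):
    """Return the resolver IPs listed in resolv.conf-style text."""
    servers = []
    for line in resolv_conf_text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # ignore malformed entries
    return servers

def unexpected_resolvers(servers, allowlist):
    """Resolvers in use that are not ones the network owner chose."""
    allowed = {str(ipaddress.ip_address(a)) for a in allowlist}
    return [s for s in servers if s not in allowed]

def shared_redirect_ips(local_answers, trusted_answers, min_domains=2):
    """IPs the local resolver gives for several unrelated domains that a
    trusted resolver does not give for those domains (redirect pattern)."""
    domains_by_ip = defaultdict(set)
    for domain, ips in local_answers.items():
        for ip in ips:
            if ip not in trusted_answers.get(domain, set()):
                domains_by_ip[ip].add(domain)
    return {ip: sorted(d) for ip, d in domains_by_ip.items()
            if len(d) >= min_domains}

# Constructed sample data (documentation address ranges, not real indicators).
SAMPLE_RESOLV = """# pushed by DHCP from the router
nameserver 203.0.113.53
nameserver 192.168.1.1
"""
SAMPLE_LOCAL = {                       # answers via the router-supplied resolver
    "example.com": {"198.51.100.7"},
    "example.org": {"198.51.100.7"},
    "example.net": {"192.0.2.30"},
}
SAMPLE_TRUSTED = {                     # answers via a resolver you trust
    "example.com": {"192.0.2.10"},
    "example.org": {"192.0.2.20"},
    "example.net": {"192.0.2.30", "192.0.2.31"},
}

if __name__ == "__main__":
    print(unexpected_resolvers(parse_nameservers(SAMPLE_RESOLV), ["192.168.1.1"]))
    print(shared_redirect_ips(SAMPLE_LOCAL, SAMPLE_TRUSTED))
```

Many routers hand out their own LAN address as the resolver and forward queries upstream, so a clean resolver list on the client does not clear the router; the answer comparison and the router's own admin page cover that case. CDN-hosted domains legitimately return different IPs per resolver, which is why the second check only reports an IP shared across multiple domains.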
(SecurityAffairs – Linksys, hacking)