Hackers Hijack Routers to Spread Malware Via Coronavirus Apps

kltaylor Moderator, Beta Tester Posts: 1,191
1000 Comments 500 Likes 50 Answers 100 Awesomes

The router DNS hijacking attacks have targeted more than a thousand victims with the Oski info-stealing malware.

Cybercriminals are hijacking routers and changing Domain Name System (DNS) settings, in order to redirect victims to attacker controlled sites promoting fake coronavirus information apps. If victims download these apps, they are infected with information-stealing Oski malware.

This latest attack shows that hackers are becoming more creative in how they leverage the coronavirus pandemic. And it appears to be working – researchers believe that at least 1,193 victims have been targeted by this cyberattack over just the past couple of days. Reports of the hacks began on March 18, and have since skyrocketed over the past week, with victims from the U.S., Germany and France being mostly targeted.

“We estimate that the number of victims is likely to grow in the coming weeks, especially if attackers have set up other repositories, whether hosted on Bitbucket or other code repository hosting services, as the Coronavirus pandemic remains a ‘hot topic,’” said Liviu Arsene, with Bitdefender, in a post on Wednesday. “Attackers seem to have been probing the internet for vulnerable routers, managing to compromise them – potentially via bruteforcing passwords – and changing their DNS IP settings.”

To read the entire article, please click on the Source link above.

"There's a fine line between audacity and idiocy."
-Warden Anastasia Luccio, Captain
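
The attack the article describes changes the DNS servers the router hands out, so the quickest thing a home user can check from any PC is which resolvers that PC is actually using. The script below is an added example for this thread, not code from the Threatpost article or from anyone posting here. It reads the resolver list from either a Linux /etc/resolv.conf or the text printed by `ipconfig /all` on Windows, and flags anything that is not the router itself, a resolver you chose on purpose, or a local stub resolver. The gateway address (192.168.0.1) and the "trusted" ISP resolver are placeholders, and every sample input is constructed; TEST-NET documentation addresses stand in for the attacker's resolvers, since the thread never names the real ones.

```python
"""Client-side check for router DNS hijacking.

Added example for this thread, not code from the Threatpost article or from
anyone posting here. In the attack described above the router's DHCP starts
handing clients attacker-controlled DNS resolvers, so the simplest host-side
check is: which resolvers is this machine using, and are they the ones we
expect? The gateway address and the ISP resolver below are placeholders,
and every sample input is constructed (TEST-NET addresses stand in for the
attacker's resolvers; no real IoCs are known from the thread).
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# RFC 1918 ranges: a resolver here is on the LAN, not out on the internet.
LAN_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

RANK = {"ok": 0, "warn": 1, "alert": 2}


@dataclass(frozen=True)
class Finding:
    resolver: str
    severity: str  # "ok", "warn" or "alert"
    reason: str


def extract_resolvers(text: str) -> list[str]:
    """Pull IPv4 resolvers out of /etc/resolv.conf-style text or the text
    printed by `ipconfig /all` on Windows (where extra servers continue on
    indented lines below the "DNS Servers" line)."""
    found: list[str] = []
    continuing = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("nameserver"):
            found += IPV4.findall(stripped)
            continuing = False
        elif "DNS Servers" in stripped:
            found += IPV4.findall(stripped)
            continuing = True
        elif continuing and IPV4.fullmatch(stripped):
            found.append(stripped)
        else:
            continuing = False
    return list(dict.fromkeys(found))  # de-duplicate, keep order


def audit_resolvers(text: str, gateway: str, trusted: list[str]) -> list[Finding]:
    """Classify every configured resolver against what a healthy home
    network should show: the router (gateway) itself, a known ISP/public
    resolver we chose deliberately, or a local stub resolver."""
    gw = ipaddress.ip_address(gateway)
    trusted_ips = {ipaddress.ip_address(t) for t in trusted}
    findings = []
    for r in extract_resolvers(text):
        ip = ipaddress.ip_address(r)
        if ip == gw or ip in trusted_ips:
            findings.append(Finding(r, "ok", "expected resolver"))
        elif ip.is_loopback:
            findings.append(Finding(r, "ok", "local stub resolver"))
        elif any(ip in net for net in LAN_RANGES):
            # A Pi-hole you set up is legitimate; a LAN box you did not is not.
            findings.append(Finding(r, "warn", "LAN host other than the gateway is answering DNS"))
        else:
            findings.append(Finding(r, "alert", "public resolver you did not choose: matches the router DNS-hijack pattern"))
    return findings


def worst(findings: list[Finding]) -> str:
    """Highest severity in the list ("ok" when nothing was found)."""
    return max((f.severity for f in findings), key=RANK.__getitem__, default="ok")


# Constructed sample inputs (not real captures).
SAMPLE_CLEAN_RESOLV_CONF = """\
# Linux box behind a home router, ISP resolver as backup
nameserver 192.168.0.1
nameserver 198.51.100.53
search home.lan
"""

SAMPLE_HIJACKED_IPCONFIG = """\
Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : home.lan
   IPv4 Address. . . . . . . . . . . : 192.168.0.23
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 203.0.113.9
                                       203.0.113.10
"""

GATEWAY = "192.168.0.1"          # placeholder: your router's LAN address
TRUSTED = ["198.51.100.53"]      # placeholder: the ISP/public resolver you chose

if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN_RESOLV_CONF),
                          ("hijacked", SAMPLE_HIJACKED_IPCONFIG)):
        findings = audit_resolvers(sample, GATEWAY, TRUSTED)
        print(f"[{label}] overall: {worst(findings)}")
        for f in findings:
            print(f"  {f.severity:5} {f.resolver:15} {f.reason}")
```

Because a hijacked router distributes the bad resolvers through DHCP, every client on the LAN will show the same "alert" entries, which is a stronger signal than one odd machine. The more direct check is still the router's own admin page: the DNS fields under its DHCP/WAN settings should show your ISP's resolvers or the ones you entered yourself, and anything else there means the router configuration has been changed.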


  • LisaC Member Posts: 3
    First Comment Photogenic

    Omg, does it ever stop? Is it just me, or is security not keeping up with technology?

  • kltaylor Moderator, Beta Tester Posts: 1,191
    1000 Comments 500 Likes 50 Answers 100 Awesomes
    It does kind-of seem that way, doesn't it?
    I think what's happening is that technology and security measures are constantly evolving to combat the various means that hackers want to infiltrate with.  As soon as we (the good guys) find a way to take down one issue, they (the bad guys) figure another way to keep moving.
    Unfortunately, it's not a scenario where being proactive (outside of just being the biggest Big Brother that we could be) with it, it's a factor that we have to wait for their next move in a proverbial chess game so that we know how it works and combat it.
    Stay safe out there, both with you and your security health.
    "There's a fine line between audacity and idiocy."
    -Warden Anastasia Luccio, Captain
  • Bnelms Member Posts: 4
    Photogenic First Comment
    edited April 4

    So what are you saying to do? Check your DNS servers? Wouldn't Fing alert us if a new device came on our router? What are the compromised DNS server IPs? What else could we do to protect ourselves?

  • Idrisap Member Posts: 9
    Name Dropper First Comment Photogenic

    Interesting. Also with my particular hackers, and yes, I've had several at once attempt to hack my router shortly ago.

    Before I list the devices and MACs, let me first say that I have an Arris Surfboard Wi-Fi router, and what I discovered is they are able to exploit the router and obtain the DHCP IP address and from there do their dirty work.

    So no matter what I change the DHCP server IP address to, they are still able to get it within minutes of a drive-by hack attack.

    List of devices being used are as follows: Apple phone MAC address is 5c:1D:D9:29:64:9D. Apple phone B0:48:1A:31:BC:5E, Wi-Fi signal called VFM LOMPOC.

    Next are as follows: Pronet device MAC address is 00:20:4A:E1:86:3C and the 2nd Pronet device is 00:20:4A:C5:CB:57.

    Raspberry Pi, and its MAC address is DC:A6:32:7E:47:80. I think they are either piggybacking off an open port or forcing a port to open.

    What can Fing box do to stop them?

  • Bivent Member Posts: 9
    Name Dropper First Comment
    edited April 17
    Idrisap, if these are drive-by hack attempts into your Wi-Fi, then it sounds like you have problems with your router security.
    I am assuming that you have done the standard things on your router security:
    1. Have changed the username and password to administer the router.
    2. Strong Wi-Fi password that has been changed after you discovered each attack.
    3. Made sure that WPS was disabled.
    4. Using WPA2 at least for encryption.
    5. Checked for software/firmware updates (Arris routers, particularly some of the older models, had known security flaws; search on "Arris surfboard Wi-Fi router : exploits" to see if yours is listed).
    If all above seems OK, I'd look into getting a newer/better router.

  • mmtmmitp Member Posts: 5
    Name Dropper First Comment

    From the limited information I have from your post, it doesn’t sound like you’re changing your password. Are you changing your WiFi password?

    Changing the DHCP settings on their own won’t help if they know your WiFi password, because they can just enter the new password to reconnect to your network.

    A password change would be step one. If you do change your password, make sure security is set to WPA2. Also, make sure that the password isn’t something that can be easily guessed and that a brute force attack won’t be able to crack easily.

    You should also turn off WPS, especially if it uses a PIN instead of requiring you to push a button on the router. A PIN is easier to brute force than a complex password, so leave WPS off.

    Also, it’s a pain to have to do so, but you could try MAC filtering.

    Finally, an absolute last resort is to change your network name and keep your SSID hidden. It makes it more of a pain to connect your own devices, because you'll need to enter your network name and password to access the network, but maybe the extra time needed to determine both the network name and the password will help to discourage people.

  • Idrisap Member Posts: 9
    Name Dropper First Comment Photogenic

    Thank you guys for your feedback. Greatly appreciated. @Bivent & @mmtmmitp, all steps in both your comments I have been taking and continue to practice. When connecting to the admin page via the router, it always states that it's not a secure connection. I believe that this hacker and his hacker buddies would sit out and wait until I connect to the admin page and then intercept my credentials. I will start shopping for a new router and do my research on the one I choose. Any recommendations on a Wi-Fi router with excellent security features? I am open to any suggestions.

    Thank you

  • Bivent Member Posts: 9
    Name Dropper First Comment
    Idrisap, I suggest that you connect to your router as normal, make sure that your computer/laptop is wired to the router, and turn OFF Wi-Fi. Now change the username and password of the router, and the password for the Wi-Fi, before you turn Wi-Fi back on. Restart the router and reconnect your wireless devices. See if this slows them down.
    About a new router, I assume that you already have a modem.
    1. Your internet speed, up and down, to make sure the new router can handle it.
    2. You need to know the size of your house; consider the range of the router or if extenders are required.
    3. How many computers, printers and IoT devices (TVs, doorbells, cameras etc.) are going to connect; some routers have limits on the number of devices they can handle, many are limited to 32 devices. Having isolated guest access is also useful.
    4. What bands your devices are most effective at, 2.4 GHz and/or 5 GHz, and if you want to prepare for Wi-Fi 6. Most modern routers have reasonable to good security.
    5. Security: should have all previously listed options.
    Above may help on your search for a new router.
  • Idrisap Member Posts: 9
    Name Dropper First Comment Photogenic

    I use MAC address filtering also, and I only allowed 2 devices to connect to Wi-Fi. 2 other devices are wired in, which are PS4s.

    I don't broadcast the Wi-Fi name, and I'm only using the 2.4 band; the other is disabled.

    All attacks to my device which I've been alerted to, and running Android 9. Wi-Fi attacks is what I get the most.

    Even at one point I had all Wi-Fi functionality disabled and only used Ethernet, and the hacker was still able to retrieve the DHCP IP address.

    The hack tool he is using is revealing the DHCP IP server address.

    I've searched all throughout the router settings and can't find anything to prevent that from broadcasting, which I'm assuming is by radio.

    Arris Wi-Fi router modem Surfboard with McAfee is what I have, and I believe the router itself was manufactured a year ago or so.

  • mmtmmitp Member Posts: 5
    Name Dropper First Comment

    Just to clarify - do you mean the DNS or DHCP settings?

  • mmtmmitp Member Posts: 5
    Name Dropper First Comment

    Unfortunately, it’ll never stop. Security keeps up as best as it can, but it’ll never be perfect. Someone once said to me that one of the most important things to know about cybersecurity is that the only 100% safe system is the one you don’t build.

  • Bivent Member Posts: 9
    Name Dropper First Comment
    @Idrisap if your hacker is getting through with Wi-Fi turned off as you say, then I doubt that the router is at fault here.
    It is most likely that you have malware on either your computers or your PS4s that gives the hacker access to you and your network either through wired or wireless connection.
    Are your PS4s jailbroken? Do they have the latest firmware versions installed? Have your computers been scanned for malware (not virus scanner)?

  • mmtmmitp Member Posts: 5
    Name Dropper First Comment

    @Bivent good point. I was starting to think along those lines

    @Idrisap try using something like Malwarebytes to check your computers and any Android devices you use. Unfortunately, it won’t help diagnose problems with your games consoles or non-Android devices, but it will help you get started.

  • Doc_A Member, Beta Tester Posts: 3
    Photogenic First Comment
    I have just figured out why 3 of 5 computers, all of my WLAN devices, have come and gone, my ISP was converted to a different server, and all but one of my authenticated names or accounts have been given different aliases or names; however, this information has eluded Microsoft, Google, Eset, Windows Firewire, Malwarebytes, and the list goes on. The MO (modus operandi) of "UNKNOWN APP" varies slightly, but generally starts with bizarre network behavior, like: wireless channels are listed as Ethernet connections but are only looped to one channel, devices and robots begin behaving erratically, and your authority-authenticated aliases are different yet look the same (Arts-doc becomes Arts). Then most of your apps and programs are isolated but function, but only under one of these false aliases. Eventually, slowness is the fastest you get; your internet speed tests yield speeds slower than Elon Musk's snail. Nothing is on, some things are working, laptops and desktops start going in for maintenance and usually come back worse. Fing alerts and warnings are about the only reliable red flag.
    Since none of the reputable security support resources had the slightest clue, I started to drill into my own software. The first thing: 1) check all of your authenticated names/addresses. If you find that they are not a full URL, but the concatenated name is directed to UNKNOWN APP: s-1-1-15-2-521662822-7272565-286399124-1466311468-4848594041-2922269308-3014200556
    First_name S-1-15-2-12942464427-1181268193-4003137709-4067093754-9476835586-3719180922-327673188655. These specific programs change in the last digits with each name or device it subsumes. You will find these types of addresses located under Local, Roaming; the false aliases will lead you to hidden or renamed partitions on your hard drive. If you are using a cloud backup, none that I know of have a screening firewall, so they simply act as malware backups, endlessly refreshing components important to empowering this ever-growing system. Windows Cloud is my enemy's best friend. I have found, when my router is acting haywire, that it has been co-opted and is using an ISP on a server that has the same first digits 192.618.1.XXXX. I have never been able to get WHOIS to successfully identify this stealthy data miner. Another symptom shows up in sluggish response, and speed tests will show that uploading is twice as fast as downloading. This outside server is actively co-opting more and more programs and creating sections and folders that look like \\download\arts\ and your main drive will at some time appear to change from C: to C(C:).
    Again, I want to stress Fing was the only device or software that identified THAT SOMETHING IS WRONG. Fing also stuffed my mailboxes with an alarming tsunami of emails, which served only to STRESS THE USER HIGHLY, but led me to dead ends.
    Current solution: find folders and sections in all of your drives, devices and security, and paste them into any of your security software that quarantines any program or related items subsumed to them. With the devices and legitimate software, open each one up and put all users under the OWNER of the address or name that is still independent and fully functioning. Work back through these lists of names after ownership has been reestablished and delete the odd aliases from these lists, and particularly authenticated authority lists. This is a lot of trouble, but do it on necessary programs. Then I recommend that you program all of your devices, hubs and services to static lists in your router; this list has limits, and you can in addition assign static IPs to most of your bridges, hubs and Wi-Fi channels. Finally, any of the identities that you can block in the rules of your firewall, do so, even if you have to use wildcard symbols like *S-1-1-2*, *Unknown app* and so forth.
    I'd love to find a much faster way to do this.
