
DNS servers


Do you still have the original DNS servers in the router?

Today we will look at changes to the DNS settings of routers, Cerber ransomware, the ranking of countries by number of botnet clients in Europe, the Middle East and Africa, the next wave of attacks on RDP, and a possible weakness of the Tor network.

There were many attacks on routers in 2016, among them products of Asus, Netis, TP-Link and Tenda. As in similar attacks in previous years, the attacker changes the router's DNS servers: the primary to 46.17.102.10, 46.17.102.15 or 46.17.102.163, the secondary always to 8.8.8.8. We do not yet know the attack vector, but we expect it to be JavaScript placed on a web page. Apart from the fact that several brands are affected, some of the routers were behind NAT, so we believe the vulnerability was probably not exploitable via the WAN interface, unlike the 2014 case in which the attacker abused the rom-0 vulnerability.
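A quick way to answer the question in the title is to compare the resolvers a host is actually using with the addresses above. The following script is an added example, not code from the original post; the only facts it takes from the post are the three rogue primaries and the 8.8.8.8 secondary, and the resolv.conf samples in it are constructed. It also covers the common home case where the router hands out its own LAN address and forwards upstream, in which case the hijacked upstream is only visible in the router's own WAN DNS settings.

```python
"""Check which DNS resolvers this host uses against the rogue servers seen in
the 2016 router attacks.  Added example, not code from the original post.
Only the three rogue primaries and the 8.8.8.8 secondary come from the post;
the resolv.conf samples below are constructed."""
import ipaddress
import os
import re

ROGUE_PRIMARIES = {"46.17.102.10", "46.17.102.15", "46.17.102.163"}
GOOGLE_DNS = "8.8.8.8"   # always set as the secondary in the observed attacks


def parse_resolv_conf(text):
    """Return the nameserver addresses from resolv.conf-style text, in order."""
    servers = []
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()   # drop comments
        m = re.match(r"nameserver\s+(\S+)", line)
        if not m:
            continue
        try:
            servers.append(str(ipaddress.ip_address(m.group(1))))
        except ValueError:
            pass   # ignore malformed entries
    return servers


def classify(servers):
    """Classify a resolver list: 'hijacked', 'suspicious', 'check-router' or 'ok'."""
    rogue = [s for s in servers if s in ROGUE_PRIMARIES]
    if rogue:
        return "hijacked", f"known rogue resolver(s) configured: {', '.join(rogue)}"
    if servers and all(ipaddress.ip_address(s).is_private for s in servers):
        # Typical home setup: the router hands out its own LAN address and
        # forwards upstream, so a hijacked upstream is only visible in the
        # router's WAN/Internet DNS settings, not on the client.
        return "check-router", "only LAN resolvers in use; inspect the router's upstream DNS settings"
    if (len(servers) >= 2 and servers[1] == GOOGLE_DNS and servers[0] != GOOGLE_DNS
            and not ipaddress.ip_address(servers[0]).is_private):
        # The observed pattern: an attacker-chosen public primary with 8.8.8.8
        # as secondary so resolution keeps working if the rogue server is down.
        return "suspicious", f"public primary {servers[0]} paired with {GOOGLE_DNS}; confirm you chose it"
    return "ok", "no known rogue resolver"


# Constructed samples, not captured from a real machine.
HIJACKED_SAMPLE = "# constructed\nnameserver 46.17.102.15\nnameserver 8.8.8.8\n"
LAN_SAMPLE = "search home.lan\nnameserver 192.168.1.1\n"


def check_this_host(path="/etc/resolv.conf"):
    """Classify the resolvers of the running host, or None if the file is absent."""
    if not os.path.exists(path):
        return None
    with open(path) as f:
        return classify(parse_resolv_conf(f.read()))


if __name__ == "__main__":
    for name, sample in [("hijacked sample", HIJACKED_SAMPLE), ("lan sample", LAN_SAMPLE)]:
        print(name, classify(parse_resolv_conf(sample)))
    print("this host:", check_this_host())
```

On Windows the equivalent input is the DNS server list from `ipconfig /all`; the verdicts apply the same way. A "check-router" result is the normal case behind a home router and is not a clean bill of health: log in to the router and read the DNS servers on its WAN or Internet page.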

It could, for example, be an improved version of the already known JavaScript malware JS_JITON, which attackers place on compromised websites; as of this April it already contained 1,400 login credentials and targeted D-Link, TP-LINK and ZTE devices. When a user visits a compromised site, the malware tries to change the DNS server settings of the router from the user's browser, using the logins it carries. Such an attack only succeeds where the router's administration interface still accepts one of those credentials, so a changed administrator password is the simplest defence.

Based on our findings, the attacker is not yet redirecting users to fake versions of websites, but that is likely to change. Similar attacks are nothing new. In the past we dealt with the case mentioned above, in which users connecting through an infected router were redirected to a forged copy of Google Sites that served malware under the pretext of a Flash Player update. Similarly, in one such attack in Poland, users were redirected to a fake page imitating mBank.

Our observations

A new variant of the Cerber ransomware terminates the running processes of commonly used databases such as MySQL, Oracle or Microsoft SQL Server. The aim is to encrypt as much data as possible: while a database process is running it holds its data files open, which prevents the ransomware from encrypting them. Terminating those processes requires the ransomware to run with sufficient privileges, which is one more reason to keep database services and interactive users on separate, non-administrative accounts.

Symantec surveyed how many computers in each country of the Europe, Middle East and Africa region are members of a botnet. In absolute numbers, the first three places went to Turkey, Italy and Hungary. By bot "density", the first three positions are held by Hungary, Monaco and Andorra. Across the survey, one bot-infected device corresponds to every 17,492 internet users; in Hungary, already mentioned, it is one for every 393 users.

A Brazilian group of attackers has been targeting servers that expose the Remote Desktop Protocol (RDP) to the Internet. Besides brute-force attacks on credentials, they also exploit vulnerabilities that administrators have, for whatever reason, left unpatched. After a successful break-in they launch ransomware on the system, which encrypts most of its files.
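The brute-force part of this is visible in the Windows Security log as repeated event 4625 (failed logon) from one source address. The detector below is an added example, not code from the original post or from any vendor; it reads a constructed one-line-per-event rendering of 4625 events (the field names mirror the Windows event, the lines themselves are made up) and flags both password guessing against one account and password spraying across many accounts.

```python
"""Detect RDP credential brute force in Windows Security log events.

Added example, not code from the original post.  The input is a constructed
one-line-per-event rendering of event 4625 (failed logon); field names mirror
the Windows event, but the log lines are made up.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Logon type 10 is RemoteInteractive (classic RDP).  With Network Level
# Authentication enabled the failed CredSSP handshake is logged as a network
# logon (type 3) instead, so both types are treated as RDP candidates here.
RDP_LOGON_TYPES = {"3", "10"}

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) LogonType=(?P<lt>\d+) "
    r"User=(?P<user>\S+) Src=(?P<src>\S+)$"
)


def parse_events(lines):
    """Yield (timestamp, user, source_ip) for failed logons (4625) of RDP type."""
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m or m["id"] != "4625" or m["lt"] not in RDP_LOGON_TYPES:
            continue
        yield datetime.fromisoformat(m["ts"]), m["user"].lower(), m["src"]


def detect_bruteforce(events, max_failures=10, max_users=5, window=timedelta(minutes=5)):
    """Return {source_ip: reason} for sources that exceed a threshold in any window.

    A source trips the detector by many failures (password guessing) or by
    failures against many distinct accounts (password spraying).  Events are
    sorted by timestamp first, so input order does not matter.
    """
    recent = defaultdict(deque)   # src -> deque of (ts, user) inside the window
    alerts = {}
    for ts, user, src in sorted(events):
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()
        if src in alerts:
            continue          # alert once per source
        users = {u for _, u in q}
        if len(q) >= max_failures:
            alerts[src] = f"{len(q)} failed RDP logons within {window} (users: {sorted(users)})"
        elif len(users) >= max_users:
            alerts[src] = f"failures against {len(users)} distinct accounts within {window}"
    return alerts


def _sample_log():
    """Constructed sample: one guesser, one sprayer, one clumsy legitimate user."""
    lines = []
    base = datetime(2016, 11, 1, 2, 13, 0)
    # 12 guesses against Administrator from one address, 10 seconds apart
    for i in range(12):
        lines.append(f"{(base + timedelta(seconds=10 * i)).isoformat()} EventID=4625 "
                     f"LogonType=10 User=Administrator Src=203.0.113.45")
    # spraying: one attempt each against six accounts through NLA (logon type 3)
    for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        lines.append(f"{(base + timedelta(seconds=30 * i)).isoformat()} EventID=4625 "
                     f"LogonType=3 User={u} Src=198.51.100.7")
    # benign: a user mistyping a password twice from the LAN
    lines.append(f"{base.isoformat()} EventID=4625 LogonType=10 User=grace Src=10.0.0.25")
    lines.append(f"{(base + timedelta(seconds=40)).isoformat()} EventID=4625 "
                 f"LogonType=10 User=grace Src=10.0.0.25")
    # a successful logon (4624) is not a failure and must be ignored
    lines.append(f"{base.isoformat()} EventID=4624 LogonType=10 User=grace Src=10.0.0.25")
    return lines


SAMPLE_LOG = _sample_log()

if __name__ == "__main__":
    for src, reason in detect_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {src}: {reason}")
```

The thresholds are starting points; on a host that is not supposed to be reachable over RDP from the Internet at all, a single failure from a public address is already the alert. Detection does not replace the fix the paragraph implies: take RDP off the Internet (VPN or gateway in front of it) and apply the patches the attackers rely on being missing.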

Tor exit node operators should avoid using public DNS resolvers such as Google's or OpenDNS. Instead they should use their ISP's resolvers or run their own. This follows from a newly published correlation attack that uses DNS to deanonymize users of the Tor network. At the moment, Google sees about 40% of all DNS queries leaving the Tor network on its resolvers.
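The "run your own" option comes down to a local recursive resolver and pointing the exit at it. The fragments below are an added configuration example, not taken from the original post or from the Tor project's documentation: a minimal Unbound server that resolves from the root servers itself (no forward-zone to a public resolver), a resolv.conf that sends the host's queries to it, and the torrc line that makes the resolver choice explicit (tor reads /etc/resolv.conf by default). File paths are the usual ones on Debian-style systems and are an assumption.

```conf
# /etc/unbound/unbound.conf  (constructed minimal example)
server:
    interface: 127.0.0.1
    port: 53
    access-control: 127.0.0.0/8 allow
    # No forward-zone: resolve iteratively from the root servers so that no
    # single public resolver sees the names requested by Tor users.
    qname-minimisation: yes
    hide-identity: yes
    hide-version: yes
    prefetch: yes

# /etc/resolv.conf on the exit node
nameserver 127.0.0.1

# /etc/tor/torrc  (tor uses /etc/resolv.conf by default; set it explicitly)
ServerDNSResolvConfFile /etc/resolv.conf
```

If you prefer the ISP's resolvers, replace the 127.0.0.1 line in resolv.conf with their addresses and leave Unbound out; what matters for the attack described above is that the exit's queries do not funnel into one of the large public resolvers.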


