New Exploit Kit Novidade Targets Home and SOHO Routers

Routers belonging to millions of users in Brazil, and in some other parts of the world too, have been targeted by multiple cyberattack groups using a dangerous new exploit kit named Novidade.

This new exploit kit has been identified and analyzed by Trend Micro security researchers, who say that Novidade works by changing DNS settings of home and SOHO (Small Office and Home Office) routers via cross-site request forgery.

A Trend Micro blog post dated December 11, 2018 reads, “We identified a new exploit kit we named Novidade that targets home or small office routers by changing their Domain Name System (DNS) settings via cross-site request forgery (CSRF), enabling attacks on a victim’s mobile device or desktop through web applications in which they’re authenticated with.”

The blog post explains that once the hackers change the DNS setting to that of a malicious server, a pharming attack can be executed. Thus, all traffic coming to the targeted website can be redirected, from all devices that are connected to the same router to the IP address of the attackers’ server.

Trend Micro researchers have been tracking the threat for some time. They believe that Novidade is not limited to a single campaign or one particular group of hackers. They have also inferred that the attackers are expanding their target areas.

The Trend Micro blog post, authored by Joseph C Chen, explains, “The earliest Novidade sample we found was from August 2017, and two different variants were identified since. While one of the variants was involved in the DNSChanger system of a recent GhostDNS campaign, we believe that Novidade is not limited to a single campaign, as the exploit kit was also concurrently being used in different campaigns.”
He further says, “One possibility is that the exploit kit tool was either sold to multiple groups or the source code was leaked, allowing threat actors to use the kit or create their own variations. Most of the campaigns we discovered used phishing attacks to retrieve banking credentials in Brazil. However, we also recently found campaigns with no specific target geolocation, suggesting that either the attackers are expanding their target areas, or a larger number of threat actors are using it.”

Those involved in the Novidade campaigns spread the exploit kit using different delivery methods. While some go for compromised website injection method some others do it via instant messengers or using malvertising.

The Trend Micro blog post explains how things work after a victim clicks the link to Novidade- “Once the victim receives and clicks the link to Novidade, the landing page will initially perform several HTTP requests generated by JavaScript Image function to a predefined list of local IP address that are mostly used by routers. If a connection is successfully established, Novidade will query the detected IP address to download a corresponding exploit payload, which is encoded Base64. Novidade will then blindly attack the detected IP address with all its exploits. This is followed by an attempt to try and log into the router with a set of default account names and passwords, after which a CSRF attack will be executed in order to change the original DNS server to the attacker’s DNS server.”

Once the DNS settings are changed and the router compromised, all the different devices that are connected to the router become vulnerable to pharming attacks.

The exploit kit was named Novidade due to the title string “Novidade!” on the web-pages of all the current variants; ‘Novidade’ in Portuguese means ‘novelty’.

Multiple router models, including D-Link’s DSL-2740R and DIR 905L, Mediabridge’s Medialink MWN-WAPR300, Motorola’s SBG6580, and TP-Link’s TL-WR340G and WR1043ND have been compromised using Novidade.

Well, the Novidade campaign is definitely not the first attack in which attackers target SOHO routers and try changing the DNS settings to steal user credentials or to perform malicious activities. There were reports, in August, of DNS hijacking attempts targeting D-Link DSL modems in Brazil. The campaign expanded by October and covered almost six dozen router models not just in Brazil, but in other places as well. Reports have already come about router hijacking exploit kits like DNSChanger and VPNFilter.

These attacks prove that hackers today are increasingly targeting home and SOHO routers in a bid to steal banking credentials and other online credentials of internet users. Experts say that users should gear up to protect themselves against such attacks by ensuring that their routers have the latest firmware version and also that they are properly patched. They should also change default usernames and passwords, the router’s default IP address etc and should also disable remote access features.