This is followed by an attempt to try and log into the router with a set of default account names and passwords, after which a CSRF attack will be executed in order to change the original DNS server to the attacker’s DNS server.”
Novidade will then blindly attack the detected IP address with all its exploits.
#MEDIALINK MWN WAPR300N FIRMWARE DOWNLOAD#
If a connection is successfully established, Novidade will query the detected IP address to download a corresponding exploit payload, which is encoded Base64. The Trend Micro blog post explains how things work after a victim clicks the link to Novidade- “Once the victim receives and clicks the link to Novidade, the landing page will initially perform several HTTP requests generated by JavaScript Image function to a predefined list of local IP address that are mostly used by routers.
While some go for compromised website injection method some others do it via instant messengers or using malvertising. Those involved in the Novidade campaigns spread the exploit kit using different delivery methods. However, we also recently found campaigns with no specific target geolocation, suggesting that either the attackers are expanding their target areas, or a larger number of threat actors are using it.” Most of the campaigns we discovered used phishing attacks to retrieve banking credentials in Brazil.
#MEDIALINK MWN WAPR300N FIRMWARE CODE#
He further says, “One possibility is that the exploit kit tool was either sold to multiple groups or the source code was leaked, allowing threat actors to use the kit or create their own variations.
While one of the variants was involved in the DNSChanger system of a recent GhostDNS campaign, we believe that Novidade is not limited to a single campaign, as the exploit kit was also concurrently being used in different campaigns.” The Trend Micro blog post, authored by Joseph C Chen, explains, “The earliest Novidade sample we found was from August 2017, and two different variants were identified since. They have also inferred that the attackers are expanding their target areas. They believe that Novidade is not limited to a single campaign or one particular group of hackers. Trend Micro researchers have been tracking the threat for some time. Thus, all traffic coming to the targeted website can be redirected, from all devices that are connected to the same router to the IP address of the attackers’ server. The blog post explains that once the hackers change the DNS setting to that of a malicious server, a pharming attack can be executed. This new exploit kit has been identified and analyzed by Trend Micro security researchers, who say that Novidade works by changing DNS settings of home and SOHO (Small Office and Home Office) routers via cross-site request forgery.Ī Trend Micro blog post dated Decemreads, “We identified a new exploit kit we named Novidade that targets home or small office routers by changing their Domain Name System (DNS) settings via cross-site request forgery (CSRF), enabling attacks on a victim’s mobile device or desktop through web applications in which they’re authenticated with.” Routers belonging to millions of users in Brazil, and in some other parts of the world too, have been targeted by multiple cyberattack groups using a dangerous new exploit kit named Novidade.
0 kommentar(er)
