New Exploit Kit Targeting Home and Office Routers

Cybersecurity firm Trend Micro has identified a new exploit kit, dubbed Novidade, being delivered through multiple campaigns, with the earliest samples dating back to August 2017. A September campaign delivered the exploit kit over 24 million times to Brazilian residents via an instant message link, and a campaign in late October used an iframe on compromised websites to distribute the malware globally. Novidade targets home and small office routers, poisoning their Domain Name System (DNS) settings so that legitimate domain requests resolve to phishing IPs hosted by the threat actor, a technique known as a pharming attack.

The infection chain begins once a user accesses a compromised site and the page makes several HTTP requests to a list of local IPs used by routers. If a connection is established, the router is queried to download a base64-encoded exploit payload, which attacks the router with all of Novidade’s exploits. Novidade then attempts to log in to the router with default credentials and executes a cross-site request forgery (CSRF) attack to change the DNS server to the attacker’s malicious DNS server. At this point, all devices connected to the router are vulnerable.

To protect yourself against Novidade, the NJCCIC recommends keeping device firmware up to date, changing your router’s default IP address and credentials, disabling remote access features, and trusting only HTTPS connections with sensitive data. For detailed information about Novidade, review the Trend Micro blog post and the NJCCIC Novidade threat profile; for exploit kit mitigation techniques, review the NJCCIC Exploit Kit threat profile page.
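The first stage of the infection chain described above, a page from an outside site requesting several local router IPs in quick succession, is visible in web proxy or browser telemetry. The following detection sketch is an added example, not code from Trend Micro or the NJCCIC; the log format, the sample lines, and the threshold and window values are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log: epoch_seconds client_ip referer requested_url
SAMPLE_LOG = """\
1000 10.0.0.23 https://news.example/story http://192.168.0.1/
1001 10.0.0.23 https://news.example/story http://192.168.1.1/
1001 10.0.0.23 https://news.example/story http://10.0.0.1/
1002 10.0.0.23 https://news.example/story http://192.168.100.1/
1005 10.0.0.40 http://192.168.1.1/index.html http://192.168.1.1/status.html
1010 10.0.0.41 https://shop.example/cart https://cdn.example/app.js
1020 10.0.0.42 https://intranet.example/wiki http://192.168.1.1/
"""

def is_private_host(url):
    """True when the URL's host is a literal private-range IP address."""
    host = urlsplit(url).hostname
    try:
        return ipaddress.ip_address(host).is_private
    except (ValueError, TypeError):
        return False  # a hostname (or no host), not an IP literal

def find_router_sweeps(log_text, min_targets=3, window=10):
    """Return (client, referer_host, private_targets) for each page not served from a
    private IP whose requests reach >= min_targets distinct private IPs within window s."""
    hits = defaultdict(list)  # (client, referer host) -> [(timestamp, private target)]
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, client, referer, url = parts
        # Keep only requests that cross from a non-local page to a local IP.
        # Assumption: pages addressed by name are treated as non-local; the
        # min_targets threshold keeps a single intranet link from alerting.
        if is_private_host(referer) or not is_private_host(url):
            continue
        hits[(client, urlsplit(referer).hostname)].append((int(ts), urlsplit(url).hostname))
    alerts = []
    for (client, ref_host), events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            targets = {h for t, h in events[i:] if t - start <= window}
            if len(targets) >= min_targets:
                alerts.append((client, ref_host, sorted(targets)))
                break  # one alert per client and referring page
    return alerts

if __name__ == "__main__":
    print(find_router_sweeps(SAMPLE_LOG))
```

An alert from this check is a prompt to compare the router's configured DNS servers against the ones you expect, since the DNS change is what the kit is after.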
