Home router vulnerabilities exploited for banking credentials
In early August, personal and sensitive information was obtained from customers of Brazil’s largest bank after their home routers were ‘hijacked’.
Victims were unlikely to have been aware of any change resulting from the attack. They selected what appeared to be the correct web page, and were redirected to a convincing fake banking page.
This technique is not new, but remains relatively unusual – and could be replicated elsewhere. It sees router vulnerabilities exploited to gain access to the victim’s router and its DNS configuration changed, allowing the attacker to redirect DNS requests to a malicious server.
Victims may not even receive a warning that they are connecting to an insecure site if the actors use ‘SSL stripping’ or other techniques to overcome SSL/TLS certificate validation issues.
Home routers can sometimes be seen as ‘soft targets’, with their security being given a relatively low priority. Installing the latest router updates is recommended, as is using ad blockers to mitigate malvertising.
The NCSC advise home users to deploy patches on their wireless network infrastructure such as wireless routers and wireless access points, as this will protect traffic from all devices while they are connected to that network. Wireless routers issued by major ISPs may automatically update once a patch becomes available. However, many Wi-Fi network devices (including some of those used by enterprises and small business) will require a manual update.
As discussed in the NCSC password guidance, we also recommend changing default passwords on devices such as routers and wireless access points. Malware that can log in to a router using its default credentials has potential to perform a similar style of attack against a fully patched device.
The NCSC has also published some guidance around Internet Edge Device Security although this is aimed at organisations, rather than individuals.
Marap and Hermes malware delivered by phishing emails
Two high-profile phishing campaigns have been recently reported in open sources.
Marap, distributed by the Necurs1 botnet, is a new piece of malware, with modular functions allowing it to download further capabilities after infecting a victim. The phishing emails used to infect users have featured malicious attachments like Word documents or PDF files. To date, Marap has mostly targeted financial institutions.
A second malware campaign underway targets victims with the Hermes 2.1 ransomware, an evolution of the same ransomware used during the 2017 attempted theft of $60 million from a Taiwan-based bank.
First, the victim receives an email titled “Invoice Due”. It claims an outstanding invoice – attached as a Word document – is due and urges the victim to complete the transaction quickly. The document is protected by a password, contained within the email, giving the campaign added credibility.
When opened, the Word document prompts the victim to enable macros. If enabled, the AZORult trojan will be executed, downloading Hermes 2.1 ransomware and encrypting all files on the system. As with many other ransomware variants, a ransom note will then prompt the victim to pay, via cryptocurrencies, to have their files decrypted.
Newer and patched versions of the applications Marap is currently targeting may be able to better defend against the original attack using malicious documents. The NCSC recommends disabling Office macros as discussed in published guidance here. There is also guidance available that can help users detect and avoid common phishing attacks as well as protecting your organisation against ransomware.
Fraud, cyber crime and phishing attempts should be reported online to Action Fraud or by calling 0300 123 2040. If you are in Scotland contact Police Scotland on 101.