Friday, December 14, 2018

Novidade EK (Exploit Kit) Targets Routers

Security researchers at Trend Micro have found a new exploit kit (EK), named Novidade ("novelty" in Portuguese), that targets SOHO routers in order to compromise the devices connected to the network equipment. The Novidade exploit kit uses cross-site request forgery (CSRF) to change the Domain Name System (DNS) settings of SOHO routers and redirect traffic from the connected devices to IP addresses under the attackers' control. Since its first discovery in August 2017, researchers have observed three variants of the exploit kit, including one involved in the DNSChanger system of a recent GhostDNS campaign. Because Novidade is currently used in multiple campaigns, researchers believe it has been sold to several threat actors or that its source code has leaked.

Most of the campaigns found by the researchers use phishing attacks to steal banking credentials in Brazil. Researchers also observed campaigns with no specific target geolocation, a situation that suggests the attackers are expanding their target regions or that a larger number of threat actors are using the exploit kit.

Researchers say that the landing page performs HTTP requests, generated via the JavaScript Image function, to a predefined list of local IP addresses commonly used by routers. Once a connection is established, the Novidade toolkit queries the IP address to download an exploit payload encoded in base64. The exploit kit blindly attacks the detected IP address with all of its exploits. The malicious code also attempts to log into the router with a set of default credentials and then executes a CSRF attack to change the DNS settings. Below is the list of possibly affected router models, based on Trend Micro's comparison of the malicious code, network traffic, and published PoC code.

  • A-Link WL54AP3 / WL54AP2 (CVE-2008-6823)
  • D-Link DSL-2740R
  • D-Link DIR 905L
  • Medialink MWN-WAPR300 (CVE-2015-5996)
  • Motorola SBG6580
  • Realtron
  • Roteador GWR-120
  • Secutech RiS-11/RiS-22/RiS-33 (CVE-2018-10080)
  • TP-Link TL-WR340G / TL-WR340GD
  • TP-Link WR1043ND V1 (CVE-2013-2645)

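The outcome of the attack described above is that a hijacked router hands out attacker-controlled resolvers to the LAN. The following audit script is an added example, not code from the post or from Trend Micro: it parses resolv.conf text as a client would receive it via DHCP, and flags any public resolver that is not in the operator's expected set. The sample configuration and the expected-resolver addresses are constructed placeholders (documentation ranges), not indicators from the report.

```python
import ipaddress
import re

# Constructed sample resolv.conf as a LAN client might receive it from the
# router's DHCP. 203.0.113.53 is a documentation-range placeholder standing in
# for an attacker-controlled resolver; it is not an indicator from the report.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.lan
nameserver 192.168.0.1
nameserver 203.0.113.53
"""

# Resolvers the operator expects (assumed ISP resolvers, placeholder values).
EXPECTED_RESOLVERS = {"198.51.100.1", "198.51.100.2"}

# Addresses that can only be the router itself or a local stub resolver.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

def parse_nameservers(text):
    """Return nameserver addresses from resolv.conf text, in listed order."""
    return [m.group(1) for m in
            (re.match(r"^\s*nameserver\s+(\S+)", ln) for ln in text.splitlines()) if m]

def classify_resolver(addr, expected):
    """Classify one resolver from a DNS-hijack-detection standpoint."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if addr in expected:
        return "expected"
    if any(ip in net for net in LOCAL_NETS):
        # The router forwards for us: this says nothing about the upstream
        # it was configured with, so the router's own WAN DNS settings
        # still have to be checked on the device.
        return "local-unverified"
    return "unexpected-public"

def audit_resolv_conf(text, expected):
    """Map each configured resolver to its classification."""
    return {a: classify_resolver(a, expected) for a in parse_nameservers(text)}

def hijack_suspected(text, expected):
    """True when any resolver is a public address outside the expected set."""
    return "unexpected-public" in audit_resolv_conf(text, expected).values()
```

A "local-unverified" result is not a clean bill of health: with DNSChanger-style attacks the router keeps answering on its LAN address while forwarding to the attacker's servers, so the router's WAN-side DNS configuration must be compared against the expected set as well.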

For more analysis, please refer to the TrendMicro page: https://blog.trendmicro.com/trendlabs-security-intelligence/new-exploit-kit-novidade-found-targeting-home-and-soho-routers/

IOC table from Trend Micro (the full list of domains, IP addresses and DNS servers is on the Trend Micro page linked above):

