Hackers use Google Cloud to attack home routers


Hackers have been using Google’s cloud computing service to redirect and intercept web and mail traffic on vulnerable consumer routers. A researcher said that he has seen the Google Cloud Platform being used to carry out three separate waves of DNS hijacking attacks over the past three months targeting D-Link, ARGtek, DSLink, Secutech, and TOTOLINK routers. DNS hijacking is an attack that causes router traffic to be redirected and sent to malicious websites. All exploit attempts have originated from hosts on the network of Google Cloud Platform. In this campaign, researchers identified four distinct rogue DNS servers being used to redirect web traffic for malicious purposes.

The first wave came on Dec. 29 and targeted D-Link DSL-2640B, D-Link DSL-2740R, D-Link DSL-2780B and D-Link DSL-526B routers, redirecting their traffic to a rogue DNS server in Canada. The second wave, on Feb 6, targeted the same D-Link models and again redirected traffic to a DNS server in Canada. The third wave, on Mar 26, targeted ARG-W4 ADSL routers, DSLink 260E routers, Secutech routers, and TOTOLINK routers; this wave redirected traffic to two DNS servers, both hosted in Russia.


Once hackers launch a successful DNS hijacking attack, they can use the rogue DNS server to redirect any and all network traffic of the target device that relies on DNS to resolve a domain name to an IP address. This applies to essentially all web traffic, since users almost never type an IP address directly into their web browser. As a result, users can be redirected to phishing sites or have advertisements injected into pages; the latter is done by hijacking the domains of well-known advertising platforms to insert ads that make money for the hackers.

In past years, the DNSChanger malware has been prolific, raking in $14 million in advertising-related fraud for the hackers behind it. Most of the vulnerabilities used to exploit vulnerable D-Link routers are already well known, including several remote DNS Change exploits. The various waves of attacks have all used Google Cloud Platform hosts. It is highly unlikely that Google Cloud Platform was randomly abused multiple times for conducting DNS hijacking attacks. The only DNS hijacking exploit attempts detected in the last three months were from GCP hosts.

Hackers first used Google's cloud service to scan for vulnerable routers that could be exploited. They then used the same platform to remotely reconfigure the routers to point at their own DNS servers, using malicious code. According to Troy Mursch with Bad Packets Report, anyone with a Google account can easily access a Google Cloud Shell machine. Google Cloud Shell is a service that gives users the equivalent of a Linux virtual private server, with root privileges, directly in a web browser.

Google has been slow to respond to reports of abuse; as a large cloud service provider, dealing with abuse is an ongoing process for Google. A Google spokesperson said that Google has suspended the fraudulent accounts in question and is working through established protocols to identify any new ones that emerge. "We have processes in place to detect and remove accounts that violate our terms of service and acceptable use policy, and we take action on accounts when we detect abuse, including suspending the accounts in question," said the Google spokesperson. "These incidents highlight the importance of practicing good security hygiene, including patching router firmware once a fix becomes available."

DNS hijacking attacks redirect queries to a rogue domain name server by overriding a device's TCP/IP settings. These attacks can help hackers carry out advertising-related fraud or phishing attacks, and they can have more destructive purposes as well. In January, attacks aimed at multiple government domains triggered the Department of Homeland Security to issue an emergency directive ordering all federal agencies to urgently audit Domain Name System security for their domains. Consumers should keep their home router firmware up to date to prevent exploits; when security vulnerabilities are discovered, they are usually patched by the manufacturer to mitigate further attacks. You should also review your router's DNS settings to ensure they haven't been tampered with.
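The two checks the article recommends, reviewing which resolvers a device has been handed and confirming they have not been tampered with, can be scripted. The following is an added example written for this page, not code from the article or from any of the researchers it cites. It audits resolv.conf-style text against a caller-supplied allowlist of trusted resolvers and the home LAN range, and it compares A-record answers obtained from the local resolver with answers from a known-good reference resolver; a hijacked router typically shows up as either an unexpected public nameserver or a mismatched answer for a well-known domain. The allowlist, the LAN range, the resolv.conf text and both answer sets are constructed sample values (TEST-NET addresses), not data from the page.

```python
"""Audit DNS resolver settings for signs of router DNS hijacking.

Added example for this page; not the article's code. The allowlist, LAN
range and all sample data below are constructed for illustration.
"""
import ipaddress

# Hypothetical allowlist of resolvers this household intends to use.
TRUSTED_RESOLVERS = {"1.1.1.1", "9.9.9.9"}
# Hypothetical home LAN; the router itself normally answers from here.
HOME_LAN = "192.168.1.0/24"


def parse_nameservers(resolv_conf):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify_resolver(addr, trusted, lan_net):
    """Label one resolver as trusted, lan, loopback, invalid or suspicious."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if addr in trusted:
        return "trusted"
    if ip.is_loopback:
        return "loopback"
    if ip in lan_net:
        return "lan"
    # Any other address was pushed by something we did not configure.
    return "suspicious"


def audit_resolvers(resolv_conf, trusted=TRUSTED_RESOLVERS, lan=HOME_LAN):
    """Map every configured nameserver to its classification."""
    lan_net = ipaddress.ip_network(lan)
    return {s: classify_resolver(s, trusted, lan_net)
            for s in parse_nameservers(resolv_conf)}


def mismatched_domains(local_answers, reference_answers):
    """Domains whose A records from the local resolver differ from the
    reference resolver's. Order-insensitive; a missing local answer counts
    as a mismatch, since a hijacked resolver may simply refuse to answer."""
    return sorted(
        domain for domain, ref in reference_answers.items()
        if set(local_answers.get(domain, ())) != set(ref)
    )


def hijack_indicators(resolv_conf, local_answers, reference_answers):
    """Combine both checks into one report the caller can act on."""
    classes = audit_resolvers(resolv_conf)
    return {
        "suspicious_resolvers": sorted(a for a, c in classes.items()
                                       if c in ("suspicious", "invalid")),
        "mismatched_domains": mismatched_domains(local_answers,
                                                 reference_answers),
    }


# Constructed sample: DHCP handed out the LAN gateway plus an unknown
# public resolver, and that resolver answers a well-known domain wrongly.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client (constructed sample)
nameserver 192.168.1.1
nameserver 198.51.100.23
search lan
"""
SAMPLE_LOCAL = {"example.com": ["203.0.113.77"],
                "example.net": ["203.0.113.5"]}
SAMPLE_REFERENCE = {"example.com": ["203.0.113.10"],
                    "example.net": ["203.0.113.5"]}

if __name__ == "__main__":
    print(hijack_indicators(SAMPLE_RESOLV_CONF, SAMPLE_LOCAL, SAMPLE_REFERENCE))
```

In practice the local and reference answer sets would come from querying the router's resolver and a trusted resolver for the same handful of domains (a bank, a mail provider, an ad network); the comparison logic above is deliberately offline so it can be dropped into an existing monitoring script. An answer that differs only because of CDN geo-balancing is a known source of false positives, so compare domains with stable records or repeat the check before acting on it.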