Did I just get DNS Hijacked?

Yes, your router's primary DNS entry was pointed to a rogue DNS server to make devices in your network resolve apple.com and other domains to phishing sites instead. The router possibly got compromised through an unpatched vulnerability in its firmware.

I have an Asus AC87U, FW Version 3.0.0.4.380.7743 (1 release behind).

Your release is over half a year old. The latest release 3.0.0.4.382.50010 (2018-01-25) comes with lots of security fixes, including RCE vulnerabilities which may have been exploited here.

Security fixed

  • Fixed KRACK vulnerability
  • Fixed CVE-2017-14491: DNS - 2 byte heap based overflow
  • Fixed CVE-2017-14492: DHCP - heap based overflow
  • Fixed CVE-2017-14493: DHCP - stack based overflow
  • Fixed CVE-2017-14494: DHCP - info leak
  • Fixed CVE-2017-14495: DNS - OOM DoS
  • Fixed CVE-2017-14496: DNS - DoS Integer underflow
  • Fixed CVE-2017-13704: Bug collision
  • Fixed predictable session tokens (CVE-2017-15654), logged user IP validation (CVE-2017-15653), Logged-in information disclosure (special thanks to Blazej Adamczyk for the contribution)
  • Fixed web GUI authorization vulnerabilities.
  • Fixed AiCloud XSS vulnerabilities
  • Fixed XSS vulnerability. Thanks for Joaquim's contribution.
  • Fixed LAN RCE vulnerability. An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program
  • Fixed remote code execution vulnerability. Thanks to David Maciejak of Fortinet's FortiGuard Labs
  • Fixed Smart Sync Stored XSS vulnerabilities. Thanks for Guy Arazi's contribution.
  • Fixed CVE-2018-5721 Stack-based buffer overflow.

(Source)

Although Asus doesn't publish bug details, attackers may have independently discovered some of the vulnerabilities patched in that release. Diffing firmware releases to reverse-engineer what parts were patched is usually quite straightforward, even without access to the original source. (This is routinely done with Microsoft security updates.) Such "1-day exploits" are comparatively cheap to develop.

Also, this looks like it's part of a more wide-spread recent attack. This tweet from three days ago seems to describe an incident very similar to what you experienced:

My ASUS home router was apparently hacked and a rogue DNS server in Dubai added to the configuration. It redirected sites like http://apple.com to a phishing site that (I think) I caught before my children gave away their credentials. Check your routers kids.

(@harlanbarnes on Twitter, 2018-03-09)


[...] my browser warned me (Google Chrome) saying this website was not secure. [...] I began to suspect maybe my Mac machine had been infected [...]

The fact that you got certificate warnings makes it less likely that an attacker managed to get into your machine. Otherwise, they could have messed with your local certificate store or browser internals and wouldn't need to conduct a blatant DNS change.

No one has access to my router administration page aside from me on the network

Even if your router interface isn't visible from outside your network, it can be vulnerable to a range of attacks. As an example, take this Netgear router arbitrary code execution exploit from a while ago which had Netgear routers execute arbitrary commands sent as part of the URL.

The idea here is to trick you into visiting a prepared website that makes you conduct the attack yourself by issuing a specially crafted cross-origin request to the router interface. This could happen without you noticing and wouldn't require the interface to be remote accessible.

Ultimately, the given information doesn't reveal the exact attack path. But it's plausible that they leveraged vulnerabilities in your outdated firmware release. As an end user you should at least update your firmware as soon as possible, do factory resets if necessary, and keep your router interface password-protected even if it's only accessible from the intranet.


It's obvious that someone changed DNS entries inside your router, probably using default credentials. You should go with a factory reset, update your firmware, change the default credentials and disable outside access to it.

And yes, that DNS server 185.183.96.174 is coming from hackers and is still alive...

dig apple.com @185.183.96.174

This will return:

apple.com.      604800  IN  A   185.82.200.152

And all the fake sites sit there: hxxp://185.82.200.152/
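A quick way to automate the check this answer describes (an added example, not code from the original answer): parse the A records returned by the router-configured resolver and by a resolver you trust, and flag domains where the two disagree. The dig output below is constructed sample data; only the 185.82.200.152 answer for apple.com is the value quoted above, the other addresses are placeholders.

```python
"""Flag domains whose A records from the router's resolver disagree with a
trusted resolver, as a first-pass DNS-hijack check on dig output."""
import re
from typing import Dict, Set

# One dig ANSWER SECTION line: NAME  TTL  CLASS  TYPE  RDATA (IPv4 A records only)
_A_RECORD = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_dig_answers(text: str) -> Dict[str, Set[str]]:
    """Parse dig answer lines into {domain: {ipv4, ...}}; other lines are skipped."""
    answers: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        m = _A_RECORD.match(line.strip())
        if not m:
            continue  # comments, blanks, AAAA/CNAME records, etc.
        name = m.group("name").rstrip(".").lower()
        answers.setdefault(name, set()).add(m.group("ip"))
    return answers


def find_hijacked(router: Dict[str, Set[str]],
                  trusted: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Return {domain: router_ips} for every domain where not a single address
    from the router's resolver also appears in the trusted resolver's answer.
    Domains the trusted resolver did not answer are not judged."""
    suspicious: Dict[str, Set[str]] = {}
    for name, router_ips in router.items():
        good = trusted.get(name, set())
        if good and router_ips.isdisjoint(good):
            suspicious[name] = router_ips
    return suspicious


# Constructed samples, shaped like `dig apple.com @<resolver>` answer lines.
ROUTER_DIG = """\
apple.com.      604800  IN  A   185.82.200.152
example.org.    3600    IN  A   198.51.100.5
"""
TRUSTED_DIG = """\
apple.com.      1800    IN  A   203.0.113.10
example.org.    3600    IN  A   198.51.100.5
"""

if __name__ == "__main__":
    hits = find_hijacked(parse_dig_answers(ROUTER_DIG), parse_dig_answers(TRUSTED_DIG))
    for domain, ips in hits.items():
        print(f"MISMATCH {domain}: router resolver returned {sorted(ips)}")
```

Large CDN-hosted domains legitimately hand out different addresses to different resolvers, so treat a mismatch as a prompt to inspect the router's DNS settings rather than as proof on its own.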


One thing I would HIGHLY suggest in this case is trying to flash your router with something like DD-WRT (open source firmware). The DD-WRT forums list a beta build for your router. These builds are often far less susceptible to outside invasion like this, because they're built with best practices. Contrast with this long list of vulnerable ASUS routers (which lists the problem you described).

40 models of the Asus RT line of home routers are affected by five vulnerabilities that allow an attacker to get ahold of the router password, change router settings without authentication, execute code, and exfiltrate router data.

On the upside, at least they were only after Apple credentials instead of eating up all your bandwidth

Another suggestion is to buy a router that can better patch itself. I bought an Amplifi a while back, and its touch screen notifies me when I have a firmware update (two taps and I'm patched).
