Saturday, 24 December 2016

Hacker Demonstrates How Easy In-flight Entertainment System Can Be Hacked

Next time you hear an announcement on a flight, "Ladies and gentlemen, this is your captain speaking...," the chances are that the announcement is coming from a hacker controlling your flight.
Dangerous vulnerabilities in an in-flight entertainment system used by leading airlines, including Emirates, United, American Airlines, Virgin, and Qatar, could let hackers hijack several flight systems and even take control of the plane.
According to security researchers from IOActive, the security vulnerabilities reside in the Panasonic Avionics In-Flight Entertainment (IFE) system used in planes run by 13 major airlines, providing hackers with a gateway, which is absolutely terrifying.

The security holes could be exploited by hackers to spoof flight information such as map routes, speed statistics, and altitude values, and to steal credit card information.
IOActive's Ruben Santamarta managed to "hijack" in-flight displays to change information like altitude and location, control the cabin lighting, and hack into the announcements system.
"Chained together this could be an unsettling experience for passengers," said Santamarta. "I don't believe these systems can resist solid attacks from skilled malicious actors. This only depends on the attacker's determination and intentions, from a technical perspective it's totally feasible."
Besides these critical issues, the researcher said that in some instances hackers could access credit card details of passengers stored in the automatic payment system and use their frequent flyer membership details to capture personal data.

The vulnerabilities affect 13 different airlines that use the Panasonic Avionics system: American Airlines, United, Virgin, Emirates, Etihad, Qatar, FinnAir, KLM, Iberia, Scandinavian, Air France, Singapore, and Aerolineas Argentinas.
The vulnerabilities were reported to Panasonic in March last year, and the researcher waited more than a year and a half to go public, so the company had "enough time to produce and deploy patches, at least for the most prominent vulnerabilities."
Emirates is working with Panasonic to resolve these issues and regularly updates its systems. "The safety of our passengers and crew on board is a priority and will not be compromised," Emirates said, as reported by the Telegraph.
Santamarta is the same researcher who warned of security issues in systems used by different aircraft in the past.
Back in 2014, he discovered that it was possible to reverse engineer a bug that let him use the Wi-Fi signal or the in-flight entertainment system to connect to airplanes' equipment, including the navigation system.
For in-depth technical details about the new vulnerabilities discovered by Santamarta, head over to IOActive's official blog post published today.

Russia Wants Apple to Unlock iPhone belonging to Killer of Russian Ambassador

You might have also seen a viral video of the assassination of the Russian ambassador to Turkey that quickly spread through the Internet worldwide.
Russian Ambassador Andrei Karlov was shot dead by an off-duty police officer in Ankara on December 19 while the ambassador was giving a speech at an art gallery. The shooter managed to pass himself off as the ambassador's official bodyguard and was later shot dead by Turkish special forces.
After this shocking incident, Apple has been asked to help unlock an iPhone 4S recovered from the shooter, which could again spark a battle similar to the one between Apple and the FBI earlier this year.
Turkish and Russian authorities have asked Apple to help them bypass the PIN code on an iPhone 4S, which, the authorities believe, could help them investigate the killer's links to various terrorist organizations.
Apple is expected to refuse the request, but according to MacReports and other local media, the Russian government is reportedly sending a team of experts to Turkey to help authorities unlock the iPhone.
In the Apple vs. FBI case, Apple declined to help the FBI unlock an iPhone belonging to the San Bernardino shooter Syed Rizwan Farook, saying that any backdoor it developed would eventually end up falling into the wrong hands.
The FBI reportedly got outside help to unlock the iPhone, paying almost $1.3 Million to a group of hackers to unlock the device, but found nothing that could help in the investigation.
The man who killed the Russian ambassador on Monday was later identified as 22-year-old Mevlut Mert Altıntas, an off-duty police officer who used his police ID to gain access to the Ankara art gallery where Karlov was giving a speech.
During the assassination, the shooter shouted "Don't forget Aleppo," and according to both Russian and Turkish authorities, the assassination was designed to destabilize the relationship between the two countries.

Hackers threaten to take down Xbox Live and PSN on Christmas Day

Bad news for gamers!
It's once again the time of year when many of you will receive new PlayStations and Xboxes, which remain among the most popular Christmas gifts, but chances are you won't be able to log into the online gaming networks, just as happens every Christmas holiday.
During the 2014 Christmas holidays, the notorious hacker group Lizard Squad knocked the PlayStation Network and Xbox Live offline for many gamers by launching massive DDoS attacks against the gaming networks.
This time a new hacking group, which took down Tumblr this week for almost two hours, has warned gamers that it will launch another large-scale distributed denial-of-service (DDoS) attack against Xbox Live and the PlayStation Network.
Calling itself R.I.U. Star Patrol, the hacking group posted a video on YouTube announcing that it plans to take down Sony's PSN and Microsoft's Xbox Live on Christmas Day by launching coordinated DDoS attacks.
"We do it because we can," the group said. "We have not been paid a single dollar for what we do."
On Wednesday, when R.I.U. Star Patrol took down Tumblr, the group contacted Mashable and explained its reason for attacking: "There is no sinister motive. It’s all for light hearted fun."
Neither Sony nor Microsoft has yet responded to the hackers' warning.
However, both Sony and Microsoft previously promised to enhance the protection of their systems to block any attack disrupting their networks, yet downtime and short outages have occurred almost every Christmas.
Given that attackers can now launch DDoS attacks reaching 1 Tbps, it goes without saying that both companies should be prepared for DDoS attacks against their servers this Christmas that may exceed their expectations.
We saw coordinated DDoS attacks against DNS hosting provider Dyn last fall that broke large portions of the Internet, causing a significant outage to a ton of websites and services, including Twitter, GitHub, PayPal, Amazon, Reddit, Netflix, and Spotify.
The massive DDoS attack was launched by a botnet of an estimated 100,000 so-called Internet of Things (IoT) devices – everyday devices and appliances that are connected to the web – and shut down the Internet for millions of users.
So, it remains to be seen if gamers would be able to enjoy this Christmas or not.

Tuesday, 20 December 2016


Monday, 19 December 2016

How to Hack Apple Mac Encryption Password in Just 30 Seconds

Macintosh computers are often considered to be safer than those running the Windows operating system, but a recently discovered attack technique proves that wrong.
All an attacker needs is a $300 device to seize full control of your Mac or MacBook.
Swedish hacker and penetration tester Ulf Frisk has developed a new device that can steal the password from virtually any Mac laptop while it is sleeping or even locked in just 30 seconds, allowing hackers to unlock any Mac computer and even decrypt the files on its hard drive.
So, next time you leave your Apple laptop unattended, be sure to shut it down completely rather than just putting it to sleep or locking it.
Here's How an Attacker can steal your Mac FileVault2 Password
The researcher devised this technique by exploiting two design flaws he discovered last July in Apple's FileVault2 full-disk encryption software.
The first issue is that the Mac system does not protect itself against Direct Memory Access (DMA) attacks before macOS is started.
This is because the Mac EFI, or Extensible Firmware Interface (similar to a PC's BIOS), lets devices plugged in over Thunderbolt access memory without enabling DMA protections, which allows Thunderbolt devices to read and write memory.
Secondly, the password to the FileVault encrypted disk is stored in clear text in memory, even when the computer is in sleep mode or locked. When the computer reboots, the password is put in multiple memory locations within a fixed memory range, making it readable by hacking devices.
Dubbed PCILeech and costing approximately $300, the hacking device exploits these two vulnerabilities to carry out DMA attacks and extract Mac FileVault2 passwords from a device's memory in clear text before macOS boots and anti-DMA protections come into effect.
To do this, all an attacker needs is access to a target Mac computer for just a few minutes to connect the PCILeech hacking device to the computer via its Thunderbolt port, which would allow the attacker to have full access to its data.
Video Demonstration of the Attack
Frisk also provided a video demonstration, which shows how he simply plugged a card flashed with his open source PCILeech software tool into the Mac's Thunderbolt port, ran the hacking tool against the target Mac or MacBook, rebooted the system, and read the Mac password on the other laptop.

Yes, the attack only works if an attacker has physical access to a target Mac or MacBook, but all it takes is just 30 seconds to carry out successfully.
"Anyone including, but not limited to, your colleagues, the police, the evil maid and the thief will have full access to your data as long as they can gain physical access - unless the Mac is completely shut down," Frisk explained in a blog post on Thursday.
"If the Mac is sleeping it is still vulnerable. Just stroll up to a locked Mac, plug in the Thunderbolt device, force a reboot (ctrl+cmd+power) and wait for the password to be displayed in less than 30 seconds!"
Frisk reported his findings to Apple in August, and the company fixed the issues in macOS 10.12.2, released on 13 December.
So Mac users need to update their devices to the latest version of the operating system to be safe.

New Hack: How to Bypass iPhone Passcode to Access Photos and Messages

Setting a passcode on your iPhone is the first line of defense to help prevent other people from accessing your personal details.
However, it's pretty easy for anyone with access to your iPhone to bypass the passcode protection (regardless of whether you configured Touch ID) and access your personal photos and messages.
A new critical security flaw discovered in iOS 8 and newer, including 10.2 beta 3, allows anyone to bypass iPhone's passcode and gain access to personal information using the benevolent nature of Apple's personal assistant Siri.
The security glitch has been discovered by EverythingApplePro and iDeviceHelps and now that they have gone public with a video demonstration, you can expect Apple to fix this issue in the next iOS beta version.
All an attacker needs is the phone number of the target's iPhone and access to the phone for a few minutes.
But what if you don't have the target's phone number? No worries. You can hold down the home button of the target's iPhone to activate Siri and simply ask "Who am I?" Siri will reply with the phone number it is using.
Here's How to bypass iPhone's Lockscreen:
Once you have the phone number, follow these simple steps to read personal messages and access personal photos on the target's iPhone:
Step 1: Now that you have the target's phone number, call his/her iPhone – starting a FaceTime call will also do.
Step 2: Now, the target's iPhone screen will show a message icon; tap the 'Message icon' and then 'Custom Message' to go to the New Message screen, where you are allowed to type a reply.
Step 3: Next, you need to activate Siri by long-pressing the Home button and say "Turn on VoiceOver," and Siri will get the job done by turning it ON.
Step 4: Go back to the message screen, double tap the bar where you are required to enter the caller's name, and then hold while immediately tapping the keyboard. This may not succeed the first time, so repeat this step until you see a slide-in effect on the iPhone's screen above the keyboard.
Step 5: Now, ask Siri to "Turn off VoiceOver," come back to messages and simply type in the first letter of a caller's name in the top bar, tap ⓘ icon next to it, and then create a new contact.
Step 6: Next, you can select add photo and choose a photo. Yes, now you are in and can look at the victim's photo gallery just like you are browsing the phone, even though the iPhone is still in the locked state.
Step 7: You can select any contact on the iPhone, and you would be able to see all previous conversations of the target with that contact.

Antivirus Firm Kaspersky launches Its Own Secure Operating System

The popular cyber security and antivirus company Kaspersky has unveiled its new hack-proof operating system: Kaspersky OS.
The new operating system has been in development for the last 14 years and was designed from scratch rather than relying on Linux.
Kaspersky OS makes its debut on a Kraftway Layer 3 Switch, CEO Eugene Kaspersky says in his blog post, without revealing many details about the new operating system.
The Layer 3 switch is the very first device running Kaspersky OS; it is designed for networks with extreme requirements for data security and aimed at critical infrastructure and Internet of Things (IoT) devices.
What's different about Kaspersky OS?
Kaspersky OS is based on a microkernel architecture: the new secure OS is built on a microkernel architecture that enables users to customize their own operating system accordingly.
So, depending on a user's specific requirements, Kaspersky OS can be assembled from different modification blocks of the operating system.
Kaspersky OS is non-Linux: Yes, one of the three major distinctive features of the new OS mentioned by Kaspersky is that the GUI-less operating system has been constructed from scratch and does not contain "even the slightest smell of Linux."
"All the popular operating systems are not designed with security in mind, so it is simpler and safer to start from the ground up and do everything correctly. Which is just what we did," says Kaspersky.
But what makes Kaspersky OS Hack-Proof?
It is the operating system's built-in security system. Kaspersky OS's built-in security system has the ability to control the behavior of applications and the OS modules.
Kaspersky claims the OS is practically unhackable, because to gain unauthorized access a hacker would need to break an account holder's digital signature, which is possible only with a quantum computer.
"In order to hack this platform a cyber-baddie would need to break the digital signature, which – anytime before the introduction of quantum computers – would be exorbitantly expensive," says Kaspersky.
Kaspersky talked about the recent DDoS attacks that affected numerous websites in the past few months, and guaranteed that Kaspersky OS would protect devices, such as industrial control systems (SCADA or ICS) and IoT devices, from cyber attacks.
The most severe one was the recent massive DDoS attack on Dyn's DNS servers, which knocked down popular sites like Amazon and Twitter. The attack was carried out by the Mirai botnet, which had infected smart devices like security cameras.
So, Kaspersky says it is mandatory to protect the IoT and other critical infrastructure (like industry, transport, and telecoms) from IT threats.
"I also hope it's clear that it's better – no matter how difficult – to build IoT/infrastructure devices from the very beginning in such a way that hacking them is practically impossible. Indeed, that is a fundamental goal with Kaspersky OS," he says.
More details about Kaspersky's secure operating system are coming soon. Stay tuned!

DNSChanger Malware is Back! Hijacking Routers to Target Every Connected Device

Next time you see an advertisement for your favorite pair of shoes on any website, even a legitimate one, just DO NOT CLICK ON IT.
...because that advertisement could infect you in such a way that not just your system, but every device connected to your network, would be affected.
A few days ago, we reported about a new exploit kit, dubbed Stegano, that hides malicious code in the pixels of banner advertisements rotating on several high profile news websites.
Now, researchers have discovered that attackers are targeting online users with an exploit kit called DNSChanger that is being distributed via advertisements that hide malicious code in image data.
Remember DNSChanger? Yes, the same malware that infected millions of computers across the world in 2012.
DNSChanger works by changing DNS server entries in infected computers to point to malicious servers under the control of the attackers, rather than the DNS servers provided by any ISP or organization.
So, whenever a user of an infected system looks up a website on the Internet (say, facebook.com), the malicious DNS server sends them to, say, a phishing site. Attackers could also inject ads, redirect search results, or attempt to install drive-by downloads.
The most worrisome part is that hackers have combined both threats in their recent widespread malvertising campaign, where DNSChanger malware is being spread using the Stegano technique, and once it hits your system, instead of infecting your PC, it takes control of your unsecured router.
Researchers at Proofpoint have discovered this unique DNSChanger exploit kit targeting more than 166 router models. The kit is unique because the malware in it does not target browsers, but rather routers that run unpatched firmware or are secured with weak admin passwords.
Here's How the Attack Works:
First, the ads on mainstream websites hiding malicious code in image data redirect victims to web pages hosting the DNSChanger exploit kit. The exploit kit then targets unsecured routers.
Once the router is compromised, the DNSChanger malware configures it to use an attacker-controlled DNS server, causing most computers and devices on the network to visit malicious servers rather than those corresponding to the official domain.
The ads contain malicious JavaScript code that reveals a user's local IP address by triggering a WebRTC (a web communication protocol) request to a Mozilla STUN (Session Traversal Utilities for NAT) server.
The STUN server then sends a reply back containing the IP address and port of the client. If the target's IP address is within a targeted range, the target receives a fake ad hiding exploit code in the metadata of a PNG image.
The malicious code eventually redirects the visitor to a web page hosting DNSChanger, which, in the Chrome browser on Windows and Android, serves a second image concealing the router exploit code.
"This attack is determined by the particular router model that is detected during the reconnaissance phase," a Proofpoint researcher wrote in a blog post. "If there is no known exploit, the attack will attempt to use default credentials."
List of Routers Affected
The attack then cloaks its traffic and compares the accessed router against 166 fingerprints used to determine whether the target is using a vulnerable router model. According to the researchers, some of the vulnerable routers include:
D-Link DSL-2740R
NetGear WNDR3400v3 (and likely other models in this series)
Netgear R6200
COMTREND ADSL Router CT-5367 C01_R12
Pirelli ADSL2/2+ Wireless Router P.DGA4001N
It is not yet clear how many people have been exposed to the malicious ads or how long the campaign has been running, but Proofpoint said the attackers behind the campaign have previously been responsible for infecting more than 1 million people a day.
Proofpoint did not disclose the name of any ad network or website displaying the malicious advertisements.
Users are advised to ensure that their routers are running the latest version of the firmware and are protected with a strong password. They can also disable remote administration, change the router's default local IP address, and hardcode a trusted DNS server into the operating system's network settings.
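As an added illustration of the defensive advice above (example code written for this page, not Proofpoint's tooling), the following Python audits the nameservers a host has been handed against a trusted allow list, which is exactly what a DNSChanger-style router compromise changes, and compares answers from the configured resolver with those from a reference resolver. All resolver addresses, domain names and answers are constructed sample data, and the helper names are hypothetical.

```python
"""Detect DNSChanger-style resolver hijacking from a host's DNS settings.

DNSChanger rewrites the router's DNS configuration so that every device on the
LAN is handed an attacker-controlled resolver via DHCP. Two offline checks:
  1. the resolver list the host received contains a public address that is
     not on the organisation's allow list;
  2. answers from the configured resolver share no address with answers from
     a trusted reference resolver for the same name.
Everything below is constructed sample data; the helpers are hypothetical.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed allow list: the ISP/organisation resolver plus chosen public ones.
TRUSTED_RESOLVERS = {
    ipaddress.ip_address("198.51.100.53"),  # constructed "ISP resolver"
    ipaddress.ip_address("9.9.9.9"),
    ipaddress.ip_address("1.1.1.1"),
}

# Ranges where a resolver is normally the local gateway itself. Listed
# explicitly rather than via is_private so documentation ranges such as
# 203.0.113.0/24 are not mistaken for LAN addresses.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "fe80::/10", "fc00::/7", "::1/128",
)]

# Constructed resolv.conf as handed out by a hijacked router over DHCP.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP
search home.example
nameserver 192.168.1.1
nameserver 203.0.113.45
nameserver 9.9.9.9
"""


def parse_nameservers(text: str) -> List[ipaddress._BaseAddress]:
    """Return nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # malformed address: ignore, do not crash the audit
    return servers


def classify_resolver(addr, trusted=TRUSTED_RESOLVERS) -> str:
    """Classify one resolver address.

    'trusted'       explicitly allow-listed
    'local-gateway' LAN/link-local/loopback address, usually the router itself;
                    only safe if the router's own upstream DNS is verified
    'untrusted'     public address not on the allow list: the DNSChanger signature
    """
    ip = ipaddress.ip_address(addr)
    if ip in trusted:
        return "trusted"
    if any(ip in net for net in LOCAL_NETWORKS):  # version mismatch -> False
        return "local-gateway"
    return "untrusted"


def audit_resolvers(text: str, trusted=TRUSTED_RESOLVERS) -> List[Tuple[str, str]]:
    """Return (address, verdict) for every configured nameserver."""
    return [(str(a), classify_resolver(a, trusted)) for a in parse_nameservers(text)]


def find_hijacked_answers(configured: Dict[str, List[str]],
                          reference: Dict[str, List[str]]) -> List[str]:
    """Names whose configured-resolver answer shares no address with the
    reference resolver's answer. CDNs legitimately vary answers, so a
    mismatch is a lead to investigate, not proof on its own."""
    suspicious = []
    for name, answers in configured.items():
        expected = set(reference.get(name, []))
        if expected and not expected.intersection(answers):
            suspicious.append(name)
    return sorted(suspicious)


# Constructed answers: DHCP-supplied resolver vs. a trusted reference resolver.
CONFIGURED_ANSWERS = {
    "bank.example": ["203.0.113.45"],   # redirected to the attacker's host
    "news.example": ["198.51.100.20"],  # untouched
    "mail.example": ["203.0.113.45"],   # redirected
}
REFERENCE_ANSWERS = {
    "bank.example": ["198.51.100.10", "198.51.100.11"],
    "news.example": ["198.51.100.20"],
    "mail.example": ["198.51.100.30"],
}

if __name__ == "__main__":
    for addr, verdict in audit_resolvers(SAMPLE_RESOLV_CONF):
        print(f"{addr:>16}  {verdict}")
    print("suspicious names:", find_hijacked_answers(CONFIGURED_ANSWERS, REFERENCE_ANSWERS))
```

A "local-gateway" verdict is not a clean bill of health: a router the malware has reconfigured still answers from 192.168.1.1, so the second check (or an inspection of the router's own upstream DNS setting) is what catches that case.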

Sunday, 18 December 2016

FBI Most Wanted Fugitive JPMorgan Hacker Arrested in New York

One of the FBI's most wanted hackers who was behind the largest theft of financial data has finally been arrested at the JFK airport in New York.
Joshua Samuel Aaron is accused of being part of a hacking group that attacked several major financial institutions, including JPMorgan Chase, in what officials called "the largest theft of user data from a U.S. financial institution in history."
Aaron was believed to have been living as a fugitive in Moscow, Russia, after being charged in 2015 with hacking crimes that exposed the personal information of more than 100 Million people.
In June 2015, a federal arrest warrant was issued for Aaron by the United States District Court, and FBI and US Secret Service agents arrested him upon his arrival at JFK airport in New York, the US Department of Justice announced.
"Aaron allegedly worked to hack into the networks of dozens of American companies, ultimately leading to the largest theft of personal information from US financial institutions ever," said Manhattan US Attorney Preet Bharara.
"For pursuing what we have called ‘hacking as a business model,’ and thanks to the efforts of the FBI and the US Secret Service, Aaron will now join his co-defendants to face justice in a Manhattan federal courtroom."
In 2015, the US Court of the Southern District of New York charged three men -- Gery Shalon, Ziv Orenstein, and Joshua Samuel Aaron -- with 23 counts, including hacking, identity theft, securities fraud, and money laundering, among others.
All three hackers were accused of running an illegal payment processing business that they used to steal $18 Million (£14.3 Million) from victims.
The three of them also hacked into a credit card company that was investigating their payment processing business, in an effort to avoid detection.
Shalon and Orenstein were arrested in Israel in July 2015 and were extradited to the United States in June 2016.
Aaron is scheduled to appear in a Manhattan court on Thursday, according to the US authorities.

New Kickass Torrents Site is Back Online by Original Staffers

KickassTorrents is back from the dead!

Back in July, the world's largest and most notorious BitTorrent distribution site KickassTorrents (KAT) with millions of unique daily visitors was shut down by the U.S. authorities following the arrest of its alleged owner Artem Vaulin.

Shortly after the shutdown, a group of devoted original KAT staffers launched the Katcr.co forum in hopes of bringing KickassTorrents back to its former glory in the near future.

Now, Katcr.co has launched a fully operational torrent website, which looks identical to the original Kickass Torrents (KAT) portal, TorrentFreak reports.

Note: In case the new KickassTorrents website does not immediately load, give it a few tries, as the site is experiencing a massive surge in traffic.

Launched today and located at KATcr.co/new, the new Kickass Torrents site starts with a clean user database while many members of the original staff are back on board, including its dedicated uploaders.

Here's what the KATcr team said on the site's launch:

"We have all our major uploaders on board, and they continued to share tirelessly even before the torrent engines returned. The torrent community can continue to expect to see uploads from all the names they know and trust."


Meanwhile, in separate news, the Federal Court of Australia has ordered Internet service providers (ISPs) to block access to 5 torrent websites, including The Pirate Bay, Torrentz, TorrentHound, IsoHunt, and SolarMovie, within the next 15 days.

Following the shutdown of the original KickassTorrents portal earlier this year, several mirror sites came up online, claiming to be the real reincarnation.

However, in reality, many of those mirrors are malicious copycats that target unsuspecting pirates and attempt to steal their personal information and credit card credentials.

The KATcr team behind the new katcr.co/new site promises that the pirates are safe and secure at its new portal.

"In order to keep our members safe we chose to rebuild and keep only safe elements. Despite the fact that a rebuild took longer, the safety of our community comes first," one of the team members told TorrentFreak.


The KATcr crew members also believe that the original operators of the KickassTorrents website will walk free.

1-Billion Yahoo Users' Database Reportedly Sold For $300,000 On Dark Web


Recently Yahoo disclosed a massive three-year-old data breach that exposed personal details associated with more than 1 Billion user accounts, said to be the largest data breach of any company ever.

The new development in Yahoo!'s 2013 data breach is that the hacker sold the database of over 1 Billion users on the Dark Web last August for $300,000, according to Andrew Komarov, Chief Intelligence Officer (CIO) at security firm InfoArmor.

Komarov told the New York Times that three different buyers, two of them "prominent spammers" and a third believed to be involved in espionage, paid $300,000 to gain control of the entire database.

The hacker group that breached Yahoo and sold the database is believed to be based in Eastern Europe, but the company still does not know whether this information is accurate.

Besides full names, passwords, dates of birth and phone numbers of 1 Million Yahoo users, the database also includes backup email addresses and, in some cases, unencrypted security questions and answers that could provide quick access to users' accounts via the password reset option.

The database is still up for sale, though its price is believed to have dropped substantially after Yahoo went public with the data breach announcement and triggered a password reset. Interested buyers might now have to pay $20,000 for the full Yahoo database.

Komarov also said his company obtained a copy of the Yahoo database earlier this year, and got in touch with the law enforcement authorities in the United States and other countries in the European Union, Canada, and Australia.

Komarov said his company did not go to Yahoo directly "because the internet giant was dismissive of the security firm when approached by an intermediary," adding that he didn't trust Yahoo to investigate the data breach thoroughly.

"Personal information and contacts, e-mail messages, objects of interest, calendars and travel plans are key elements for intelligence-gathering in the right hands," Komarov was quoted as saying.


"The difference of Yahoo hack between any other hack is in that it may really destroy your privacy, and potentially have already destroyed it several years ago without your knowledge."


Yahoo users are strongly recommended to reset their passwords and invalidate affected security questions as soon as possible.

Also, in case you are using the same password and security question answers somewhere else, change them too, urgently.
