Unauthenticated Remote DNS Change Vulnerability (DNSChanger): DSL-2740R (fixed) and non-European DSL routers
08 април, 2019
Overview
The following was originally posted by D-Link in Dec. 2016. This announcement has been updated for the latest information published on April 4, 2019 regarding DNSChanger Malware.
Tom’s Guide article published a report in Dec. 2016 discussing “a new malvertising campaign attacking at least 166 models from multiple manufacturers.”
There's evidence that the malware targets 166 distinct router models, but only a handful can be identified. In the original report D-Link DSL-2740R was identified and a patch were offered.
D-Link has been made aware of a new post by a 3rd party expanding the scope and additionally accusing D-Link DSL-2640B, D-Link DSL-2780B, and D-Link DSL-526B routers which are not sold in Europe with the accused firmware versions.
Accreditation and Coordination
(12/2016) : http://www.tomsguide.com/us/malvertising-router-attack,news-24034.html
Additional internet news posts from 2016 includes:
- https://www.tomsguide.com/us/dlink-routers-hack-attack,news-29816.html
- https://www.bleepingcomputer.com/news/security/malvertising-campaign-infects-your-router-instead-of-your-browser/
- https://www.onthewire.io/new-malvertising-campaign-exploits-home-routers-changes-dns-entries/
- https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices
(04/04/2018) :https://badpackets.net/ongoing-dns-hijacking-campaign-targeting-consumer-routers/
badpackets.net/author/badpackets/
Exploit-DB:
DSL-2640B / Hardware Rev. T1 / Firmware GE_1.07 / Non-US : Link
DSL-2740R / Hardware Rev. Ax / Firmware EU_1.15 / Non-US : Link
DSL-2780B / Hardware Rev. Ax / Firmware DLINK_1.01.14 / Non-US : Link
DSL-526B / Hardware Rev. Bx / Firmware AU_2.01 / Non-US : Link
Additional internet news posts from 2019 includes:
https://www.zdnet.com/article/hacker-group-has-been-hijacking-dns-traffic-on-d-link-routers-for-three-months/
https://arstechnica.com/information-technology/2019/04/ongoing-dns-hijackings-target-unpatched-consumer-routers/
https://threatpost.com/hackers-abuse-google-cloud-platform-to-attack-d-link-routers/143492/
https://www.forbes.com/sites/kateoflahertyuk/2019/04/05/hackers-are-targeting-d-link-home-routers-heres-how-to-secure-yours/#10e7e41b2cb0
Affected Product Models and Patches:
DSL-2740R, which was available in Europe, was patched accordingly when it was identified to be vulnerable in 2015. The newly accused products are deployed with firmware that is not offered in Europe. In addition, some of these models are deployed directly from carriers with certified and unique configurations.
If you have received your device from your carrier please contact them directly for patches. It is recommended to contact your regional D-Link Customer Care for specific fixes. Using firmware that is not intended for your region or carrier is at your own risk and may disable the device.
| Model | Hardware Revision | Region | Affected FW | Fixed FW | Last Updated |
| DSL-526B | All Revision B | Australia | AU v2.01 and older (lower) | Under Investigation |
05/04/2019 |
| DSL-2640B | All Revision T | Malaysia | GE v1.07 and older (lower) | Under Investigation |
05/04/2019 |
| DSL-2740R | All Revision A | Europe | EU v1.15 and older (lower) | 1.17 |
01/2015 |
| DSL-2780B | All Revision A | AU/NZ | v1.01.14 and older (lower) | Under Investigation | 05/04/2019 |
Options for D-Link Routers and Gateways that are no longer supported or are under investigation :
1. Contact your DSL Service Provider or Regional D-Link Customer Care for latest information and patches.
2. Factory-Reset the device through its web-configuration interface at http://192.168.0.1, set a new unique password, and complete setup for your DSL carrier.
3. Modify the device through its web-configuration interface at http://192.168.0.1, and manually set Domain Name Server (DNS) values (instructions can be found in the devices User Manuals Here):
- Google DNS : 8.8.8.8 or 8.8.4.4
- Cloudflare DNS: 1.1.1.1
Regarding Security patch for your D-Link Devices
Firmware updates address the security vulnerabilities of affected D-Link devices. D-Link will update this, when applicable, and we strongly recommend all users install the relevant updates.
As there are different hardware revisions of our products, please check your device before downloading the corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, it can also be found on the device web configuration.