On December 29, 2018, the first wave of attacks was launched with the goal of redirecting D-Link DSL-2640B, D-Link DSL-2740R, D-Link DSL-2780B and D-Link DSL-526B modems to a rogue DNS server hosted in Canada. The second wave of attacks, launched on February 6, 2019, also targeted these same types of D-Link modems.
On March 26th, the third attack targeted ARG-W4 ADSL, DSLink 260E, Secutech and TOTOLINK routers.
Although it is not possible to say exactly how many routers are affected, researchers estimate that more than 14,000 D-Link DSL-2640B routers and 2,265 TOTOLINK routers are exposed on the public internet. The researchers also did not specify how the attacker compromised the routers. However, they pointed out that in the past few years DNSChanger malware has been prolific, providing cybercriminals with $14 million in revenue.
Studies have shown that the above attacks were launched from hosts on the Google Cloud platform. The attacker first used Google's cloud service features to scan for vulnerable routers that could be exploited. They then used Google's platform to remotely reconfigure the routers to use their own DNS server.
Researchers say the platform is vulnerable to abuse: anyone with a Google account can easily access Google Cloud Shell, a service that provides users with the equivalent of a Linux VPS (Virtual Private Server) with root privileges, accessible from a web browser.
“As a large cloud service provider, dealing with abuse is an ongoing process for Google,” said researcher Mursch. “However, unlike competitors, Google makes it easy for criminals to abuse their platforms.”