D-Link: D-Link Router Command Injection Vulnerability Actively Exploited in the Wild

D-Link Routers Targeted in Long-Running DNS Hijacking Campaign

D-Link has confirmed critical command injection vulnerabilities in multiple router models that let a remote attacker change the device's DNS settings without logging in. These flaws, exploited since at least 2016, allow threat actors to redirect user traffic to malicious infrastructure, facilitating malware distribution, phishing, and traffic interception.

Security researchers have tracked ongoing exploitation campaigns targeting home and enterprise networks across multiple continents. The vulnerabilities stem from improper input validation in the routers' web interfaces, which lets an attacker alter the DNS configuration persistently; because the router hands its configured resolvers to every device behind it, a single changed setting redirects all clients on that network. A large-scale malvertising campaign first reported in December 2016 affected at least 166 router models, including D-Link devices, by redirecting users to malicious ad servers and phishing sites.

By April 2019, threat intelligence teams had observed sustained attacks against D-Link routers over three consecutive months. Attackers hosted their infrastructure on Google Cloud Platform to deploy a DNSChanger malware variant, automating exploitation at scale; publicly available exploit code further lowered the bar for copycat campaigns.

Affected Models and Regions:

  • DSL-2740R (Rev. A, Europe) – Firmware EU v1.15 and older (EDB-35917)
  • DSL-2640B (Rev. T, Malaysia) – Firmware GE v1.07 and older (EDB-42197)
  • DSL-2780B (Rev. A, AU/NZ/EU) – Firmware v1.01.14 and older (EDB-37237)
  • DSL-526B (Rev. B, Australia) – Firmware AU v2.01 and older (EDB-37241)

These models are primarily deployed outside the U.S. through regional carriers with custom firmware. D-Link advises users to perform a factory reset, set a unique admin password, and manually configure DNS settings using trusted providers such as Google DNS (8.8.8.8) or Cloudflare (1.1.1.1). Note that a factory reset only removes the attacker's resolver entries; it does not close the underlying injection flaw, so an unpatched device can simply be re-hijacked. Official firmware patches should be obtained through the regional carrier that shipped the device.
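The two root causes the advisory names (no authentication on the DNS-settings endpoint, and unvalidated values reaching a shell) are easiest to see side by side. The following is an added example and not D-Link firmware code: a toy request handler in the vulnerable shape, then a hardened version that requires a session, accepts only IPv4 literals, and hands the resolvers to the setter as an argv list instead of a shell string. The parameter names `dns_primary`/`dns_secondary`, the `session` cookie, the session store and the `/sbin/setdns` helper are all assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed session store; a real device keeps this inside its web server.
VALID_SESSIONS = {"s3ss10n-0k"}


@dataclass
class Request:
    """Minimal stand-in for a parsed HTTP request to the router's web UI."""
    params: dict                                   # decoded query/form fields
    cookies: dict = field(default_factory=dict)
    remote_addr: str = "0.0.0.0"


def vulnerable_dns_handler(req: Request) -> str:
    """Root-cause pattern: no authentication check, and attacker-controlled
    fields spliced straight into a shell command line.  /sbin/setdns is a
    hypothetical helper; the returned string is what such a handler would
    pass to system(), so '8.8.8.8;reboot' becomes a second command."""
    primary = req.params.get("dns_primary", "")
    secondary = req.params.get("dns_secondary", "")
    return f"/sbin/setdns {primary} {secondary}"


def validate_resolver(value: str) -> str:
    """Accept only a plain, usable IPv4 literal.  Shell metacharacters,
    hostnames, empty strings and IPv6 all raise ValueError."""
    try:
        addr = ipaddress.IPv4Address(value)
    except ValueError as exc:          # AddressValueError is a ValueError
        raise ValueError(f"not an IPv4 literal: {value!r}") from exc
    if addr.is_unspecified or addr.is_loopback or addr.is_multicast or addr.is_reserved:
        raise ValueError(f"unusable resolver address: {value}")
    return str(addr)


def hardened_dns_handler(req: Request, audit: List[str]) -> Optional[List[str]]:
    """Require a valid session, strictly validate both resolvers, and return
    an argv list to be run without a shell (e.g. subprocess.run(argv)).
    Every rejection is appended to `audit`, so exploitation attempts against
    the endpoint are visible instead of silently failing."""
    if req.cookies.get("session") not in VALID_SESSIONS:
        audit.append(
            f"DENY unauthenticated DNS change from {req.remote_addr} params={req.params}"
        )
        return None
    try:
        primary = validate_resolver(req.params.get("dns_primary", ""))
        secondary = validate_resolver(req.params.get("dns_secondary", ""))
    except ValueError as exc:
        audit.append(f"DENY invalid DNS value from {req.remote_addr}: {exc}")
        return None
    return ["/sbin/setdns", primary, secondary]


if __name__ == "__main__":
    # Constructed requests: one anonymous, one with a session but a payload.
    attack = Request({"dns_primary": "8.8.8.8;reboot", "dns_secondary": "8.8.4.4"},
                     remote_addr="203.0.113.7")
    print("vulnerable handler would run:", vulnerable_dns_handler(attack))
    log: List[str] = []
    print("hardened, no session:", hardened_dns_handler(attack, log))
    attack.cookies["session"] = "s3ss10n-0k"
    print("hardened, with session:", hardened_dns_handler(attack, log))
    good = Request({"dns_primary": "1.1.1.1", "dns_secondary": "1.0.0.1"},
                   cookies={"session": "s3ss10n-0k"})
    print("hardened, valid request:", hardened_dns_handler(good, log))
    print("\n".join(log))
```

The validator is deliberately stricter than "looks like an IP": it rejects anything `ipaddress` cannot parse as a bare dotted quad, so a hostname or a value with `;`, `|` or `$(...)` never reaches the setter, and the argv form means even a surviving metacharacter is just an argument, not a command. Routing every rejection through the audit list is what turns the same check into a detection signal for the campaigns described above.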

Source: https://cybersecuritynews.com/d-link-router-command-injection-vulnerability/amp/

D-Link cybersecurity rating report: https://www.rankiteo.com/company/dlink-corp

"id": "DLI1767786327",
"linkid": "dlink-corp",
"type": "Vulnerability",
"date": "4/2019",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Home users and enterprise '
                                              'networks across multiple '
                                              'continents',
                        'industry': 'Networking Hardware',
                        'location': 'International',
                        'name': 'D-Link',
                        'type': 'Technology Manufacturer'}],
 'attack_vector': 'Unauthenticated web interface',
 'customer_advisories': 'Perform factory resets, establish unique '
                        'administrative passwords, and manually configure DNS '
                        'settings using trusted providers. Contact regional '
                        'carriers for firmware patches.',
 'data_breach': {'personally_identifiable_information': 'Potentially exposed '
                                                        'due to traffic '
                                                        'interception',
                 'sensitivity_of_data': 'High (traffic interception)',
                 'type_of_data_compromised': 'User traffic data'},
 'date_detected': '2016-12-01',
 'description': 'D-Link has confirmed unauthenticated command injection '
                'vulnerabilities affecting multiple router models deployed '
                'internationally. Active exploitation campaigns using DNS '
                'hijacking have been documented since late 2016, with threat '
                'actors continuing malicious activities through 2019 and '
                'beyond. The vulnerabilities allow attackers to change Domain '
                'Name Server settings without authentication, redirecting user '
                'traffic to malicious infrastructure.',
 'impact': {'brand_reputation_impact': 'Significant risk due to persistent '
                                       'control over compromised routers',
            'identity_theft_risk': 'High due to traffic interception',
            'operational_impact': 'Traffic redirection to malicious '
                                  'infrastructure',
            'payment_information_risk': 'High due to traffic interception',
            'systems_affected': 'Multiple D-Link router models'},
 'initial_access_broker': {'backdoors_established': 'DNS configuration '
                                                    'modification',
                           'entry_point': 'Unauthenticated web interface'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Importance of input validation in web interfaces and '
                    'secure DNS configuration to prevent hijacking.',
 'motivation': ['Malware distribution', 'Traffic interception', 'Phishing'],
 'post_incident_analysis': {'corrective_actions': ['Firmware patches',
                                                   'Secure DNS configuration',
                                                   'Enhanced input validation'],
                            'root_causes': ['Lack of input validation in web '
                                            'configuration interfaces',
                                            'Unauthenticated access to '
                                            'critical network settings']},
 'recommendations': ['Perform factory resets on affected routers',
                     'Establish unique administrative passwords',
                     'Manually configure DNS settings using trusted providers '
                     '(e.g., Google DNS or Cloudflare DNS)',
                     'Contact regional carriers for official firmware patches',
                     'Monitor for ongoing exploitation campaigns'],
 'references': [{'source': 'Exploit-DB',
                 'url': 'https://www.exploit-db.com/exploits/35917'},
                {'source': 'Exploit-DB',
                 'url': 'https://www.exploit-db.com/exploits/42197'},
                {'source': 'Exploit-DB',
                 'url': 'https://www.exploit-db.com/exploits/37237'},
                {'source': 'Exploit-DB',
                 'url': 'https://www.exploit-db.com/exploits/37241'}],
 'response': {'communication_strategy': 'Public advisories via Google News, '
                                        'LinkedIn, and X',
              'containment_measures': ['Factory resets',
                                       'Unique administrative passwords',
                                       'Manual DNS configuration using trusted '
                                       'providers'],
              'remediation_measures': ['Official firmware patches from '
                                       'regional carriers',
                                       'Manual DNS configuration']},
 'stakeholder_advisories': 'Follow D-Link on Google News, LinkedIn, and X for '
                           'updates.',
 'title': 'D-Link Router Unauthenticated Command Injection and DNS Hijacking '
          'Vulnerabilities',
 'type': ['DNS Hijacking', 'Unauthenticated Command Injection'],
 'vulnerability_exploited': ['Lack of input validation in web configuration '
                             'interfaces',
                             'Unauthenticated DNS modification']}