Cyber Incident Victim: Estadão
Date: Sep 2014
Location: Brazil
Summary
Attackers compromised a Brazilian newspaper's website by injecting malicious iFrames that executed JavaScript targeting readers' home routers. The script brute-forced default administrative credentials on vulnerable devices in order to alter their DNS configuration, focusing on common local IP addresses and relying on Internet Explorer-specific behaviour. Malicious content was loaded from external domains, with the aim of changing router DNS settings and potentially enabling broader manipulation of the victim's network traffic. The incident highlighted the use of legitimate website platforms to distribute attacks against consumer infrastructure.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In September 2014, attackers compromised the website of Brazilian newspaper Politica Estadao by implanting malicious iFrames into its pages. When visitors loaded the compromised site, these iFrames executed JavaScript that launched brute-force password-guessing attacks against the visitors' home routers. The scripts first attempted to identify the local IP address of the user's computer and then systematically tried router addresses within common local network ranges, including 192.168.0.1 and 192.167.1.1.

The scripts targeted routers using default administrative usernames such as "admin," "root," and "gvt," together with the common default passwords associated with those usernames. The payload was written specifically for Internet Explorer, relying on behaviour of that browser to carry out the attack. Malicious content was loaded from three external domains, including laspeores.com.ar, which researchers assessed as likely compromised rather than attacker-owned.

The primary objective of the brute-force attempts was to gain administrative access to routers and alter their DNS settings. This technique represented an evolution in malware distribution, using a trusted website as the vector for compromising devices beyond the browser itself. Security researcher Fioravante Souza of Sucuri discovered and documented the attack, noting its systematic approach to credential guessing. The incident highlighted how attackers could weaponize legitimate media platforms to target infrastructure beyond the immediate website.

The attack's success relied heavily on victims' failure to change the default credentials on their home routers, leaving the devices open to trivial password guessing. By altering DNS configurations on compromised routers, attackers could redirect users to malicious sites without their knowledge, enabling broader surveillance or follow-on exploits. The malicious JavaScript tried multiple username and password combinations in rapid succession against the routers' administrative interfaces. While the exact number of compromised routers remained undetermined, the attack demonstrated scalability through automation against predictable local network configurations.

Souza characterized the incident as part of a growing trend in which websites serve as initial infection points for attacks against peripheral devices. No specific containment measures by Politica Estadao were detailed in available reports, but the attack methodology pointed to countermeasures such as changing default router credentials. The researcher noted that disabling JavaScript or using script-blocking browser extensions could mitigate similar threats. The incident underscored routers as critical attack surfaces because of widespread default-credential use and their position as network gatekeepers. Security analysts observed that such attacks would likely persist given the low technical barrier and the high potential impact of a successful router compromise.
