A sophisticated and stealthy attack campaign is hijacking home internet connections by compromising vulnerable routers and redirecting user traffic through a network of malicious DNS resolvers operated by Aeza International, a hosting firm previously sanctioned by the U.S. government. This “shadow” network allows threat actors to manipulate where users go online, potentially steering them toward fraudulent websites and scams.
Infoblox analysts uncovered this widespread operation after observing anomalous DNS patterns correlating with user reports of erratic internet behavior. The campaign primarily targets older router models, effectively undermining the trust and security of the entire home network. While users often blame their devices for issues like inaccessible Google Sheets or persistent browser redirects, the root cause lies in their compromised routers.
The Silent Redirection of Internet Traffic
Instead of using the legitimate DNS servers of the internet service provider (ISP), the infected routers are configured to send all of the household's DNS queries to malicious resolvers. These resolvers, hosted by Aeza International, can selectively alter which websites users reach. The attackers often avoid redirecting traffic to universally popular sites like Google, which could quickly raise suspicion.
However, specific targets trigger a more complex redirection process. This involves a secondary HTTP-based Traffic Distribution System (TDS) that first fingerprints the victim’s device. Only after this device identification does the TDS deliver the final malicious payload, a sophisticated method for ensuring the attack’s effectiveness and evasion.
The EDNS0 Evasion Technique for Shadow DNS
The technical ingenuity behind this campaign lies in its highly effective evasion method. Security researchers initially struggled to replicate the malicious DNS responses because the rogue servers would not respond to standard queries. The breakthrough came when analysts discovered that these shadow resolvers only answered queries in which the Extension Mechanisms for DNS (EDNS0) had been explicitly disabled.
EDNS0 is a standard protocol extension used by virtually all modern, legitimate DNS resolvers. It enables larger packet sizes and incorporates security features, making it a cornerstone of contemporary internet infrastructure. Crucially, standard security scanning tools automatically include EDNS0 in their queries, rendering the attackers’ infrastructure invisible to automated detection and most security researchers.
By configuring their servers to ignore queries that included EDNS0, the attackers effectively created a blind spot. This allowed the malicious network to operate undetected for years, serving correct IP addresses to researchers while delivering hijacked responses to actual victims. These victims were likely using older, non-compliant equipment or had specific configurations that inadvertently allowed the shadow DNS attack to succeed.
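To make the evasion concrete, here is an added audit helper, written for this article rather than taken from Infoblox's tooling or from the campaign, that sends the same A query to a resolver twice, once with an EDNS0 OPT record and once without, and flags a resolver that stays silent on the EDNS0 form or answers the two forms with different addresses. The resolver address and the queried name passed to `probe` are the reader's own assumptions; the test-net addresses used to exercise the parser are constructed.

```python
import socket
import struct

def build_query(name, qid=0x1234, edns0=True):
    # Hypothetical audit helper (not Infoblox's tooling): minimal A/IN query; ARCOUNT=1 only with EDNS0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns0 else 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0) if edns0 else b""  # OPT RR (RFC 6891): root, TYPE 41, UDP size, TTL, RDLEN
    return header + question + opt

def _skip_name(pkt, off):
    # Advance past a domain name, honouring RFC 1035 compression pointers
    while (pkt[off] & 0xC0) != 0xC0:
        if pkt[off] == 0:
            return off + 1
        off += pkt[off] + 1
    return off + 2  # a pointer is two bytes and ends the name

def parse_a_records(pkt):
    # IPv4 addresses in the answer section, as a set so round-robin order is ignored
    _qid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd): off = _skip_name(pkt, off) + 4  # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.add(".".join(str(b) for b in pkt[off:off + 4]))
        off += rdlen
    return addrs

def probe(resolver, name, timeout=2.0):
    # Ask the same question twice, with and without EDNS0; None records a missing reply
    results = {}
    for edns0 in (True, False):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.sendto(build_query(name, edns0=edns0), (resolver, 53))
                results[edns0] = parse_a_records(sock.recv(4096))
            except OSError:  # timeout or ICMP port unreachable
                results[edns0] = None
    return results

def looks_like_shadow_resolver(results):
    # Silence on the EDNS0 query, or a different address set, matches the evasion above
    return results[True] != results[False]
```

Run it as `looks_like_shadow_resolver(probe("<your router's DNS address>", "example.com"))`; a legitimate resolver answers both forms with the same address set.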
The implications of this shadow DNS attack are significant, impacting the privacy and security of countless home internet users. The ability to selectively redirect traffic opens the door to a wide range of malicious activities beyond simple scams, including the potential for mass surveillance and the dissemination of misinformation.
To mitigate this threat, experts strongly recommend that users audit their router configurations for any unauthorized DNS settings. Keeping router firmware updated to the latest versions is a critical step in patching vulnerabilities that attackers exploit. Furthermore, replacing obsolete hardware that no longer receives security patches is essential to prevent initial compromise and maintain a secure home network environment.
The ongoing nature of this campaign suggests that threat actors will continue to adapt their techniques. Users and security professionals will need to remain vigilant, monitoring for new evasion methods and ensuring robust security practices are in place to protect against evolving cyber threats targeting the fundamental infrastructure of internet access.