Find DNS Changes Performed by Cyber Attack
The COVID-19 crisis has also given people with ill intent more ammunition. People have reported a new type of cyber attack which targets DNS settings to make web browsers display alerts for a fake COVID-19 information app from the World Health Organization. The attackers are known to use 220.127.116.11 and 18.104.22.168 as DNS settings. Computers connecting to routers using these settings will then also utilize these settings and will be prompted through misuse of the Microsoft NCSI feature which will redirect to a website under the attacker's control instead of the usual Microsoft website. Users will be prompted to download a COVID-19 app which actually is a Oski information-stealing Trojan.
To detect whether users are affected by this cyber attack, the audit below shows Windows computers who have one of the specified IP's in their DNS settings. Once detected, you can take action, revert the DNS changes and review your network security as it is most likely compromised.
DNS Hack Query
Select Top 1000000 tblAssets.AssetID, tblAssets.AssetName, tblAssets.Domain, tblAssets.Username, tblAssets.Userdomain, Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As icon, tblAssets.IPAddress, tblAssetCustom.Manufacturer, tblAssetCustom.Model, tsysOS.OSname As OS, tblAssets.SP, tblAssets.Lastseen, tblAssets.Lasttried, tblNetwork.DNSServerSearchOrder As DNSserver, tblNetwork.IPAddress As NetworkIPAddress, tblNetwork.IPSubnet, tblNetwork.Lastchanged From tblAssets Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID Left Join tsysOS On tblAssets.OScode = tsysOS.OScode Inner Join tsysIPLocations On tsysIPLocations.LocationID = tblAssets.LocationID Inner Join tblState On tblState.State = tblAssetCustom.State Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype Inner Join tblNetwork On tblAssets.AssetID = tblNetwork.AssetID Where tblState.Statename = 'Active' And tblNetwork.IPAddress <> '0.0.0.0' And tblNetwork.IPAddress <> '' And tblNetwork.IPEnabled = 'True' And tblNetwork.DNSServerSearchOrder Like '%22.214.171.124%' Or tblNetwork.DNSServerSearchOrder Like '%126.96.36.199%' Order By tblAssets.AssetName, tblAssets.Domain, DNSserver