COVID-19 DNS Hack Audit

Find DNS Changes Performed by Cyber Attack

The COVID-19 crisis has also given people with ill intent more ammunition. People have reported a new type of cyber attack which targets DNS settings to make web browsers display alerts for a fake COVID-19 information app from the World Health Organization. The attackers are known to use 109.234.35.230 and 94.103.82.249 as DNS settings. Computers connecting to routers using these settings will then also utilize these settings and will be prompted through misuse of the Microsoft NCSI feature which will redirect to a website under the attacker's control instead of the usual Microsoft website. Users will be prompted to download a COVID-19 app which actually is a Oski information-stealing Trojan.

To detect whether users are affected by this cyber attack, the audit below shows Windows computers who have one of the specified IP's in their DNS settings. Once detected, you can take action, revert the DNS changes and review your network security as it is most likely compromised.

DNS Hack Audit

 

DNS Hack Query

Select Top 1000000 tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblAssets.Username,
  tblAssets.Userdomain,
  Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As icon,
  tblAssets.IPAddress,
  tblAssetCustom.Manufacturer,
  tblAssetCustom.Model,
  tsysOS.OSname As OS,
  tblAssets.SP,
  tblAssets.Lastseen,
  tblAssets.Lasttried,
  tblNetwork.DNSServerSearchOrder As DNSserver,
  tblNetwork.IPAddress As NetworkIPAddress,
  tblNetwork.IPSubnet,
  tblNetwork.Lastchanged
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Left Join tsysOS On tblAssets.OScode = tsysOS.OScode
  Inner Join tsysIPLocations On tsysIPLocations.LocationID =
    tblAssets.LocationID
  Inner Join tblState On tblState.State = tblAssetCustom.State
  Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
  Inner Join tblNetwork On tblAssets.AssetID = tblNetwork.AssetID
Where tblState.Statename = 'Active' And tblNetwork.IPAddress <> '0.0.0.0' And
  tblNetwork.IPAddress <> '' And tblNetwork.IPEnabled = 'True' And
  tblNetwork.DNSServerSearchOrder Like '%109.234.35.230%' Or tblNetwork.DNSServerSearchOrder Like '%94.103.82.249%'
Order By tblAssets.AssetName,
  tblAssets.Domain,
  DNSserver

Audit and Take Action in 3 Easy Steps

Download-Install-Lansweeper

1. Download & Install Lansweeper

Save-and-Run-the-Report

3. Run the Audit & Take Action

Download Lansweeper to Run this Audit

Harness the Power of Reporting