The attacks seem to be based on bruteforcing remote management credentials. Once this is achieved, the attackers can perform a spoofing attack to redirect web traffic to malicious websites that aim to install malware or attempt to phish passwords:
The malicious DNS servers send targets to the domain they requested. Behind the scenes, however, the sites are spoofed, meaning they’re served from malicious IP addresses, rather than the legitimate IP address used by the domain owner. Liviu Arsene, the Bitdefender researcher who wrote Wednesday's post, told me that spoofed sites close port 443, the Internet gate that transmits traffic protected by HTTPS authentication protections. The closure causes sites to connect over HTTP and in so doing, prevents the display of warnings from browsers or email clients that a TLS certificate is invalid or untrusted.Users are advised to use passwords that are secure enough (and to definitely not leave it on the default credentials).