Vulnerabilities in DrayTek Routers Threaten Hundreds of Organizations

Just a SOC Analyst ^^
According to a warning from Forescout, over 300 organizations have been attacked by ransomware groups exploiting new vulnerabilities in DrayTek devices, including a previously unknown zero-day vulnerability.
Impact Level
In October, Forescout published a document detailing 14 security flaws in DrayTek Vigor routers that could affect hundreds of thousands of devices, many of which have not even been patched for vulnerabilities that appeared years ago.
After publishing the research, the company reported receiving information from Prodaft - a Threat Intelligence service provider - about an exploitation campaign targeting over 20,000 DrayTek devices to steal credentials and deploy ransomware.
At least three different attack groups took part in this campaign between August and September 2023, exploiting zero-day vulnerabilities for initial access.
Roles and Objectives of Each Hacker Group
This campaign involves three separate hacker groups – Monstrous Mantis (Ragnar Locker), Ruthless Mantis (PTI-288), and LARVA-15 (Wazawaka) – who follow a specific workflow as shown in the image below:

Figure 1. Roles and objectives of each attack group
List of Exploited Vulnerabilities
This campaign is believed to gain initial access by exploiting vulnerabilities in the DrayTek routers' WebUI, specifically its mainfunction.cgi page. The WebUI is the browser-based management interface used to configure DrayTek routers; it is often exposed to the public internet, even though the vendor advises restricting access to it.
DrayTek's web application has suffered numerous security issues over the past four years, with at least 18 vulnerabilities allowing Remote Code Execution (RCE). The list of CVEs includes:
CVE-2020-8515
CVE-2020-14472
CVE-2020-14993
CVE-2020-15415
CVE-2020-19664
CVE-2021-42911
CVE-2021-43118
CVE-2023-1162
CVE-2023-24229
Most of these flaws have the same root cause as previously discovered vulnerabilities and still affect DrayTek devices using software version 1.5.3. However, it is still unclear whether software version 1.5.6, the latest version for these devices, is vulnerable.
Recommendations
FPT Threat Intelligence recommends that organizations and individuals take the following measures to defend against this campaign:
Network Monitoring: Enhance network traffic monitoring to detect unusual activities.
Device Management: Ensure proper network device configuration, change default passwords, and promptly patch vulnerabilities.
Security Awareness: Train employees to recognize attack methods and suspicious behavior.
Network Segmentation: Separate network components so that a compromised device cannot easily be used to reach other systems.
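The following Python script is an added example, not part of the original article, that applies the network-monitoring recommendation to the exposure described in the vulnerability section: it scans HTTP access logs for requests to the WebUI's mainfunction.cgi from outside the LAN and flags sources whose POSTs were accepted. The CGI path, the LAN ranges, the log format and the sample log lines are all assumptions constructed for this example.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the WebUI handler named in the article is served at this path.
MGMT_CGI = "/cgi-bin/mainfunction.cgi"
# Assumption: these are the organisation's LAN ranges; any other source is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Combined-log-format style line (a constructed format for this example).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample log: a LAN admin session, an external failed-then-accepted POST, an external probe, unrelated traffic, and a malformed line.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Sep/2023:10:00:01 +0000] "GET /cgi-bin/mainfunction.cgi HTTP/1.1" 200 512
203.0.113.7 - - [01/Sep/2023:10:02:15 +0000] "POST /cgi-bin/mainfunction.cgi HTTP/1.1" 401 0
203.0.113.7 - - [01/Sep/2023:10:02:16 +0000] "POST /cgi-bin/mainfunction.cgi HTTP/1.1" 200 44
198.51.100.9 - - [01/Sep/2023:10:05:00 +0000] "GET /cgi-bin/mainfunction.cgi?action=status HTTP/1.1" 200 1024
192.168.1.20 - - [01/Sep/2023:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 300
this line is deliberately malformed and must be skipped, not crash the scan
"""
def is_internal(ip: str) -> bool:
    # True if the source address falls inside one of the assumed LAN ranges.
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable source field: treat as not trusted
    return any(addr in net for net in INTERNAL_NETS)

def external_mgmt_requests(lines):
    """Yield (ip, method, status) for each request to the management CGI from outside the LAN."""
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # skip lines that do not parse
        if m["path"].split("?", 1)[0] == MGMT_CGI and not is_internal(m["ip"]):
            yield m["ip"], m["method"], m["status"]

def summarize(lines):
    """Per-source hit counts, plus sources whose POST got a 2xx/3xx reply (assumed: request accepted)."""
    counts, accepted = Counter(), set()
    for ip, method, status in external_mgmt_requests(lines):
        counts[ip] += 1
        if method == "POST" and status[0] in "23":
            accepted.add(ip)
    return dict(counts), accepted

if __name__ == "__main__":
    counts, accepted = summarize(SAMPLE_LOG.splitlines())
    for ip, n in counts.items():
        print(f"{ip}: {n} external request(s) to {MGMT_CGI}" + (" (POST accepted)" if ip in accepted else ""))
```

Any external hit at all means the management interface is reachable from the internet, which is the exposure the vendor advises against; the accepted-POST set is simply where to look first.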