Over 700.000 DrayTek routers suffer from zero-day attack

Published by

teaser

DrayTek has issued a warning on their website, their vigor routers are susceptible for hacking attempts where the DNS settings of DrayTek routers are changed due to a vulnerability. Once the DNS is changed, attackers will intercept traffic and automatically redirect victims to malicious websites. 



More than 700,000 devices are potentially affected. DrayTek states it found out about the attacks this month. The attacks are only against web-enabled devices and the attacks appear to work even if the remote access functionality of the router is disabled. Although DrayTek states it won’t provide further details, the attack is likely similar to similar attacks against routers of other vendors. Similar to other attacks, the attackers are very likely able to change the DNS settings through a so-called CSRF attack. This means the attackers change the settings without entering the control panel, reports myce:

The DNS is changed to a DNS server under control of the attackers. That gives them pretty much full control over the user’s internet connection. They can e.g. log which websites the victim visits, redirect victims to fake banking websites, hijack search queries and inject advertisements on websites.

While DrayTek is working on a firmware update, the company recommends users to check the DNS and DHCP settings of their router, disable remote access at least until a patch is available, make sure the connection to your router is encrypted (address starts with HTTPS://) and to report anything suspicious to the company. If the DNS and DHCP settings have been changed by the attackers, DrayTek advises to restore a backup or to check and correct the settings. DrayTek also advises checking that no other admin users have been added and recommends to read their CSRF explanation page.

The majority of the affected devices will likely be from DrayTek’s Vigor series which consists of mainly routers and/or DSL modems.  Device tracking service Shodan reports there are about 790,000 DrayTek Vigor devices connected to the internet of which about 260,000 are in the United Kingdom and about 140,000 are in the Netherlands. Other countries where DrayTek Vigor products are widely in use are Vietnam, Germany and Taiwan.

Because DrayTek has not released a patch for the issue and because it’s already exploited in the wild, the attacks are now regarded as so-called zero day attacks.

Over 700.000 DrayTek routers suffer from zero-day attack


Share this content
Twitter Facebook Reddit WhatsApp Email Print