SecurityWeek

Undocumented DrayTek Vulnerabilities Exploited to Hack Hundreds of Orgs

Undocumented vulnerabilities in DrayTek devices were exploited in ransomware campaigns that compromised over 300 organizations.

More than 300 organizations were hacked by ransomware groups using undocumented vulnerabilities in DrayTek devices, including a potential zero-day flaw, according to a warning from cybersecurity vendor Forescout.

In October, Forescout published an advisory documenting 14 security defects in DrayTek Vigor router models potentially impacting hundreds of thousands of devices, many of which had not been patched against vulnerabilities found years ago.

After publishing the research, the company said it received a report from threat intelligence provider Prodaft regarding an exploitation campaign targeting more than 20,000 DrayTek devices for credential theft and ransomware deployment.

At least three different threat actors were involved in the coordinated campaign, which was identified between August and September 2023 and involved the exploitation of a suspected zero-day bug for initial access.

One of the hacking groups, tracked as Monstrous Mantis, acted as a facilitator, identifying vulnerable devices, exploiting them for credential harvesting, and providing other attackers with access to them.

“By selectively sharing decrypted credentials with trusted partners, Monstrous Mantis maintained tight control over victim allocation and ensured operational secrecy. This strategy allowed them to profit indirectly from ransomware attacks executed by their partners while minimizing their own exposure,” according to the Forescout report.

Prodaft observed the threat actor providing instructions on how the stolen credentials can be used to create new VPN profiles, and mentioning a zero-day vulnerability that has not been verified.

Monstrous Mantis shared the stolen credentials with trusted collaborators such as Ruthless Mantis (PTI-288) and LARVA-15 (Wazawaka), which then used them to independently target hundreds of victims across Europe and elsewhere.

Ruthless Mantis, which has been tied to the former REvil operation, appears to have successfully compromised at least 337 organizations to deploy ransomware families such as Nokoyawa and Qilin, mainly focusing on the UK and the Netherlands.

LARVA-15 exploited the credentials provided by Monstrous Mantis to target entities in Australia, France, Germany, Italy, the Netherlands, Poland, Turkey, Taiwan, and the UK. Acting as an initial access broker, the threat actor monetized the intrusions by selling the access to other hacking groups.

“Upon analyzing intercepted attacker communications, we concluded that the campaign most likely used a 0-day exploit,” Forescout added.

The company believes the vulnerability likely lies within the mainfunction.cgi web page of the browser-based administrative interface for DrayTek routers. In early November, 22 new CVE entries related to the web page were added to the National Vulnerability Database (NVD) based on an October report.

Most of these defects have the same root cause as vulnerabilities discovered years ago and impact end-of-sale DrayTek devices running firmware version 1.5.3. However, it is unclear whether firmware version 1.5.6, the latest iteration for these devices, is vulnerable.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
