Virtual Event Today: Cloud & Data Security Summit - Join Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Undocumented DrayTek Vulnerabilities Exploited to Hack Hundreds of Orgs

Undocumented vulnerabilities in DrayTek devices were exploited in ransomware campaigns that compromised over 300 organizations.

More than 300 organizations were hacked by ransomware groups using undocumented vulnerabilities in DrayTek devices, including a potential zero-day flaw, according to a warning from cybersecurity vendor Forescout.

In October, Forescout published an advisory documenting 14 security defects in DrayTek Vigor router models potentially impacting hundreds of thousands of devices, many of which had not been patched against vulnerabilities found years ago.

After publishing the research, the company said it received a report from threat intelligence provider Prodaft regarding an exploitation campaign targeting more than 20,000 DrayTek devices for credential theft and ransomware deployment.

At least three different threat actors were involved in the coordinated campaign, which was identified between August and September 2023 and involved the exploitation of a suspected zero-day bug for initial access.

One of the hacking groups, tracked as Monstrous Mantis, acted as a facilitator, identifying vulnerable devices, exploiting them for credential harvesting, and providing other attackers with access to them.

“By selectively sharing decrypted credentials with trusted partners, Monstrous Mantis maintained tight control over victim allocation and ensured operational secrecy. This strategy allowed them to profit indirectly from ransomware attacks executed by their partners while minimizing their own exposure,” according to the Forescout report.

Advertisement. Scroll to continue reading.

Prodaft observed the threat actor providing instructions on how the stolen credentials can be used to create new VPN profiles, and mentioning a zero-day vulnerability that has not been verified.

Monstrous Mantis shared the stolen credentials with trusted collaborators such as Ruthless Mantis (PTI-288) and LARVA-15 (Wazawaka), which then used them to independently target hundreds of victims across Europe and elsewhere.

Ruthless Mantis, which has been tied to the former REvil operation, appears to have successfully compromised at least 337 organizations to deploy ransomware families such as Nokoyawa and Qilin, mainly focusing on the UK and the Netherlands.

LARVA-15 exploited the credentials provided by Monstrous Mantis to target entities in Australia, France, Germany, Italy, the Netherlands, Poland, Turkey, Taiwan, and the UK. Acting as an initial access broker, the threat actor monetized the intrusions by selling the access to other hacking groups.

“Upon analyzing intercepted attacker communications, we concluded that the campaign most likely used a 0-day exploit,” Forescout added.

The company believes the vulnerability likely lies within the mainfunction.cgi web page of the browser-based administrative interface for DrayTek routers. In early November, 22 new CVE entries related to the web page were added to the National Vulnerability Database (NVD) based on an October report.

Most of these defects have the same root cause as vulnerabilities discovered years ago and impact end-of-sale DrayTek devices running firmware version 1.5.3. However, it is unclear whether firmware version 1.5.6, the latest iteration for these devices, is vulnerable.

Related: I-O Data Confirms Zero-Day Attacks on Routers, Patches Pending

Related: DrayTek Flaws in CISA KEV Catalog Exploited in Global Campaign

Related: MoustachedBouncer: Foreign Embassies in Belarus Targeted via ISPs

Related: Security Orchestration: Beware of the Hidden Financial Costs

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Jazz has named Sean Robinson, Rickie Goyal, Danielle Guetta, Shani Nago, and Lior Magram as VPs and Michael Calev as COO.

AJ Shipley has been appointed Chief Product Officer at CrowdStrike.

Brinqa has named Ron Dovich as Chief AI and Automation Officer, David Allen as CTO, Steve Biagioni as CFO, and James Walta as VP of Product.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.