SecurityWeek

Undocumented DrayTek Vulnerabilities Exploited to Hack Hundreds of Orgs

Undocumented vulnerabilities in DrayTek devices were exploited in ransomware campaigns that compromised over 300 organizations.

More than 300 organizations were hacked by ransomware groups using undocumented vulnerabilities in DrayTek devices, including a potential zero-day flaw, according to a warning from cybersecurity vendor Forescout.

In October, Forescout published an advisory documenting 14 security defects in DrayTek Vigor router models potentially impacting hundreds of thousands of devices, many of which had not been patched against vulnerabilities found years ago.

After publishing the research, the company said it received a report from threat intelligence provider Prodaft regarding an exploitation campaign targeting more than 20,000 DrayTek devices for credential theft and ransomware deployment.

At least three different threat actors were involved in the coordinated campaign, which was identified between August and September 2023 and involved the exploitation of a suspected zero-day bug for initial access.

One of the hacking groups, tracked as Monstrous Mantis, acted as a facilitator, identifying vulnerable devices, exploiting them for credential harvesting, and providing other attackers with access to them.

“By selectively sharing decrypted credentials with trusted partners, Monstrous Mantis maintained tight control over victim allocation and ensured operational secrecy. This strategy allowed them to profit indirectly from ransomware attacks executed by their partners while minimizing their own exposure,” according to the Forescout report.

Prodaft observed the threat actor providing instructions on how the stolen credentials can be used to create new VPN profiles, and mentioning a zero-day vulnerability that has not been verified.

Monstrous Mantis shared the stolen credentials with trusted collaborators such as Ruthless Mantis (PTI-288) and LARVA-15 (Wazawaka), which then used them to independently target hundreds of victims across Europe and elsewhere.

Ruthless Mantis, which has been tied to the former REvil operation, appears to have successfully compromised at least 337 organizations to deploy ransomware families such as Nokoyawa and Qilin, mainly focusing on the UK and the Netherlands.

LARVA-15 exploited the credentials provided by Monstrous Mantis to target entities in Australia, France, Germany, Italy, the Netherlands, Poland, Turkey, Taiwan, and the UK. Acting as an initial access broker, the threat actor monetized the intrusions by selling the access to other hacking groups.

“Upon analyzing intercepted attacker communications, we concluded that the campaign most likely used a 0-day exploit,” Forescout added.

The company believes the vulnerability likely lies within the mainfunction.cgi web page of the browser-based administrative interface for DrayTek routers. In early November, 22 new CVE entries related to the web page were added to the National Vulnerability Database (NVD) based on an October report.

Most of these defects have the same root cause as vulnerabilities discovered years ago and impact end-of-sale DrayTek devices running firmware version 1.5.3. However, it is unclear whether firmware version 1.5.6, the latest iteration for these devices, is vulnerable.
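Since the suspected flaw sits in the browser-based management page, one practical check a defender can run is to look at the device's web access logs for requests to that CGI that arrive from outside the management network. The following is an added example written for this article, not code from Forescout, Prodaft or DrayTek. It assumes a combined-log-style access log (DrayTek's real log layout is not shown on the page), a script path ending in mainfunction.cgi under an assumed /cgi-bin/ prefix, and the constructed sample lines embedded below.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample lines (assumption: a combined-log-style format, not
# DrayTek's actual log layout). 203.0.113.x and 198.51.100.x are
# documentation ranges standing in for arbitrary internet sources.
SAMPLE_LOG = """\
192.168.1.10 - - [12/Nov/2024:09:12:01 +0000] "GET /cgi-bin/mainfunction.cgi?action=login HTTP/1.1" 200 512
203.0.113.45 - - [12/Nov/2024:09:13:44 +0000] "POST /cgi-bin/mainfunction.cgi HTTP/1.1" 200 128
192.168.1.11 - - [12/Nov/2024:09:14:02 +0000] "GET /index.htm HTTP/1.1" 200 2048
198.51.100.7 - - [12/Nov/2024:09:15:19 +0000] "POST /cgi-bin/mainfunction.cgi HTTP/1.1" 403 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Ranges treated as the management side. Explicit networks are listed rather
# than relying on ipaddress.is_private, because Python also classes the
# documentation ranges used in the sample as private, which would hide them.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_internal(src):
    """True if the source address falls inside one of the management-side ranges."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False  # malformed or non-IP client field: treat as untrusted
    return any(ip in net for net in INTERNAL_NETS)


def find_external_admin_hits(log_text, script="mainfunction.cgi"):
    """Return entries for requests to the admin CGI that came from non-internal sources."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        # Compare only the final path segment so query strings do not matter.
        if urlsplit(entry["path"]).path.rsplit("/", 1)[-1] != script:
            continue
        if is_internal(entry["src"]):
            continue
        hits.append(entry)
    return hits


def summarize(hits):
    """Count flagged requests per source address so repeat sources stand out."""
    counts = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return counts


if __name__ == "__main__":
    flagged = find_external_admin_hits(SAMPLE_LOG)
    for h in flagged:
        print(f'{h["ts"]} {h["src"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print(summarize(flagged))
```

Any hit at all from an external source is the finding, regardless of response code: the 403 in the sample still shows the management page is reachable from the internet, which is the exposure to close (restrict the admin interface to internal addresses or a VPN) while the firmware question raised above remains open.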

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
