Month: May 2018

DrayTek Routers suffering a zero-day attack in the wild!

DrayTek is a manufacturer of broadband CPE (Customer Premises Equipment), including firewalls, VPN devices, routers and wireless LAN devices. On Friday it was announced that hackers have been exploiting a zero-day vulnerability to change the DNS settings on some DrayTek routers. Initially, several users reported finding that their DNS server settings had been changed to an unknown server with the address 38.134.121.95, with the secondary set to Google's 8.8.8.8 server.

After users chased DrayTek for a response, the company eventually responded.

DrayTek issued a security advisory on its UK site and another advisory on its international site. The initial advisory covers checking your router's settings to see if you are affected, and the advisory on the international site covers all affected devices, with promises that firmware to resolve the vulnerability is either already available or will be available imminently. The list below covers the affected devices and the firmware version required to resolve the zero-day:

Vigor120, version 3.8.8.2
Vigor122, version 3.8.8.2
Vigor130, version 3.8.8.2
VigorNIC 132, version 3.8.8.2
Vigor2120 Series, version 3.8.8.2
Vigor2132, version 3.8.8.2
Vigor2133, version 3.8.8.2
Vigor2760D, version 3.8.8.2
Vigor2762, version 3.8.8.2
Vigor2832, version 3.8.8.2
Vigor2860, version 3.8.8
Vigor2862, version 3.8.8.2
Vigor2862B, version 3.8.8.2
Vigor2912, version 3.8.8.2
Vigor2925, version 3.8.8.2
Vigor2926, version 3.8.8.2
Vigor2952, version 3.8.8.2
Vigor3220, version 3.8.8.2
VigorBX2000, version 3.8.8.2
VigorIPPBX2820, version 3.8.8.2
VigorIPPBX3510, version 3.8.8.2
Vigor2830nv2, version 3.8.8.2
Vigor2820, version 3.8.8.2
Vigor2710, version 3.8.8.2
Vigor2110, version 3.8.8.2
Vigor2830sb, version 3.8.8.2
Vigor2850, version 3.8.8.2
Vigor2920, version 3.8.8.2

Initially, many speculated that this was down to users leaving default credentials in place. However, through collaboration in the tech community it has been verified that some of the affected devices were not using default credentials, and that when the DNS settings were changed no syslog entries revealed which method or account made the change. This points to a flaw in the DrayTek code itself, and explains why the issue can only be resolved by upgrading the firmware.

Using the internet search tool "Shodan" I can see that there are currently 802,389 DrayTek devices openly available on the internet (some of these may already be patched). My point in quoting this figure is that, even though DrayTek is a Taiwanese company, most of the publicly reachable devices are located in the United Kingdom and the Netherlands.

So why would a hacker want to change your DNS server?

By changing your DNS provider to a server under their control, a hacker can answer your lookup with the address of a clone of the site you intended to visit, for example the Office 365 login screen. When you enter your login details there, they capture them and then redirect you to the legitimate site, so you would not necessarily realise anything had happened; by that point it is too late and they already have your credentials. As such this serves as a crucial reminder to use two-factor authentication (2FA) wherever possible, so that even if a hacker obtains your credentials they still cannot log in.
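The two practical checks this post asks of an administrator are whether each router is below the fixed firmware version listed above and whether its DNS settings have been redirected to the rogue resolver. The script below is an added example for auditing an inventory of DrayTek devices against both; it is not DrayTek's own tooling. The firmware table and the 38.134.121.95 indicator come from the advisory as quoted in this post; the device records and the expected-resolver set (192.0.2.53 and 192.0.2.54) are constructed for the example, and a real estate would substitute its own resolvers.

```python
"""Audit DrayTek Vigor inventory records against the advisory quoted in the post.

Added example, not DrayTek's code. Fixed-firmware versions and the rogue
resolver indicator are taken from the post; inventory records are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Minimum firmware that resolves the issue, per the advisory list in the post.
# Every listed model requires 3.8.8.2 except the Vigor2860, which lists 3.8.8.
FIXED_FIRMWARE = {model: "3.8.8.2" for model in (
    "Vigor120", "Vigor122", "Vigor130", "VigorNIC 132", "Vigor2120 Series",
    "Vigor2132", "Vigor2133", "Vigor2760D", "Vigor2762", "Vigor2832",
    "Vigor2862", "Vigor2862B", "Vigor2912", "Vigor2925", "Vigor2926",
    "Vigor2952", "Vigor3220", "VigorBX2000", "VigorIPPBX2820",
    "VigorIPPBX3510", "Vigor2830nv2", "Vigor2820", "Vigor2710", "Vigor2110",
    "Vigor2830sb", "Vigor2850", "Vigor2920",
)}
FIXED_FIRMWARE["Vigor2860"] = "3.8.8"

# Resolver address reported by affected users (indicator quoted in the post).
ROGUE_RESOLVERS = {"38.134.121.95"}

# Resolvers the operator expects on their own routers (constructed allowlist).
# 8.8.8.8 is deliberately NOT included: the hijacked configuration paired the
# rogue primary with 8.8.8.8 as secondary, so an unexpected public resolver is
# itself a signal worth reporting rather than silently accepting.
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}


def parse_version(text: str) -> tuple[int, ...]:
    """'3.8.8.2' -> (3, 8, 8, 2). Tolerates suffixes such as '3.8.8_RC1'."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def version_lt(a: tuple[int, ...], b: tuple[int, ...]) -> bool:
    """Numeric comparison with zero padding, so 3.8.8 == 3.8.8.0 < 3.8.8.2."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


@dataclass(frozen=True)
class Device:
    name: str          # constructed inventory label
    model: str         # DrayTek model string as in the advisory list
    firmware: str      # firmware version reported by the router
    dns: tuple[str, ...]  # configured DNS servers, primary first


def audit(device: Device) -> list[str]:
    """Return a list of findings for one device; an empty list means clean."""
    findings: list[str] = []
    required = FIXED_FIRMWARE.get(device.model)
    if required is None:
        findings.append(f"model {device.model} not in advisory list; verify manually")
    elif version_lt(parse_version(device.firmware), parse_version(required)):
        findings.append(f"firmware {device.firmware} is below fixed version {required}")
    for server in device.dns:
        if server in ROGUE_RESOLVERS:
            findings.append(f"DNS {server} matches the rogue resolver from the advisory")
        elif server not in EXPECTED_RESOLVERS:
            findings.append(f"DNS {server} is not in the expected resolver set")
    return findings


def audit_fleet(devices: list[Device]) -> dict[str, list[str]]:
    """Map device name -> findings, keeping only devices with something to report."""
    return {d.name: audit(d) for d in devices if audit(d)}


# Constructed sample inventory: one clean device, one hijacked and unpatched.
SAMPLE_FLEET = [
    Device("branch-a", "Vigor2860", "3.8.8", ("192.0.2.53", "192.0.2.54")),
    Device("branch-b", "Vigor2862", "3.8.7.1", ("38.134.121.95", "8.8.8.8")),
]

if __name__ == "__main__":
    for name, findings in audit_fleet(SAMPLE_FLEET).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Running the audit over the constructed fleet reports only branch-b, with three findings: out-of-date firmware, the rogue primary resolver, and an unexpected secondary resolver. A device whose model is not in the table is flagged for manual review rather than assumed safe.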