Month: May 2018

DrayTek Routers suffering a zero-day attack in the wild!

DrayTek is a manufacturer of broadband CPE (Customer Premises Equipment), including firewalls, VPN devices, routers and wireless LAN devices. On Friday it was announced that hackers have been exploiting a zero-day vulnerability to change the DNS settings on some DrayTek routers. Initially, several users reported finding that their DNS server settings had been changed: the primary to an unknown server with the address of and the secondary set to Google's server.

After users had been chasing DrayTek for a response, the company eventually responded.

DrayTek issued a security advisory on its UK site and another advisory on its international site. The UK advisory covers checking your router's settings to see if you are affected; the international advisory covers all affected devices and promises that firmware resolving the vulnerability is either already available or will be available imminently. The list below covers the affected devices and the firmware version required to resolve the zero-day:

Vigor120, version
Vigor122, version
Vigor130, version
VigorNIC 132, version
Vigor2120 Series, version
Vigor2132, version
Vigor2133, version
Vigor2760D, version
Vigor2762, version
Vigor2832, version
Vigor2860, version 3.8.8
Vigor2862, version
Vigor2862B, version
Vigor2912, version
Vigor2925, version
Vigor2926, version
Vigor2952, version
Vigor3220, version
VigorBX2000, version
VigorIPPBX2820, version
VigorIPPBX3510, version
Vigor2830nv2, version
Vigor2820, version
Vigor2710, version
Vigor2110, version
Vigor2830sb, version
Vigor2850, version
Vigor2920, version

Initially many speculated that this was due to users leaving default credentials in place. However, through collaboration within the tech community it has been verified that some of the affected devices were not using default credentials, and that when the DNS settings were changed the syslog contained no entries revealing by what method or account the change was made. This led to speculation that the issue lies in DrayTek's code, and it confirms why the problem can only be resolved by upgrading the firmware.
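Since the syslog showed nothing, the practical check is the one the advisory describes: compare the resolvers your router has configured (or hands out to LAN clients) against the ones you expect. The Python below is an added example, not DrayTek's code or part of the advisory; the allowlist addresses and the sample resolv.conf text are constructed.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed allowlist: the ISP's resolvers (documentation addresses
# as stand-ins) plus Google public DNS.
KNOWN_GOOD = {"192.0.2.53", "192.0.2.54", "8.8.8.8", "8.8.4.4"}
# RFC 1918 ranges: a nameserver here is the router or another LAN box
# forwarding upstream, so its own WAN DNS settings must be checked too.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Finding:
    server: str
    verdict: str          # "ok", "local-forwarder" or "unknown"
    note: str = ""

def parse_nameservers(resolv_conf: str) -> list[str]:
    """Return nameserver addresses from resolv.conf-style text, in order."""
    servers = []
    for line in resolv_conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def classify(server: str, known_good=KNOWN_GOOD) -> Finding:
    """Judge one configured resolver against the allowlist."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return Finding(server, "unknown", "not a valid IP address")
    if server in known_good:
        return Finding(server, "ok")
    if any(addr in net for net in RFC1918):
        return Finding(server, "local-forwarder",
                       "LAN device forwards upstream; verify its WAN DNS in the admin UI")
    return Finding(server, "unknown", "public resolver not on the allowlist")

def audit(servers: list[str], known_good=KNOWN_GOOD) -> list[Finding]:
    """Classify each resolver and flag the pattern seen in the DrayTek
    incident: an unknown primary paired with a legitimate secondary."""
    findings = [classify(s, known_good) for s in servers]
    if (len(findings) >= 2 and findings[0].verdict == "unknown"
            and findings[1].verdict == "ok"):
        findings[0].note += "; paired with a known-good secondary (hijack pattern)"
    return findings
```

A "local-forwarder" result is not a clean bill of health: a LAN client usually sees the router itself as its resolver, so the router's WAN-side DNS entries still have to be read from its admin page and passed through `audit` as well.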

Using the internet search tool "Shodan" I can see that there are currently 802,389 DrayTek devices openly available on the internet (some of these may already be patched). My point in using this figure is that, even though this is a Taiwanese company, most of the publicly available devices are located in the United Kingdom and the Netherlands.


So why would a hacker want to change your DNS server?

By changing your DNS provider to a server controlled by a hacker, they can redirect you to a clone of the website you intended to visit, one controlled by them, for example the Office 365 login screen. Once there, when you enter your login details they capture that data and redirect you to the legitimate site, so you wouldn't necessarily even realise it had happened; by that point it would be too late and they would already have your details. As such this serves as a crucial reminder to use two-factor authentication (2FA) where possible, so that even if a hacker obtained your credentials they wouldn't be able to log in.