DrayTek router zero-day vulnerability
Target: DrayTek routers and servers
Attack Vector: DNS hijacking
Summary: DrayTek, the Taiwanese manufacturer of customer premises equipment such as routers and servers, has acknowledged a zero-day vulnerability in many of its core router products. Over the weekend a number of users took to social media sites to report problems with their DNS settings, stating that an unknown IP address, 188.8.131.52, had been inserted into their settings; this address was shown to be hosted by China Telecom. DrayTek has since confirmed in a press release that this is a new vulnerability targeting home routers and that it has issued a firmware patch in response to the incident. The vulnerability is currently being actively exploited on unpatched devices, and further attacks and further development of this vulnerability are a possibility.
Risk assessment summary: The threat is assessed as 3c MODERATE. This vulnerability is a significant threat to users and is likely to be exploited further by actors against any unpatched devices. DrayTek deployed a firmware patch on the 18th May 2018; however, many devices will remain unpatched, as the firmware update requires manual installation. The risk of further attacks by this vector therefore remains significant: there are over 800,000 DrayTek devices connected to the internet, although it is not yet known whether this vulnerability affects all of them. According to a Shodan search of DrayTek devices by country, the UK has 264,387, the Netherlands 148,804, Vietnam 73,786, Taiwan 51,588 and Germany 31,078.
This vulnerability allows the actor to change DNS settings, enabling man-in-the-middle attacks or recruitment of the device into a botnet. The altered DNS settings could also direct traffic to a phishing website, which would then deliver a malicious payload to the target machine behind the router. The threat is further heightened by the technical alert issued on the 16th April 2018 concerning APT activity against routers and networks, in relation to another home router supplier, MikroTik. That report stated that adversaries were seeking to gain access to routers and networks by leveraging weak protocols and service ports associated with network administration activities, in order to gain either intermittent or persistent access to devices.
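The practical defender check implied by the incident above is to audit the resolvers a router hands out (or is configured with) against an allowlist and against the reported indicator. The following is an added example, not code from DrayTek or from this advisory: the `SAMPLE_ROUTER_CONFIG` text and its "DNS Server N:" key format are constructed for illustration and do not represent DrayTek's real configuration export; the allowlist is an assumed organisational policy; the only value taken from the page is the reported rogue resolver 188.8.131.52.

```python
"""Audit configured DNS resolvers for signs of DNS hijacking.

Added example (not part of the advisory). The config format below is a
constructed, hypothetical text dump; adapt extract_dns_servers() to the
real output of your device or to a DHCP lease/resolv.conf file.
"""
import ipaddress

# Indicator reported in the DrayTek incident described in the advisory.
KNOWN_BAD_RESOLVERS = {"188.8.131.52"}

# Constructed sample of a router settings dump (hypothetical format).
SAMPLE_ROUTER_CONFIG = """\
LAN DHCP: enabled
DNS Server 1: 188.8.131.52
DNS Server 2: 9.9.9.9
Gateway: 192.168.1.1
"""


def extract_dns_servers(config_text):
    """Return the values of every 'DNS Server N:' line, in order."""
    servers = []
    for line in config_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower().startswith("dns server"):
            servers.append(value.strip())
    return servers


def audit_dns_settings(configured, allowlist, known_bad=KNOWN_BAD_RESOLVERS):
    """Classify each configured resolver.

    Returns a list of (resolver, reason) findings. An empty list means every
    configured resolver is a valid IP address present in the allowlist.
    """
    findings = []
    for entry in configured:
        try:
            addr = str(ipaddress.ip_address(entry.strip()))
        except ValueError:
            # A non-IP value in a resolver field is itself suspicious.
            findings.append((entry, "unparseable resolver value"))
            continue
        if addr in known_bad:
            # Matches the indicator reported in the incident: treat as hijack.
            findings.append((addr, "known hijack indicator"))
        elif addr not in allowlist:
            # Unknown but not a known indicator: needs manual review.
            findings.append((addr, "not in allowlist"))
    return findings


def audit_config(config_text, allowlist):
    """Convenience wrapper: parse a config dump and audit its resolvers."""
    return audit_dns_settings(extract_dns_servers(config_text), allowlist)


if __name__ == "__main__":
    # Assumed policy: only the organisation's approved resolvers are allowed.
    approved = {"9.9.9.9", "149.112.112.112"}
    for resolver, reason in audit_config(SAMPLE_ROUTER_CONFIG, approved):
        print(f"ALERT: resolver {resolver}: {reason}")
```

Run it against a dump from each device after applying the firmware update as well as before: a resolver that is restored to the allowlist only after the patch confirms the device had been tampered with, and a "not in allowlist" finding on an otherwise healthy device usually means the allowlist, not the router, needs updating.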