Ornamental dots. Two rows of three dots. The top row is a light blue. The bottom row is one light blue dot followed by two orange dots. Blog

DrayTek Routers Exploited in Massive Ransomware Campaign: Analysis and Recommendations

Forescout Research - Vedere Labs | December 10, 2024

Summary

  • Our 2024 Dray:Break report revealed 14 new vulnerabilities in DrayTek devices
  • See our upcoming presentation at Black Hat Europe for more details
  • PRODAFT shared threat intelligence from 2023 on a ransomware campaign exploiting DrayTek devices
  • This is the first time this campaign is discussed publicly
  • Our analysis shows sophisticated attack workflows to deploy ransomware including possible:
      • Zero-day vulnerabilities
      • Credential harvesting and password cracking
      • VPN and tunneling abuse

Guidance

  • Ensure visibility into all network devices, especially at the perimeter
  • Employ credential best practices for those devices
  • Patch vulnerable perimeter devices as soon as possible
  • Segment your network to prevent the spread of breaches

Network perimeter devices have become a critical initial access target for sophisticated threat actors. Ransomware operators are increasingly exploiting vulnerabilities in routers and VPN appliances. This analysis details a coordinated campaign targeting DrayTek Vigor devices. Our findings reveal a complex ecosystem of cybercriminal collaboration and systematic network infiltration.

Forescout Research – Vedere Labs reported an incident in 2022 where ALPHV ransomware was deployed after initial access was gained through a vulnerable SonicWall SRA appliance. Building on these findings, our research has uncovered new vulnerabilities in perimeter devices, including DrayTek routers – emphasizing their potential exploitation in future ransomware campaigns.

As we prepared to present our DrayTek findings at Black Hat Europe 2024, we were approached by PRODAFT, a threat intelligence provider, with unique insights into active exploitation campaigns against DrayTek.

Between August and September 2023, PRODAFT identified a coordinated campaign targeting over 20,000 DrayTek Vigor devices worldwide. The operation exploited a suspected zero-day vulnerability, enabling attackers to infiltrate networks, steal credentials, and deploy ransomware.

Major incidents were linked to this exploitation campaign, including the Manchester Police supply-chain attack. PRODAFT partnered with multiple Computer Emergency Response Teams (CERTs) – including CISA and law enforcement agencies – to notify affected organizations and comprehensively assess the campaign’s full scope.

In this report, we disclose this activity publicly for the first time. Our focus is on the coordination among threat actors and its broader cybersecurity implications.

 

Observed Threat Actor Activity: Insights into Sophisticated Ransomware Operations Exploiting DrayTek Devices

The analyzed campaign involved three distinct threat actors – Monstrous Mantis (Ragnar Locker), Ruthless Mantis (PTI-288) and LARVA-15 (Wazawaka) – who followed a structured and efficient workflow as shown in the image below:

Each actor had defined roles and objectives.

Monstrous Mantis Exploitation

Monstrous Mantis played a central role in the campaign, acting as a facilitator rather than directly engaging in ransomware deployment. They identified and exploited the vulnerability, systematically extracting credentials, and decrypting them into plaintext.

By selectively sharing decrypted credentials with trusted partners, Monstrous Mantis maintained tight control over victim allocation and ensured operational secrecy. This strategy allowed them to profit indirectly from ransomware attacks executed by their partners while minimizing their own exposure. This highly specialized and transactional model exemplifies the increasing complexity of modern cybercriminal ecosystems, where distinct groups collaborate to maximize operational efficiency and minimize individual risk.

The image below was obtained from attacker chatter. It shows excerpts from a “manual” created by Monstrous Mantis, and shared with partner groups, detailing instructions for using the shared credentials to create new VPN profiles and establish tunnels.

PRODAFT also observed chat excerpts where the group references the vulnerability as a zero-day, explicitly instructing others not to share it. We have not been able to confirm whether the vulnerability constituted a true zero-day exploit, as numerous similar issues affect the vulnerable “mainfunction.cgi” endpoint, and we did not have comprehensive access to full exploit payloads. We discuss some of these recurring vulnerabilities in the next section.

Monstrous Mantis provided decrypted credentials to their trusted collaborators, enabling other groups, such as Ruthless Mantis (PTI-288) and LARVA-15 (Wazawaka), to infiltrate victim environments. However, Monstrous Mantis withheld the exploit itself, retaining exclusive control over the initial access phase. This calculated structure allowed them to profit indirectly, as ransomware operators who successfully monetized their intrusions were obliged to share a percentage of their proceeds.

The simultaneous campaign activities suggest that Monstrous Mantis may have supplied credentials to additional groups beyond Ruthless Mantis and LARVA-15. While their identities remain unconfirmed, this broader dissemination underscores the possibility of a more extensive network of collaborators.

Ruthless Mantis Operations

Ruthless Mantis, a highly sophisticated ransomware group with roots in the former REvil operation, used credentials provided by Monstrous Mantis to independently target victims. Focusing predominantly on organizations in the United Kingdom and the Netherlands, they successfully compromised at least 337 organizations as confirmed by PRODAFT’s attribution data. This group exhibited a systematic and methodical approach, leveraging stolen credentials to gain initial access, escalate privileges within compromised networks, and deploy ransomware strains such as Nokoyawa and Qilin. Their victim profile ranged from large enterprises to SMEs, highlighting their indiscriminate exploitation of exposed networks to maximize impact.

Simultaneous Attacks by LARVA-15

LARVA-15 conducted parallel exploitation activities using credentials provided by Monstrous Mantis, targeting a geographically diverse range of victims. Their operations extended across the United Kingdom, Netherlands, Australia, Taiwan, Italy, Poland, France, Germany, and Türkiye. Unlike Ruthless Mantis, LARVA-15 specialized in acting as an Initial Access Broker (IAB), monetizing their intrusions by selling compromised access to other threat actors.

This operational model underscores the group’s role in facilitating a wider network of attacks, further illustrating the interconnected nature of the cybercriminal ecosystem.

Which Vulnerability Was Exploited? Examining New and Recurring Issues in DrayTek Devices

The observed campaign leveraged vulnerabilities in DrayTek routers for initial access, specifically targeting the “mainfunction.cgi” web page of the WebUI. WebUI is the browser-based administrative interface used to configure DrayTek routers, and it is frequently exposed to the internet, despite the vendor’s guidance to restrict such access.

As detailed in our Dray:Break report, DrayTek’s web application has faced numerous security issues over the past four years with at least 18 vulnerabilities allowing Remote Code Execution (RCE). Several of these issues affected the same web pages, such as CVE-2020-8515, CVE-2020-14472, CVE-2020-14993, CVE-2020-15415, CVE-2020-19664, CVE-2021-42911, CVE-2021-43118, CVE-2023-1162 and CVE-2023-24229 that affect mainfunction.cgi. Of these, CVE-2020-8515 and CVE-2020-15415 are currently listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog.

The “mainfunction.cgi” page and its associated functionality are limited to end-of-sale DrayTek models such as the Vigor300B, Vigor2960, and Vigor3900. In newer models this functionality has been removed, rendering the attack vector inapplicable to currently supported devices. Even for legacy models, vulnerabilities such as CVE-2020-8515 were patched years ago. Therefore, encountering successful exploitation attempts in 2024 came as a significant surprise.

Upon analyzing intercepted attacker communications, we concluded that the campaign most likely used a 0-day exploit. This hypothesis gained further credence shortly after our Dray:Break report, when 22 (!) new CVE entries related to “mainfunction.cgi” were published in the National Vulnerability Database (NVD). Each entry cited a GitHub-hosted report, initially uploaded on October 21, 2024, with the first NVD entries appearing on November 4. The NVD entries and the corresponding report indicated that even the firmware version patched for CVE-2020-8515 (v1.5.3) remained vulnerable to newly identified issues. Therefore, we believe the exploitation campaign observed by PRODAFT may have exploited one of these 22 previously undocumented vulnerabilities.

Most of these newly identified vulnerabilities share root causes similar to CVE-2020-8515 and align with issues we uncovered in our DrayTek research, such as CVE-2024-41592. The recurrence of such vulnerabilities within the same codebase suggests a lack of thorough root cause analysis, variant hunting and systematic code reviews by the vendor following each vulnerability disclosure. While this observation was previously speculative, the emergence of these new vulnerabilities provides additional supporting evidence.

Notably, the latest available firmware version for these end-of-sale devices is v1.5.6, available since March 2024. However, it remains unclear whether these newly documented issues will eventually be fixed.

 

Recommended Mitigation

DrayTek serves as a prime example of recurring vulnerabilities affecting the same critical – and often internet-exposed – codebase. Our previous Dray:Break report highlighted exploitation by multiple Advanced Persistent Threats (APTs). Now, in collaboration with PRODAFT, we’ve uncovered how sophisticated ransomware operators have exploited undocumented issues.

The persistence of similar vulnerabilities underscores a troubling trend: As long as these weaknesses remain unaddressed, exploitation will likely continue, not only on DrayTek devices but across other platforms as well. To counter these risks, proactive risk mitigation is essential. We recommend the following measures:

  • Ensure comprehensive visibility into network perimeter devices, including the software they run and their communication patterns.
  • Understand their risk profile with particular regard to vulnerabilities, weak configurations, internet exposure and other factors.
  • Replace default or easily guessable credentials and use strong, unique passwords for each device.
  • Patch devices promptly and consider replacing end-of-life devices that can no longer be updated.
  • Segment your network to ensure that if threat actors gain initial access via a router, they cannot immediately access every critical device on your network.

See all of the data from our Dray:Break report.

Also, watch our on-demand webinar with Elisa Costante, VP of Research.

Demo RequestForescout PlatformTop of Page