Dray:Break

Breaking Into DrayTek Routers Before Threat Actors Do It Again

In 2024, routers are a primary target for cybercriminals and state-sponsored attackers, and are the riskiest device category on networks. With that in mind, we investigated one hardware vendor with a history of security flaws, DrayTek, to help it address its issues and prevent new attacks, at a time when the risk of ransomware and denial of service attacks is especially high.

Learn what makes these routers vulnerable, what the impact of the flaws is, and how to mitigate the risk today.

At a glance:

  • 14 new vulnerabilities
  • 704K+ routers exposed online
  • 168 countries
  • 75% in commercial networks

Explore DrayBreak Research with Vedere Labs

Join Elisa Costante, Vice President of Research, for a discussion of the specific details of our findings and our responsible vulnerability disclosure. The webinar covers possible attack scenarios and their impact, including remote network control, ransomware, DDoS, and other highly disruptive and costly cybersecurity events. Given the recent news of the FBI taking down a botnet built on DrayTek devices, you won't want to miss this one.

Where Are the Most Exposed Routers?

Attack Scenarios

The attack scenarios assume a vulnerable device whose web UI is exposed on the WAN (internet) side. The potential impact: a rootkit that survives reboots and firmware updates; interception of network traffic to harvest credentials and sensitive data; and pivoting to devices on the local network for ransomware or denial of service attacks.

Status of Routers: End of Life / End of Sale

Of the 704,000+ routers exposed to the internet, the majority (63%) are either End of Life (EoL) or End of Sale (EoS). What’s more, 24 device models are affected by the new vulnerabilities, including 11 that are EoL. This is troublesome given many manufacturers stop security patches and updates at this stage of the product lifecycle.

Support Status for Exposed Routers

Intended Use of Exposed Routers

Dive Into the Research

Stay on top of this vendor's vulnerabilities so you know where to focus your defenses. Get all the data and analysis, including:

  • A technical deep dive on proof-of-concept attacks
  • The risks of ransomware, denial of service and data exfiltration
  • Why we chose to investigate DrayTek
  • How DrayTek devices figured in a recent FBI botnet takedown

FAQ: Dray:Break – DrayTek Routers Vulnerability Research Disclosure

What is DrayBreak?

DrayBreak is a collection of 14 newly discovered vulnerabilities in popular residential and enterprise routers manufactured by DrayTek disclosed by Forescout Research – Vedere Labs. These vulnerabilities are significant because threat actors, including cybercriminals and state-sponsored groups, often target network infrastructure devices, such as routers, for initial access and persistence. Identifying and fixing these issues helps prevent exploitation as zero-day vulnerabilities.


Where are DrayTek routers used?

Over 704,000 vulnerable DrayTek routers are exposed online across 168 countries. The UK accounts for 36% of these routers, followed by Vietnam with 17% and the Netherlands with 9%. Although many of the vulnerable devices are small residential routers, 75% are intended for business use. These affected devices are found in multiple sectors, including healthcare, retail, manufacturing, financial services, and government.


What is the impact of the vulnerabilities?

Of the 14 vulnerabilities, one has the maximum CVSS score of 10.0 and another is rated 9.1; both are critical. Nine have medium scores and three have low scores. Together these vulnerabilities may allow attackers to take control of a router by injecting malicious code, maintain persistence on the device, and use it as an entry point into enterprise networks.


What can organizations do to mitigate the risk from these vulnerabilities?

Complete protection requires patching affected devices. DrayTek has released fixed firmware for every affected model, including the EoL models, as listed in the table below:

Device models                                 | Fixed version(s)      | EoL?
Vigor1000B, Vigor2962, Vigor3910              | 4.3.2.8 and 4.4.3.1   | No
Vigor3912                                     | 4.3.6.1               | No
Vigor165, Vigor166                            | 4.2.7                 | No
Vigor2135, Vigor2763, Vigor2765, Vigor2766    | 4.4.5.1               | No
Vigor2865, Vigor2866, Vigor2915               | 4.4.5.3               | No
Vigor2620, VigorLTE200                        | 3.9.8.9               | Yes
Vigor2133, Vigor2762, Vigor2832               | 3.9.9                 | Yes
Vigor2860, Vigor2925                          | 3.9.8                 | Yes
Vigor2862, Vigor2926                          | 3.9.9.5               | Yes
Vigor2952, Vigor3220                          | 3.9.8.2               | Yes

In addition to patching, DrayTek has recommended the following actions for previous similar vulnerabilities:

  • If remote access is enabled on your router, disable it if not needed. Use an access control list (ACL) and two-factor authentication (2FA) if possible.
  • Verify that no additional remote access profiles (VPN dial-in, teleworker or LAN to LAN) or admin users (for router admin) have been added and that no ACLs have been altered.
  • Disable remote access (admin) and SSL VPN. Since the ACL does not apply to SSL VPN connections (Port 443), temporarily disable SSL VPN until the firmware is updated.
  • Always back up your configuration before performing an upgrade.
  • After upgrading, confirm that the web interface displays the new firmware version.
  • Enable syslog logging to monitor for abnormal events.
  • Always use secure protocols such as HTTPS for internet activity.
  • Follow the additional network security tips in DrayTek's Knowledge Base.
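The fixed-version table and the post-upgrade check above (confirm the web interface shows the new firmware version) can be turned into an inventory triage step. The script below is an added example, not code from Forescout or DrayTek. It assumes you already have each router's model name and running firmware version (from the web UI or your asset inventory), that firmware versions are dotted integers as written in the table, and that a table row listing two versions means two maintained release branches, each fixed from that build onward. The sample inventory is constructed, and the `assess` and `summarize` functions are illustrative names.

```python
"""Added example: triage DrayTek routers against the DrayBreak fixed-version
table. Not DrayTek or Forescout code; see the assumptions in the comments."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Fixed versions and EoL flags as listed in the table on this page.
# ASSUMPTION: a row with two versions ("4.3.2.8 and 4.4.3.1") means two
# maintained release branches (4.3.x and 4.4.x), each fixed from that build on.
_TABLE: list[tuple[str, tuple[str, ...], bool]] = [
    ("Vigor1000B, Vigor2962, Vigor3910", ("4.3.2.8", "4.4.3.1"), False),
    ("Vigor3912", ("4.3.6.1",), False),
    ("Vigor165, Vigor166", ("4.2.7",), False),
    ("Vigor2135, Vigor2763, Vigor2765, Vigor2766", ("4.4.5.1",), False),
    ("Vigor2865, Vigor2866, Vigor2915", ("4.4.5.3",), False),
    ("Vigor2620, VigorLTE200", ("3.9.8.9",), True),
    ("Vigor2133, Vigor2762, Vigor2832", ("3.9.9",), True),
    ("Vigor2860, Vigor2925", ("3.9.8",), True),
    ("Vigor2862, Vigor2926", ("3.9.9.5",), True),
    ("Vigor2952, Vigor3220", ("3.9.8.2",), True),
]


def _norm(model: str) -> str:
    """Normalise model spelling so 'vigor 2865' and 'Vigor2865' match."""
    return model.replace(" ", "").lower()


# model -> (fixed versions, is_eol)
FIXED: dict[str, tuple[tuple[str, ...], bool]] = {
    _norm(m): (fixes, eol)
    for models, fixes, eol in _TABLE
    for m in models.split(",")
}


def parse_version(text: str) -> tuple[int, ...]:
    """'4.4.5.3' -> (4, 4, 5, 3); raises ValueError on anything else."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(p) for p in parts)


@dataclass(frozen=True)
class Finding:
    model: str
    running: str
    status: str              # patched | unpatched | unknown_model | unparseable
    eol: bool | None         # None when the model is not in the table
    fix_target: str | None   # fixed build the device should be running


def assess(model: str, running: str) -> Finding:
    """Compare one device's running firmware with the fixed build for its model."""
    entry = FIXED.get(_norm(model))
    if entry is None:
        return Finding(model, running, "unknown_model", None, None)
    fixes, eol = entry
    try:
        cur = parse_version(running)
    except ValueError:
        return Finding(model, running, "unparseable", eol, fixes[0])
    # Prefer the fixed build on the same major.minor branch as the running build.
    for fix in fixes:
        fixed = parse_version(fix)
        if cur[:2] == fixed[:2]:
            status = "patched" if cur >= fixed else "unpatched"
            return Finding(model, running, status, eol, fix)
    # No branch match: a branch newer than every listed fix is ASSUMED to carry
    # the fix forward; anything else is older than the fixes and is unpatched.
    newest = max(fixes, key=parse_version)
    if cur > parse_version(newest):
        return Finding(model, running, "patched", eol, newest)
    oldest = min(fixes, key=parse_version)
    return Finding(model, running, "unpatched", eol, oldest)


def summarize(inventory: list[tuple[str, str]]) -> dict[str, int]:
    """Count findings by status; 'unpatched_eol' flags devices that still need
    a fix and are already End of Life, i.e. the first replacement candidates."""
    counts: Counter[str] = Counter()
    for model, running in inventory:
        f = assess(model, running)
        counts[f.status] += 1
        if f.status == "unpatched" and f.eol:
            counts["unpatched_eol"] += 1
    return dict(counts)


if __name__ == "__main__":
    # Constructed sample inventory (model, running firmware); not real data.
    sample = [
        ("Vigor2865", "4.4.5.3"),
        ("Vigor3910", "4.4.2.9"),
        ("Vigor2620", "3.9.8.8"),
        ("Vigor2926", "3.9.9.5"),
        ("Vigor9999", "1.0.0"),
    ]
    for model, fw in sample:
        print(assess(model, fw))
    print(summarize(sample))
```

Run it against an export of your own inventory and treat `unpatched_eol` as the replacement list, since EoL hardware may not receive fixes for the next round of flaws even though DrayTek shipped patches this time. Versions that come back `unparseable` usually mean the banner was scraped with a prefix or build suffix, so check those by hand rather than assuming they are patched.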

Where do I go for more information?

For more information on the vulnerabilities and mitigation strategies, please refer to our blog.


Strategic Recommendations: How Forescout Can Help

  • Risk and exposure management: Identify, quantify and prioritize cybersecurity risk. Start by discovering and assessing every connected asset to gain real-time awareness of your attack surface.
  • Network security: Continuously monitor all connected assets to govern network access, using real-time traffic visibility to manage segmentation and dynamic control policies to mitigate and remediate risk.
  • Threat detection and response: Detect, investigate and respond to true threats and incidents using threat detection and response capabilities to collect telemetry and logs, correlate attack signals, generate high-fidelity detections and enable automated responses.