In February 2016, US$951 million was siphoned from the Bangladesh Bank by way of an unprotected router. You could be next, warns a new report.
The "DRAY:BREAK" Research Report by Forescout Technologies reveals 14 previously unknown vulnerabilities in DrayTek routers, including one with a critical severity rating of 10. These vulnerabilities could allow attackers to take full control of the devices, leading to potential ransomware attacks, data exfiltration, and denial-of-service incidents. The widespread use of DrayTek routers across various industries makes them prime targets for cybercriminals.
"Routers are crucial for keeping internal systems connected to the outside world yet too many organizations overlook their security until they are exploited by attackers," stated Barry Mainz, CEO of Forescout. He emphasised that cybercriminals actively seek weaknesses in router defences, using them to infiltrate networks and steal sensitive information.
The report highlights that over 704,000 DrayTek routers are currently exposed to the internet, with a significant number located in the UK, EU, and Asia. Nearly 40% of these routers remain vulnerable to issues identified two years ago and listed by the Cybersecurity and Infrastructure Security Agency (CISA). Additionally, the vulnerabilities impact 24 router models, with 11 categorized as end-of-life (EoL), complicating efforts to patch them.
Forescout's findings also detail potential attack scenarios. Vulnerabilities in DrayTek routers could allow attackers to deploy persistent rootkits, intercept network traffic, and move laterally within a network. High-performance models, like the Vigor3910, could be repurposed as command-and-control servers, facilitating further attacks.
In response to the findings, DrayTek has patched all identified firmware vulnerabilities. However, organisations are urged to take additional mitigation steps. "To safeguard against these vulnerabilities, organizations must immediately patch affected DrayTek devices with the latest firmware," advised Daniel dos Santos, Head of Security Research at Forescout. He recommended disabling unnecessary remote access, implementing access control measures, and monitoring network activity to enhance security.
Recommended actions
- Identify DrayTek routers on your network and the firmware version they run
- Patch: ensure you have applied the latest firmware updates to mitigate vulnerabilities
- Identify End-of-Life (EOL) routers and consider replacing them
- Disable Remote Access: consider disabling remote access capabilities when they are not required, to reduce exposure
- Mitigate Risks: Enable access control lists, multi-factor authentication, and syslog logging