Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Alert 07 March 2023 – ACTION REQUIRED: New Hiatus Hacking Campaign Targets DrayTek Routers to Spy on Businesses
Executive Summary
An ongoing hacking campaign known as “Hiatus” is targeting DrayTek Vigor router models 2960 and 3900 to monitor and steal data from businesses.
What’s the risk to my business?
If exploited successfully, the attacker is able to remotely execute commands on the router, and monitor and control traffic that passes through the router including file-transfer and email communications.
Technical Summary:
Research by Black Lotus Labs has found that the campaign involves the following:
A Bash script that deploys two executables to the target device post-exploitation. These are:
HIATUS Remote Access Trojan
A variant of ‘tcpdump’ that enables packet capture
Once this script has been executed, the ‘HiatusRAT’ and the ‘tcpdump’ variant are downloaded to a directory created by the script at ‘/database/.updata’ and are then executed. The malware listens on TCP port 8816; if this port is already in use, the process on that port is terminated so that the malware can use it instead. Once the malware has successfully bound to this port, a second process collects information about the victim device and sends it to a Command and Control (C2) server operated by the attacker (104.250.58.192); an additional C2 server (46.8.113.227) is used by the attacker to receive the information captured by the packet-capture tool. The packet-capture tool observes ports associated with mail server and FTP connections; these include TCP ports 21, 25, 110 and 143.
What can I do?
It is not currently known how the DrayTek routers have been initially compromised, and DrayTek has not yet released a security update to resolve any associated known vulnerability. The following actions can be taken to help mitigate the threat and identify whether a device has been impacted:
Prevent outbound network traffic on TCP port 8816, to disable the malware’s outbound communication.
Block network traffic to or from the following IP addresses: 104.250.58.192 and 46.8.113.227.
Check the following locations on vulnerable devices for any files; their presence would be an indicator of compromise (IoC): ‘database’ and ‘/database/.updata’.
Configure continuous security monitoring to detect anomalous activity that may be indicative of a compromise.
Further indicators of compromise can be found here: https://github.com/blacklotuslabs/IOCs/blob/main/Hiatus_IoCs.txt
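The network and filesystem indicators listed in the two advisories above lend themselves to a small triage script. The following is an added example written for this page; it is not code from Black Arrow or Black Lotus Labs. It assumes a perimeter firewall exports connection logs as key=value lines (a constructed format used only for illustration) and that the router filesystem can be mounted or copied to a local directory for offline inspection; the sample log lines are constructed and use documentation address ranges.

```python
"""Hiatus IoC triage helpers (added example, not Black Arrow's or Black Lotus Labs' code)."""
import os
import re

# Network indicators taken from the advisory above.
HIATUS_C2_IPS = {"104.250.58.192", "46.8.113.227"}
HIATUS_LISTEN_PORT = 8816
# Filesystem indicators from the advisory, relative to the device root.
HIATUS_IOC_PATHS = ("database", "database/.updata")

_KV = re.compile(r"(\w+)=(\S+)")


def parse_log_line(line):
    """Turn one key=value firewall log line (constructed format) into a dict."""
    return dict(_KV.findall(line))


def classify(line):
    """Return the list of IoC labels matching this log line (empty if clean)."""
    rec = parse_log_line(line)
    hits = []
    if rec.get("src") in HIATUS_C2_IPS or rec.get("dst") in HIATUS_C2_IPS:
        hits.append("hiatus_c2_ip")
    # The RAT binds TCP 8816, so any TCP flow to that port is worth a look.
    # Ports are compared numerically; a malformed dport is ignored.
    try:
        if rec.get("proto") == "tcp" and int(rec.get("dport", -1)) == HIATUS_LISTEN_PORT:
            hits.append("hiatus_port_8816")
    except ValueError:
        pass
    return hits


def scan_log(lines):
    """Run classify() over many lines; return [(line_no, labels)] for hits only."""
    findings = []
    for number, line in enumerate(lines, 1):
        labels = classify(line)
        if labels:
            findings.append((number, labels))
    return findings


def check_device_root(root):
    """Report IoC directories present under `root` and the files they hold.

    `root` is a copy or mount of the router filesystem (assumption).
    """
    findings = {}
    for rel in HIATUS_IOC_PATHS:
        path = os.path.join(root, rel)
        if os.path.isdir(path):
            findings[rel] = sorted(os.listdir(path))
    return findings


# Constructed sample log lines (not real captured traffic).
SAMPLE_LOG = [
    "ts=2023-03-07T10:01:02Z proto=tcp src=192.0.2.10 dst=104.250.58.192 dport=443",
    "ts=2023-03-07T10:01:05Z proto=tcp src=192.0.2.10 dst=203.0.113.5 dport=8816",
    "ts=2023-03-07T10:01:09Z proto=udp src=192.0.2.10 dst=198.51.100.53 dport=53",
    "ts=2023-03-07T10:02:00Z proto=tcp src=46.8.113.227 dst=192.0.2.10 dport=8816",
]

if __name__ == "__main__":
    for number, labels in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(labels)}")
```

The port check is deliberately limited to TCP because the advisory describes a TCP listener; matching on the C2 addresses in either direction catches both the RAT's beaconing and any inbound contact from the second C2 host.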
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity
A link to the report from Black Lotus Labs can be found here: https://blog.lumen.com/new-hiatusrat-router-malware-covertly-spies-on-victims/?utm_source=press+release&utm_medium=referral
Black Arrow Cyber Advisory 04/08/2022 – DrayTek provides patches for a critical vulnerability in their Vigor Routers
Executive Summary
The Trellix Threat Labs vulnerability research team discovered an unauthenticated remote code execution vulnerability affecting multiple DrayTek routers whose management interface is configured to be accessible directly via the internet. The attack can also be performed by a malicious actor with access to the local network, which is the default configuration for these devices.
What’s the risk to me or my business?
This is a one-click attack that can be performed without any user interaction, and can lead to the full compromise of the device. As these devices are on the network perimeter, compromise of these devices can lead to further breaches of other networked systems and data.
What can I do?
The vendor has released patches for this issue on its website, which should be applied out of band due to the severity of the issue. To mitigate the issue externally, management interfaces should never be configured to be directly accessible via the internet-facing interface; however, even with this mitigation it is important that the patch is applied promptly, because of the threat of further compromise from an attacker with local network access.
Technical Summary
The following is a breakdown of the vulnerability with the affected DrayTek products.
CVE-2022-32548: This vulnerability has been given a CVSS 3.0 rating of 10.0. The attack works by exploiting a buffer overflow vulnerability in the login page: a carefully crafted username and/or password can allow an attacker to take control of the “DrayOS” that runs on the routers. Affected models, with the firmware versions below which they are affected, include:
Vigor3910 < 4.3.1.1
Vigor1000B < 4.3.1.1
Vigor2962 Series < 4.3.1.1
Vigor2927 Series < 4.4.0
Vigor2927 LTE Series < 4.4.0
Vigor2915 Series < 4.3.3.2
Vigor2952 / 2952P < 3.9.7.2
Vigor3220 Series < 3.9.7.2
Vigor2926 Series < 3.9.8.1
Vigor2926 LTE Series < 3.9.8.1
Vigor2862 Series < 3.9.8.1
Vigor2862 LTE Series < 3.9.8.1
Vigor2620 LTE Series < 3.9.8.1
VigorLTE 200n < 3.9.8.1
Vigor2133 Series < 3.9.6.4
Vigor2762 Series < 3.9.6.4
Vigor167 < 5.1.1
Vigor130 < 3.8.5
VigorNIC 132 < 3.8.5
Vigor165 < 4.2.4
Vigor166 < 4.2.4
Vigor2135 Series < 4.4.2
Vigor2765 Series < 4.4.2
Vigor2766 Series < 4.4.2
Vigor2832 < 3.9.6
Vigor2865 Series < 4.4.0
Vigor2865 LTE Series < 4.4.0
Vigor2866 Series < 4.4.0
Vigor2866 LTE Series < 4.4.0
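Checking an estate against the table above by eye is error-prone, and a plain string comparison of firmware versions gets cases such as 3.9.10 versus 3.9.8.1 wrong. The following is an added example for this page, not DrayTek's or Trellix's tooling: it encodes the table as given in the advisory, parses firmware strings into numeric tuples, and reports whether each inventory row is at or above the fixed version. It assumes an asset inventory that records a model string and a firmware version per router; the model-name matching rule (case-insensitive, ignoring the words "Series" and "LTE", and falling back to a prefix match so a recorded "Vigor2927Lac" is treated as a Vigor2927) and the sample inventory are assumptions constructed for illustration.

```python
"""Firmware triage for CVE-2022-32548 (added example, not DrayTek's or Trellix's code)."""
import re

# Fixed firmware versions exactly as listed in the advisory above.
FIXED_FIRMWARE = {
    "Vigor3910": "4.3.1.1", "Vigor1000B": "4.3.1.1", "Vigor2962 Series": "4.3.1.1",
    "Vigor2927 Series": "4.4.0", "Vigor2927 LTE Series": "4.4.0",
    "Vigor2915 Series": "4.3.3.2",
    "Vigor2952 / 2952P": "3.9.7.2", "Vigor3220 Series": "3.9.7.2",
    "Vigor2926 Series": "3.9.8.1", "Vigor2926 LTE Series": "3.9.8.1",
    "Vigor2862 Series": "3.9.8.1", "Vigor2862 LTE Series": "3.9.8.1",
    "Vigor2620 LTE Series": "3.9.8.1", "VigorLTE 200n": "3.9.8.1",
    "Vigor2133 Series": "3.9.6.4", "Vigor2762 Series": "3.9.6.4",
    "Vigor167": "5.1.1", "Vigor130": "3.8.5", "VigorNIC 132": "3.8.5",
    "Vigor165": "4.2.4", "Vigor166": "4.2.4",
    "Vigor2135 Series": "4.4.2", "Vigor2765 Series": "4.4.2", "Vigor2766 Series": "4.4.2",
    "Vigor2832": "3.9.6",
    "Vigor2865 Series": "4.4.0", "Vigor2865 LTE Series": "4.4.0",
    "Vigor2866 Series": "4.4.0", "Vigor2866 LTE Series": "4.4.0",
}


def parse_version(text):
    """'4.4.0_STD' -> (4, 4, 0). Tuples compare numerically, so 3.9.10 > 3.9.8.1."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def _norm(model):
    """Normalise a model string: lowercase, drop 'Series'/'LTE' words, no spaces."""
    return "".join(t for t in model.lower().split() if t not in ("series", "lte"))


def _build_index():
    """Map normalised model keys to (advisory label, fixed version tuple)."""
    index = {}
    for label, fixed in FIXED_FIRMWARE.items():
        for part in label.split("/"):          # "Vigor2952 / 2952P" lists two models
            part = part.strip()
            if not part.lower().startswith("vigor"):
                part = "Vigor" + part
            index[_norm(part)] = (label, parse_version(fixed))
    return index


INDEX = _build_index()


def lookup(model):
    """Exact match first, then longest table key that prefixes the model name
    at a non-digit boundary (so a hypothetical Vigor1300 does not match Vigor130)."""
    key = _norm(model)
    if key in INDEX:
        return INDEX[key]
    best = None
    for candidate in INDEX:
        if key.startswith(candidate) and not key[len(candidate):len(candidate) + 1].isdigit():
            if best is None or len(candidate) > len(best):
                best = candidate
    return INDEX[best] if best else None


def assess(model, firmware):
    """Return 'vulnerable', 'patched', or 'not_listed' for one inventory row."""
    entry = lookup(model)
    if entry is None:
        return "not_listed"
    _label, fixed = entry
    return "vulnerable" if parse_version(firmware) < fixed else "patched"


def triage_inventory(rows):
    """rows: iterable of (model, firmware) -> list of (model, firmware, status)."""
    return [(model, fw, assess(model, fw)) for model, fw in rows]


# Constructed sample inventory (model names and versions are assumptions).
SAMPLE_INVENTORY = [
    ("Vigor2927Lac", "4.3.3.1_STD"),     # prefix match to Vigor2927, below 4.4.0
    ("Vigor2952P", "3.9.7.2"),           # exactly the fixed version
    ("Vigor2862 LTE Series", "3.9.8"),   # 3.9.8 is below 3.9.8.1
    ("Vigor2133 Series", "3.9.10"),      # above 3.9.6.4 despite sorting lower as text
    ("Vigor2960", "1.5.1.4"),            # not in the CVE-2022-32548 table
]

if __name__ == "__main__":
    for model, fw, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{model:24} {fw:12} {status}")
```

A "not_listed" result means only that the model is absent from this advisory's table, not that it is safe; the Vigor 2960 in the sample is the model named in the Hiatus alert above, which is a different issue.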
Further technical information on the vulnerability can be found here: Unauthenticated Remote Code Execution in a Wide Range of DrayTek Vigor Routers (trellix.com)
Patches are available from the vendor's website here: Latest Firmwares | DrayTek
Need help understanding your gaps, or just want some advice? Get in touch with us.