DrayTek routers are affected by a zero-day vulnerability that could be exploited by attackers to change DNS settings on some models.

Routers manufactured by the Taiwan-based vendor DrayTek are affected by a zero-day vulnerability that attackers are exploiting to change the DNS settings on some models.

DrayTek has confirmed that it is aware of attackers attempting to exploit the zero-day vulnerability to compromise its routers.

Several users reported on Twitter attacks against their routers in which the DNS settings had been changed to point to 38.134.121.95, an IP address on the network of China Telecom.

A router whose DNS settings point to an attacker-controlled resolver hands every name lookup on the LAN to the attacker, so it is likely the attackers are conducting a Man-in-the-Middle attack, answering queries with forged records to redirect users to bogus clones of legitimate sites and steal their credentials.

DrayTek published a security advisory warning of the attacks and providing instructions on how to check and correct DNS settings.

“In May 2018, we became aware of new attacks against web-enabled devices, which includes DrayTek routers. The recent attacks have attempted to change DNS settings of routers.” reads the security advisory.

“If you have a router supporting multiple LAN subnets, check settings for each subnet. Your DNS settings should be either blank, set to the correct DNS server addresses from your ISP or DNS server addresses of a server which you have deliberately set (e.g. Google 8.8.8.8). A known rogue DNS server is 38.134.121.95 – if you see that, your router has been changed.”
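The advisory's check is easy to apply by hand on one router, but an administrator with a fleet of DrayTek devices will want to run it across every LAN subnet of every router and to catch a single replaced secondary resolver. The script below is an added example, not code from the original article or from DrayTek: it classifies each DNS entry as blank, trusted, the known rogue server from the advisory, or unknown, flags any subnet that is not blank or trusted, and records whether WAN management is enabled. The router names, the ISP resolver addresses 203.0.113.53/54 and the sample configurations are constructed for the example; only 38.134.121.95 and 8.8.8.8 come from the advisory.

```python
import ipaddress

# Rogue resolver named in the DrayTek advisory quoted above.
KNOWN_ROGUE_DNS = {"38.134.121.95"}

# Resolvers the operator deliberately configured. 8.8.8.8 is the advisory's
# example; the 203.0.113.x addresses stand in for ISP resolvers (constructed).
TRUSTED_DNS = {"8.8.8.8", "8.8.4.4", "203.0.113.53", "203.0.113.54"}


def classify_dns_entry(addr, trusted=TRUSTED_DNS, rogue=KNOWN_ROGUE_DNS):
    """Return 'blank', 'trusted', 'rogue', 'unknown' or 'invalid' for one entry."""
    addr = (addr or "").strip()
    if not addr:
        return "blank"
    try:
        ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if addr in rogue:
        return "rogue"
    if addr in trusted:
        return "trusted"
    return "unknown"


def audit_router(router, trusted=TRUSTED_DNS, rogue=KNOWN_ROGUE_DNS):
    """Check every LAN subnet; return (subnet, dns, verdict) for each bad entry.

    Every entry is inspected, so a router whose primary resolver is still the
    ISP's but whose secondary was swapped for the rogue server is still caught.
    """
    findings = []
    for subnet in router["lan_subnets"]:
        for dns in subnet["dns"]:
            verdict = classify_dns_entry(dns, trusted, rogue)
            if verdict not in ("blank", "trusted"):
                findings.append((subnet["name"], dns, verdict))
    return findings


def audit_fleet(routers):
    """Map router name -> status ('compromised', 'review' or 'clean'), findings
    and whether remote (WAN) management is enabled."""
    report = {}
    for router in routers:
        findings = audit_router(router)
        if any(verdict == "rogue" for _, _, verdict in findings):
            status = "compromised"
        elif findings:
            status = "review"
        else:
            status = "clean"
        report[router["name"]] = {
            "status": status,
            "findings": findings,
            "wan_admin": bool(router.get("wan_admin_enabled", False)),
        }
    return report


def corrected_dns(entries, replacement, trusted=TRUSTED_DNS, rogue=KNOWN_ROGUE_DNS):
    """Return the DNS list with every non-blank, non-trusted entry replaced by
    the resolver the operator actually intends (the advisory's 'correct' step)."""
    return [
        e if classify_dns_entry(e, trusted, rogue) in ("blank", "trusted") else replacement
        for e in entries
    ]


# Constructed sample fleet: one clean router, one with the rogue server on its
# second subnet, one with an unrecognised resolver that needs a human look.
SAMPLE_ROUTERS = [
    {"name": "vigor-hq", "wan_admin_enabled": False, "lan_subnets": [
        {"name": "LAN1", "dns": ["", ""]},
        {"name": "LAN2", "dns": ["8.8.8.8", "8.8.4.4"]}]},
    {"name": "vigor-branch", "wan_admin_enabled": True, "lan_subnets": [
        {"name": "LAN1", "dns": ["203.0.113.53", "203.0.113.54"]},
        {"name": "LAN2", "dns": ["203.0.113.53", "38.134.121.95"]}]},
    {"name": "vigor-shop", "wan_admin_enabled": True, "lan_subnets": [
        {"name": "LAN1", "dns": ["198.51.100.7", ""]}]},
]

if __name__ == "__main__":
    for name, entry in audit_fleet(SAMPLE_ROUTERS).items():
        print(name, entry["status"], "wan_admin=%s" % entry["wan_admin"], entry["findings"])
```

Anything reported as "review" is not necessarily an attack, since a resolver the administrator forgot to list as trusted lands there too, but a "compromised" verdict should be treated as a changed router and the device rebuilt from known-good firmware rather than just having its DNS fields edited back.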

The company is already working on firmware updates to patch the issue.

DrayTek published a second advisory listing the affected devices and the firmware versions it plans to release for each of them in the coming days.

Initially, the company suspected that the victims were running DrayTek routers with default credentials, but one of them clarified that their device was not using the factory password, which points to the attackers holding a working exploit rather than simply logging in with default credentials.

Reports coming in DrayTek routers are being mass hacked and DNS servers changed on them (allows traffic redirection and MITM attacks). https://t.co/sfos4B1nVV — Kevin Beaumont (@GossiTheDog) May 18, 2018

The running theme so far is remote admin (WAN mgmt) is enabled (on by default) but password had been changed. Either going to be brute force or exploit. — Kevin Beaumont (@GossiTheDog) May 18, 2018

Searching for DrayTek routers with Shodan finds more than 800,000 devices reachable online, some of which could be compromised with the mysterious exploit.

Pierluigi Paganini

(Security Affairs – DrayTek routers, hacking)
