DrayTek, a Taiwan-based manufacturer of broadband CPE (Customer Premises Equipment) such as routers, switches, firewalls, and VPN devices, announced today that hackers are exploiting a zero-day vulnerability to change DNS settings on some of its routers.

The company confirmed the attacks after several users reported on Twitter that they had found DrayTek routers whose DNS settings had been changed to point at an unknown server at 38.134.121.95.

Anyone out there with DrayTek CPEs want to check that the DNS resolvers on them haven't been set to 38 dot 134 dot 121 dot 95 for me? (If they have been, what device/FW version/remote management enabled/cred strength?) #infosec — Plore GrumpSec Spottycat (@kyhwana) May 18, 2018

@GossiTheDog - I can confirm this is a thing; router compromise and DNS redirect to 38.134.121.95 — ps66uk (@ps66uk) May 18, 2018

We have one hacked so far but literally have hundreds of Drayteks out there, it's a real problem that needs addressed or even acknowledged urgently by Draytek support. — Andrew Speake (@andyspeake1) May 18, 2018

Earlier today, the company issued a security advisory on its UK website with instructions on how to check the router's DNS settings and restore them if they have been altered. DrayTek also promised firmware updates to patch the issue exploited in the attacks.

In a second advisory issued on its international site, the company published a list of devices and firmware versions that are going to be released today and in the coming days. The full list is embedded at the end of this article.
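The advisory's check boils down to "look at the resolver addresses your router and your clients are using". As an added example that is not part of the article or of DrayTek's advisory, the Python below parses a resolv.conf-style resolver list, flags the address reported in these attacks, and separates out the common case where clients only see the router's own LAN address as their resolver, because in that case the hijacked upstream setting is only visible on the router itself. The allow-list of expected public resolvers and the sample resolv.conf text are constructed for illustration and are not taken from any real device.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Resolver address reported in the May 2018 DrayTek DNS-hijack reports.
HIJACK_RESOLVERS = {"38.134.121.95"}

# Hypothetical allow-list of public resolvers you expect to see on your
# network; replace with the ones your ISP or organisation actually uses.
EXPECTED_RESOLVERS = {"1.1.1.1", "8.8.8.8"}

# Constructed sample input, not captured from a real host.
SAMPLE_RESOLV_CONF = """\
# constructed example
nameserver 38.134.121.95
nameserver 192.168.1.1   # router LAN address handed out via DHCP
"""


@dataclass
class Finding:
    resolver: str
    verdict: str  # "hijacked", "local", "expected", "unexpected" or "invalid"


def parse_nameservers(resolv_conf: str) -> list[str]:
    """Return the nameserver addresses from resolv.conf-style text, ignoring comments."""
    servers = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"nameserver\s+(\S+)$", line)
        if match:
            servers.append(match.group(1))
    return servers


def classify(resolvers: list[str],
             expected: set[str] = EXPECTED_RESOLVERS,
             hijack: set[str] = HIJACK_RESOLVERS) -> list[Finding]:
    """Label each resolver address.

    "local" means a private or loopback address (typically the router itself):
    the client cannot see the upstream resolver the router forwards to, so the
    router's own DNS setting still has to be inspected in its admin interface.
    """
    findings = []
    for addr in resolvers:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(Finding(addr, "invalid"))
            continue
        if addr in hijack:
            verdict = "hijacked"
        elif ip.is_private or ip.is_loopback:
            verdict = "local"
        elif addr in expected:
            verdict = "expected"
        else:
            verdict = "unexpected"
        findings.append(Finding(addr, verdict))
    return findings


def is_compromised(findings: list[Finding]) -> bool:
    """True if any configured resolver is a known hijack address."""
    return any(f.verdict == "hijacked" for f in findings)


def needs_router_check(findings: list[Finding]) -> bool:
    """True if the host only sees local resolvers, so the router must be checked directly."""
    return bool(findings) and all(f.verdict == "local" for f in findings)


if __name__ == "__main__":
    results = classify(parse_nameservers(SAMPLE_RESOLV_CONF))
    for f in results:
        print(f"{f.resolver:20} {f.verdict}")
    print("compromised:", is_compromised(results))
    print("check router directly:", needs_router_check(results))
```

A "local" result does not clear the router: a hijacked DrayTek still hands clients its own LAN address via DHCP and silently forwards their queries to the attacker's resolver, so the upstream DNS entries in the router's admin interface are what the advisory tells you to inspect. Where the clients do receive public resolver addresses directly, an "unexpected" verdict against your own allow-list is worth a look even when the address is not the one reported here.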

Routers hacked via exploit, not password-guessing

Initial assessments were that DrayTek router owners were using their default passwords, allowing attackers to log into devices and change settings.

This theory did not hold up: several affected owners clarified that they had changed the default credentials, which means the attacks were most likely carried out using an unknown exploit rather than by logging in.

The running theme so far is remote admin (WAN mgmt) is enabled (on by default) but password had been changed. Either going to be brute force or exploit. — Kevin Beaumont (@GossiTheDog) May 18, 2018

"2 of our draytek routers have had their DNS settings changed but the syslog show that no one signed on," the owner of a hacked DrayTek router wrote on Reddit earlier today, suggesting the settings are being changed without an authenticated login, or at least without one that the router's syslog records.

DrayTek's decision to issue firmware patches also points to a zero-day exploit: vendors ship firmware updates to fix vulnerabilities in their own code, not to address weak or default user passwords.

It is unclear what the attackers were trying to achieve by redirecting DNS requests to an IP address on the network of China Telecom, although some suggested they were setting up a Man-in-the-Middle attack: a resolver under the attacker's control can answer queries for any domain with an attacker-chosen address, most likely to send users to a fake copy of one or more legitimate sites.

The attacks also appear to have been taking place for at least two weeks, based on a Sky Community Forum post.

A simple Shodan search shows over 800,000 DrayTek devices exposed online, although not all of them are necessarily vulnerable to the attackers' as-yet-unknown exploit.

DrayTek devices and the firmware versions listed in the company's advisory:

Vigor120, version 3.8.8.2
Vigor122, version 3.8.8.2
Vigor130, version 3.8.8.2
VigorNIC 132, version 3.8.8.2
Vigor2120 Series, version 3.8.8.2
Vigor2132, version 3.8.8.2
Vigor2133, version 3.8.8.2
Vigor2760D, version 3.8.8.2
Vigor2762, version 3.8.8.2
Vigor2832, version 3.8.8.2
Vigor2860, version 3.8.8
Vigor2862, version 3.8.8.2
Vigor2862B, version 3.8.8.2
Vigor2912, version 3.8.8.2
Vigor2925, version 3.8.8.2
Vigor2926, version 3.8.8.2
Vigor2952, version 3.8.8.2
Vigor3220, version 3.8.8.2
VigorBX2000, version 3.8.8.2
VigorIPPBX2820, version 3.8.8.2
VigorIPPBX3510, version 3.8.8.2
Vigor2830nv2, version 3.8.8.2
Vigor2820, version 3.8.8.2
Vigor2710, version 3.8.8.2
Vigor2110, version 3.8.8.2
Vigor2830sb, version 3.8.8.2
Vigor2850, version 3.8.8.2
Vigor2920, version 3.8.8.2