Massive Ransomware Campaign Targets DrayTek Routers
Forescout Research – Vedere Labs, in collaboration with PRODAFT, has documented a large ransomware campaign that exploited vulnerabilities in DrayTek Vigor routers, another case of network perimeter devices being used as the initial foothold. The findings, disclosed in their “Dray:Break” report, describe a division of labour among several criminal groups that combined suspected zero-day vulnerabilities, credential harvesting, and abuse of the routers’ VPN functionality to compromise over 20,000 devices worldwide.
DrayTek Vigor routers, particularly legacy models such as the Vigor300B, Vigor2960, and Vigor3900, are widely deployed in small and mid-sized networks and frequently expose their management interface to the internet, which is what makes them attractive to attackers. According to Forescout, “network perimeter devices have become a critical initial access target for sophisticated threat actors.” The campaign exploited vulnerabilities in the “mainfunction.cgi” endpoint of the devices’ WebUI, a component that has been the subject of repeated security issues in DrayTek’s firmware.
The campaign involved at least three distinct threat actor groups:
- Monstrous Mantis (Ragnar Locker): This group ran the first stage of the operation, identifying and exploiting the router vulnerabilities, extracting the stored credentials, and decrypting them into plaintext. The credentials were then shared only with a small set of trusted partners, which allowed follow-on attacks while limiting how many parties knew about the exploitation method.
- Ruthless Mantis (PTI-288): This ransomware group used the shared credentials to deploy strains like Nokoyawa and Qilin, focusing on enterprises in the UK and the Netherlands, compromising at least 337 organizations.
- LARVA-15 (Wazawaka): Acting as an Initial Access Broker, LARVA-15 monetized intrusions by selling compromised access to other groups. Their operations targeted a wide range of victims across Europe, Australia, and Asia.
This structured collaboration underscores the growing specialization within the cybercriminal ecosystem. “This highly specialized and transactional model exemplifies the increasing complexity of modern cybercriminal ecosystems,” the report notes.
Between August and September 2023, the attackers exploited suspected zero-day vulnerabilities to gain access to DrayTek routers, steal credentials, and deploy ransomware in victim networks. Incidents linked to the campaign include the supply chain attack on Greater Manchester Police, which illustrates the downstream impact of a compromised edge device. The intrusion chain combined phishing, password cracking, and the suspected zero-day vulnerabilities in a methodical, repeatable process.
PRODAFT assesses that the attackers likely relied on a series of previously undocumented vulnerabilities. Supporting this assessment, 22 new CVEs related to the “mainfunction.cgi” endpoint were published in late 2024, and devices running firmware that had been patched for earlier issues in that endpoint were still vulnerable to the new ones.
Forescout and PRODAFT urge organizations to act swiftly to mitigate risks:
- Enhance Visibility: Monitor network perimeter devices and their communication patterns, in particular access to the WebUI and VPN logins originating from addresses outside the management network.
- Patch Promptly: Apply firmware updates that address known vulnerabilities, verify after updating that the running version is the fixed one, and plan to replace end-of-life devices that no longer receive patches.
- Strengthen Credentials: Replace default or weak passwords with strong, unique ones, and rotate any credentials that were stored on a router that may have been exposed, since the campaign recovered stored credentials in plaintext.
- Network Segmentation: Isolate critical devices and restrict management access to trusted networks so that a compromised router does not become a path for lateral movement.
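The visibility recommendation above is easiest to act on with a concrete check. The following script is an added example, not code from the Forescout or PRODAFT report: it scans constructed web access log lines for a router’s WebUI placed behind a proxy or firewall, and flags two patterns the article describes, requests to the mainfunction.cgi endpoint from addresses outside a management allowlist, and bursts of failed logins from one source that suggest password cracking. The log format, the management networks, the `/cgi-bin/` path prefix and the thresholds are all assumptions for the example.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed management networks: only these should ever reach the router WebUI.
MGMT_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]

# The WebUI endpoint named in the report as the recurring weak point.
# The /cgi-bin/ prefix is an assumption for this example.
WEBUI_ENDPOINT = "/cgi-bin/mainfunction.cgi"

# Constructed log format (not real DrayTek output): combined-style lines from a
# proxy or firewall sitting in front of the router.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

BRUTE_FORCE_THRESHOLD = 5  # failed WebUI requests from one source within the window


def parse_line(line):
    """Return a dict with ip, timestamp, method, path and status, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_management(ip):
    """True if the source address belongs to one of the allowlisted management networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MGMT_NETWORKS)


def analyze(lines, window_seconds=60):
    """Return a list of (kind, source_ip, detail) findings for WebUI traffic."""
    untrusted = Counter()          # requests to the endpoint per non-management source
    failures = defaultdict(list)   # timestamps of 401/403 responses per source
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(WEBUI_ENDPOINT):
            continue
        if not is_management(rec["ip"]):
            untrusted[rec["ip"]] += 1
        if rec["status"] in (401, 403):
            failures[rec["ip"]].append(rec["ts"])

    findings = []
    for ip, n in sorted(untrusted.items()):
        findings.append(("webui_from_untrusted", ip, f"{n} request(s) to {WEBUI_ENDPOINT}"))
    for ip, times in sorted(failures.items()):
        times.sort()
        start = 0
        # Sliding window: flag the source once it accumulates enough failures in window_seconds.
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= BRUTE_FORCE_THRESHOLD:
                findings.append(("credential_guessing", ip,
                                 f"{end - start + 1} auth failures within {window_seconds}s"))
                break
    return findings


# Constructed sample log, not captured traffic.
SAMPLE_LOG = [
    # legitimate admin session from the management network
    '10.0.5.20 - - [12/Aug/2023:09:00:01 +0000] "POST /cgi-bin/mainfunction.cgi HTTP/1.1" 200 512',
    # unrelated traffic through the same proxy
    '203.0.113.7 - - [12/Aug/2023:09:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024',
    # five failed WebUI logins from an internet address in under a minute
    '198.51.100.23 - - [12/Aug/2023:09:01:00 +0000] "POST /cgi-bin/mainfunction.cgi HTTP/1.1" 401 0',
    '198.51.100.23 - - [12/Aug/2023:09:01:08 +0000] "POST /cgi-bin/mainfunction.cgi HTTP/1.1" 401 0',
    '198.51.100.23 - - [12/Aug/2023:09:01:15 +0000] "POST /cgi-bin/mainfunction.cgi HTTP/1.1" 401 0',
    '198.51.100.23 - - [12/Aug/2023:09:01:22 +0000] "POST /cgi-bin/mainfunction.cgi HTTP/1.1" 401 0',
    '198.51.100.23 - - [12/Aug/2023:09:01:31 +0000] "POST /cgi-bin/mainfunction.cgi HTTP/1.1" 401 0',
    # one successful request to the endpoint from a different internet address
    '198.51.100.77 - - [12/Aug/2023:09:02:00 +0000] "POST /cgi-bin/mainfunction.cgi HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for kind, ip, detail in analyze(SAMPLE_LOG):
        print(f"{kind:22} {ip:16} {detail}")
```

The successful request from 198.51.100.77 is the finding to treat most seriously: a single 200 response to the vulnerable endpoint from an internet address is consistent with exploitation that needs no login, so it should be triaged rather than dismissed because it is not a brute-force pattern. Feeding the script real proxy or firewall logs only requires adapting `LOG_RE` and `MGMT_NETWORKS`.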