The Taiwanese manufacturer of network equipment, DrayTek warns on its website for hacking attempts where the DNS settings of DrayTek routers are changed due to an unknown vulnerability. Once the DNS is changed, attackers can intercept traffic and automatically redirect victims to malicious websites. More than 700,000 devices are potentially affected.
DrayTek states it found out about the attacks this month. The attacks are only against web-enabled devices and the attacks appear to work even if the remote access functionality of the router is disabled. Although DrayTek states it won't provide further details, the attack is likely similar to similar attacks against routers of other vendors. Similar to other attacks, the attackers are very likely able to change the DNS settings through a so-called CSRF attack. This means the attackers change the settings without entering the control panel.
Even worse, it's likely that the victims themselves are injecting the rogue code of the attackers. Compromised websites and/or infected advertisements might contain code that forces the victim's browser to execute malicious code on a different website, in this case that different website is the control panel of the victim's router. The malicious code takes care of changing the DNS settings. Normally this shouldn't happen and the cause is usually bad security practices, bad programming or a bug.
The DNS is changed to a DNS server under control of the attackers. That gives them pretty much full control over the user's internet connection. They can e.g. log which websites the victim visits, redirect victims to fake banking websites, hijack search queries and inject advertisements on websites.
While DrayTek is working on a firmware update, the company recommends users to check the DNS and DHCP settings of their router, disable remote access at least until a patch is available, make sure the connection to your router is encrypted (address starts with HTTPS://) and to report anything suspicious to the company. If the DNS and DHCP settings have been changed by the attackers, DrayTek advises to restore a backup or to check and correct the settings. DrayTek also advises to check that no other admin users have been added and recommends to read their CSRF explanation page.
The majority of the affected devices will likely be from DrayTek's Vigor series which consists of mainly routers and/or DSL modems. Device tracking service Shodan reports there are about 790,000 DrayTek Vigor devices connected to the internet of which about 260,000 are in the United Kingdom and about 140,000 are in the Netherlands. Other countries where DrayTek Vigor products are widely in use are Vietnam, Germany and Taiwan.
Because DrayTek has not released a patch for the issue and because it's already exploited in the wild, the attacks are now regarded as so-called zero day attacks.
