More than 800,000 DrayTek routers at risks due to a mysterious zero-day exploit
19.5.2018 securityaffairs Exploit
DrayTek routers are affected by a zero-day vulnerability that could be exploited by attackers to change DNS settings on some models.
Routers manufactured by the Taiwan-based vendor DrayTek are affected by a zero-day vulnerability that could be exploited by attackers to change DNS settings on some of its routers.
DrayTek confirmed to be aware that hackers are attempting to exploit the zero-day vulnerability to compromise its routers.
Many users reported on Twitter cyber attacks against its routers, in these cases, hackers have changed DNS settings of the routers to point to a server having the 38.134.121.95 IP address on the network of China Telecom.
It is likely attackers are conducting a Man-in-the-Middle attack to redirect users to bogus clones of legitimate sites to steal their credentials.
DrayTek published a security advisory warning of the attacks and providing instructions on how to check and correct DNS settings.
In May 2018, we became aware of new attacks against web-enabled devices, which includes DrayTek routers. The recent attacks have attempted to change DNS settings of routers. reads the security advisory.
If you have a router supporting multiple LAN subnets, check settings for each subnet. Your DNS settings should be either blank, set to the correct DNS server addresses from your ISP or DNS server addresses of a server which you have deliberately set (e.g. Google 8.8.8.8). A known rogue DNS server is 38.134.121.95 if you see that, your router has been changed.
The company is already working on a firmware updates to patch the issue.
DrayTek published a second advisory that includes the list of devices and firmware versions that it is going to release in the coming days.
Initially, the company suspected that victims of the attacks were using DrayTek routers with default credentials, but one of them clarified that its device wasnt using factory settings, a circumstance that confirms that attackers are in possession of a zero-day exploit.
Kevin Beaumont
✔
@GossiTheDog
Reports coming in DrayTek routers are being mass hacked and DNS servers changed on them (allows traffic redirection and MITM attacks). https://twitter.com/adamitec/status/997237081461133312
11:35 AM - May 18, 2018
69
89 people are talking about this
Twitter Ads info and privacy
Kevin Beaumont
✔
@GossiTheDog
18 May
Reports coming in DrayTek routers are being mass hacked and DNS servers changed on them (allows traffic redirection and MITM attacks). https://twitter.com/adamitec/status/997237081461133312
Kevin Beaumont
✔
@GossiTheDog
😢 pic.twitter.com/xMXak22JNG
11:37 AM - May 18, 2018
20
15 people are talking about this
Twitter Ads info and privacy
Kevin Beaumont
✔
@GossiTheDog
18 May
Replying to @GossiTheDog
😢 pic.twitter.com/xMXak22JNG
Kevin Beaumont
✔
@GossiTheDog
The running theme so far is remote admin (WAN mgmt) is enabled (on by default) but password had been changed. Either going to be brute force or exploit.
1:24 PM - May 18, 2018
11
See Kevin Beaumont's other Tweets
Twitter Ads info and privacy
Searching for DrayTek routers online with Shodan we can find more than 800,000 connected devices connected online, some of them could be potentially compromised with the mysterious exploit.