
Forescout DRAY:BREAK report uncovers critical vulnerabilities in DrayTek routers that raise security concerns

Cybersecurity provider Forescout Technologies has unveiled its research report “DRAY:BREAK,” which uncovers 14 vulnerabilities in Taiwanese network equipment maker DrayTek's widely used routers, affecting hundreds of thousands of devices worldwide. The report highlights potential threats including espionage, data exfiltration, lateral movement and the use of the routers as command and control servers. Aside from Forescout's research, DrayTek routers were recently reported in an FBI operation and CISA added DrayTek vulnerabilities to the list of known exploited vulnerabilities (KEV).

The researchers revealed that if left unaddressed, these vulnerabilities could let attackers gain complete control of the devices, opening the door to ransomware, denial of service and other attacks. As routers become increasingly targeted, the study highlights the need for immediate action, including patching and disabling unnecessary remote access, to protect network devices from growing cyber threats.

Among the 14 vulnerabilities Forescout discovered in its DRAY:BREAK report, one was rated at the highest possible severity with a CVSS score of 10, while another was rated 1. These high-risk vulnerabilities could allow attackers to remotely execute code and carry out operating system command injection attacks.

According to Forescout, while the situation is concerning, it represents an improvement over what we have seen with OT routers vulnerable to Sierra:21. “In this case, less than 10% of the exposed devices were patched against previous issues and 90% were EoL or EoS models.”

It is estimated that there are currently over 704,000 DrayTek routers connected to the Internet worldwide. Of these, more than 425,000 are in the UK and EU and over 190,000 in Asia. A detailed regional breakdown of this risk can be found in the Forescout report. The majority of routers are intended for business use – 75 percent are used commercially. Nearly 40 percent of DrayTek routers are still vulnerable to similar issues identified two years ago and included in the CISA KEV catalog.

The DRAY:BREAK report also found that legacy equipment is at risk. The vulnerabilities found affect 24 DrayTek router models, 11 of which are end-of-life (EoL). Over two-thirds (63 percent) of exposed devices are either End-of-Sale (EoS) or EoL, making them more difficult to patch and protect.

“Routers are critical to keeping internal systems connected to the outside world, but too many companies overlook their security until they are exploited by attackers,” Barry Mainz, CEO of Forescout, said in a media statement. “Cybercriminals are working around the clock to find gaps in router defenses and use them as gateways to steal data or disrupt business operations. Forescout’s DrayTek study is just the latest example showing that routers continue to be the riskiest device category of all assets.”

“To protect against these vulnerabilities, companies must immediately patch affected DrayTek devices with the latest firmware. Disabling unnecessary remote access, implementing access control lists and two-factor authentication, and monitoring for anomalies through syslog logging are all critical steps,” said Daniel dos Santos, head of security research at Forescout Research – Vedere Labs. “Network segmentation is also important to mitigate potential breaches, and outdated devices should be replaced.”

In its DRAY:BREAK report, Forescout said that the DrayTek devices are used by residential customers of Internet Service Providers (ISPs) and by companies of various sizes, and these products are often analyzed by security researchers and targeted by threat actors due to their popularity. According to the National Vulnerability Database (NVD), the first reported vulnerability for DrayTek routers occurred in 2013. Over the past four years, there has been a significant increase in critical vulnerabilities in these products, with at least 18 issues allowing remote execution of code or commands (RCE).

Forescout found that there is significant interest among attackers in exploiting these vulnerabilities. “During 2022-2023, some retired DrayTek Vigor routers were attacked by the Chinese malware HiatusRAT. Another report noted that the ultimate goal was an intelligence investigation against the U.S. Department of Defense. Around the same time, DrayTek devices were highlighted as targets of a threat actor called Volt Typhoon.”

Last year, Forescout researchers observed frequent attack attempts against DrayTek routers in its Adversary Engagement Environment (AEE). These included PPTP connection attempts, login attempts with the 'draytek' username and exploitation attempts of CVE-2020-8515. “Given the widespread use, common vulnerabilities and attacker interest, we decided to further investigate DrayTek devices to uncover new vulnerabilities,” they added.
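The activity pattern just described (repeated logins with the vendor-default 'draytek' username and PPTP or web UI attempts from outside the network) is exactly what the syslog monitoring recommended later in the article is meant to surface. The script below is an added example and is not code from the Forescout report or from DrayTek. It assumes a generic syslog line layout (`<host> <service> login <result> user=<u> src=<ip>`), a constructed sample log using documentation-range addresses, and an organisation-specific list of internal networks; adapt `LINE_RE` and `INTERNAL_NETS` to the real environment.

```python
"""Added example (not from the Forescout report or DrayTek software).

Flags repeated failed logins with a default username arriving from outside the
organisation's own address ranges, and lists every remote-access attempt
(web UI or PPTP) that came from an external source.
"""
import ipaddress
import re
from collections import Counter

# Assumed line layout for this example; real DrayTek syslog output may differ.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<service>Web|PPTP) login (?P<result>failed|ok) "
    r"user=(?P<user>\S+) src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed sample log using RFC 5737 documentation addresses (not real traffic).
SAMPLE_LOG = """\
Oct  3 10:00:01 vigor-hq Web login failed user=draytek src=203.0.113.5
Oct  3 10:00:02 vigor-hq Web login failed user=draytek src=203.0.113.5
Oct  3 10:00:03 vigor-hq Web login failed user=draytek src=203.0.113.5
Oct  3 10:00:04 vigor-hq PPTP login failed user=admin src=198.51.100.7
Oct  3 10:05:00 vigor-hq Web login ok user=netops src=10.0.0.12
Oct  3 10:06:00 vigor-hq Web login failed user=draytek src=10.0.0.13
"""

# 'draytek' is the username cited in the article; 'admin' is an assumed addition.
DEFAULT_USERS = frozenset({"draytek", "admin"})

# The organisation's own address plan (assumed RFC 1918 here). Anything outside
# these ranges is treated as external; documentation ranges therefore count as external.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_log(text):
    """Yield one dict per line matching the assumed layout; silently skip others."""
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            yield match.groupdict()


def is_external(ip):
    """True when the address is outside every configured internal network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_default_user_failures(text, threshold=3):
    """Return {(src, user): count} for external sources that failed to log in
    with a default username at least `threshold` times."""
    counts = Counter(
        (e["src"], e["user"])
        for e in parse_log(text)
        if e["result"] == "failed" and e["user"] in DEFAULT_USERS and is_external(e["src"])
    )
    return {key: n for key, n in counts.items() if n >= threshold}


def external_remote_access(text):
    """Sorted list of (service, src) pairs for any login attempt, successful or
    not, that originated outside the internal networks. If remote access is
    meant to be disabled, this list should be empty."""
    return sorted({(e["service"], e["src"]) for e in parse_log(text) if is_external(e["src"])})


if __name__ == "__main__":
    for (src, user), n in find_default_user_failures(SAMPLE_LOG).items():
        print(f"ALERT: {n} failed logins as '{user}' from external {src}")
    for service, src in external_remote_access(SAMPLE_LOG):
        print(f"NOTE: {service} access attempted from external {src}")
```

On the constructed sample, the three 'draytek' failures from 203.0.113.5 trigger an alert, the single 'admin' failure over PPTP stays below the threshold but still appears in the external-access list, and the failures from 10.0.0.13 are ignored because that address is internal. Feeding the router's syslog stream into this logic (via a collector) gives the "monitoring for anomalies through syslog logging" step a concrete trigger.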

The researchers found that many DrayTek devices run DrayOS, which is described as “a proprietary closed operating system with no backdoor that provides the layer of security the corporate network needs.” DrayOS either runs on bare metal or is emulated by a host Linux operating system on various routers. Firmware with DrayOS can be downloaded online for free, but the files are packaged and encrypted.

“Building on the research of Philippe Laulheret and CataLpa, we were able to decrypt and emulate the latest firmware for DrayTek Vigor3910 (v4.3.2.6),” the researchers said. “The primary file we analyzed was sohod64.bin, a monolithic kernel image of DrayOS that the 391x series devices (and others) run via QEMU on their Linux host operating system. We discovered that the sohod64.bin binary is fairly ‘flat’ and includes all the functionality of the device accessible to the user. No binary hardening mechanisms such as stack canaries, ASLR or PIE are used. This may be due to the use of a real-time operating system that requires deterministic memory access.”

Additionally, Forescout reported that the heap and stack can contain executable code, making buffer overflows easy to exploit in this firmware. “In previous investigations, we thoroughly searched for vulnerabilities in a selected device or its components. This time we targeted the shortest path to a new remote code execution exploit that doesn't rely on user interaction. We focused on the web user interface, which is used to manage and configure DrayTek devices via a web browser. This component is frequently exposed to the Internet, has been found vulnerable on multiple occasions recently, and probably has the largest attack surface.”

The research report found that about 785,000 DrayTek devices are running Wi-Fi networks in the wild. According to the provider, the DrayTek Vigor web interface should only be accessible over a local network for security reasons. However, Forescout found over 704,000 DrayTek routers whose UI (user interface) is exposed to the Internet.

“According to search engine Shodan, a significant proportion of these devices (38%) are also vulnerable to similar issues discovered two years ago,” Forescout reported. “DrayTek routers were found in 168 countries, with the UK alone accounting for 36% of these, followed by Vietnam at 17% and the Netherlands at 9%.” The concentration of devices in these countries appears to be linked to the use of DrayTek routers by popular ISPs. These online routers run 686 unique firmware versions and “variants.”

It added that the most popular version (3.8.9.2) was released over six years ago, in May 2018. “There are 11 variants online with names like 'BT', 'TW', 'STD', etc. Overall, these 11 flavors account for 8.5% of all routers. The latest version found online (56 branches and variants of version 4.4.5.X) covers less than 3% of all devices.”

Even more worrying, Shodan identified 27 router models online, 13 of which are end-of-sale (EoS) or end-of-life (EoL) models, while 63 percent of the exposed routers are EoS or EoL models.

Organizations are advised to identify the DrayTek routers on their network and the firmware version each is running, ensure the latest firmware updates are applied to patch and resolve the vulnerabilities, and identify end-of-life (EoL) routers and consider replacing them. Additionally, they should disable remote access features when not needed to reduce exposure, and mitigate risk by enabling access control lists, multi-factor authentication and syslog logging.
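The recommendations above amount to a triage of every router in the inventory: is the model end-of-life, is the firmware older than the fixed release, is the web UI reachable from the WAN, and is remote access switched on. The script below is an added example, not code from the Forescout report or from DrayTek, that turns those questions into a prioritised action list. It assumes a simple CSV inventory format, a placeholder minimum fixed version (the real value comes from the vendor advisory and differs per model) and a placeholder EoL model set (the real list is the vendor's). The firmware version parser handles the variant suffixes the article mentions ('BT', 'TW', 'STD'), which must be stripped before versions can be compared numerically.

```python
"""Added example (not from the Forescout report or DrayTek): prioritise
remediation across a router inventory.

MIN_FIXED_VERSION and EOL_MODELS are placeholders for this example; take the
real values from the vendor advisory and end-of-life list for each model.
"""
import csv
import io

MIN_FIXED_VERSION = "4.4.5.0"                   # placeholder; per-model value from the vendor advisory
EOL_MODELS = frozenset({"Vigor-EOL-Example"})   # placeholder model name, not a real EoL list

# Constructed inventory. Firmware strings seen online carry variant suffixes
# such as '_BT' or '_TW'; the article counts 11 such variants.
INVENTORY_CSV = """\
hostname,model,firmware,wan_admin_ui,remote_access
branch-1,Vigor3910,4.3.2.6,yes,yes
branch-2,Vigor-EOL-Example,3.8.9.2_BT,no,yes
hq-1,Vigor3910,4.4.5.1,no,no
"""


def parse_version(firmware):
    """Split '4.4.5.1_BT' into ((4, 4, 5, 1), 'BT').

    The numeric part is padded to four components so that '4.4.5' and
    '4.4.5.0' compare equal; the variant tag is kept for reporting only.
    """
    base, _, variant = firmware.partition("_")
    parts = tuple(int(p) for p in base.split("."))
    return parts + (0,) * (4 - len(parts)), variant


def is_outdated(firmware, minimum=MIN_FIXED_VERSION):
    """True when the numeric firmware version is below the minimum fixed version."""
    return parse_version(firmware)[0] < parse_version(minimum)[0]


def assess_device(row, minimum=MIN_FIXED_VERSION, eol_models=EOL_MODELS):
    """Apply the article's checks to one inventory row and score the urgency.

    Scoring (assumed for this example): EoL model 3, outdated firmware 2,
    web UI exposed on the WAN 3, remote access enabled 1. An EoL device is
    flagged for replacement rather than for a firmware update.
    """
    actions, score = [], 0
    if row["model"] in eol_models:
        actions.append("replace: model is end-of-life, no fix expected")
        score += 3
    elif is_outdated(row["firmware"], minimum):
        actions.append(f"update firmware {row['firmware']} to >= {minimum}")
        score += 2
    if row["wan_admin_ui"] == "yes":
        actions.append("web UI reachable from WAN: restrict with ACL, LAN-only management")
        score += 3
    if row["remote_access"] == "yes":
        actions.append("remote access enabled: disable if unused, else require MFA and syslog")
        score += 1
    return {"hostname": row["hostname"], "model": row["model"],
            "firmware": row["firmware"], "score": score, "actions": actions}


def triage(csv_text, minimum=MIN_FIXED_VERSION, eol_models=EOL_MODELS):
    """Assess every row of the CSV inventory and return results, most urgent first."""
    rows = csv.DictReader(io.StringIO(csv_text))
    results = [assess_device(row, minimum, eol_models) for row in rows]
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for result in triage(INVENTORY_CSV):
        print(f"[{result['score']}] {result['hostname']} ({result['model']}, {result['firmware']})")
        for action in result["actions"]:
            print("    -", action)
```

On the constructed inventory, the branch router with old firmware and a WAN-exposed web UI ranks first, the end-of-life model second (replacement, not patching), and the up-to-date head-office device needs no action. Exporting the real inventory from a configuration management or discovery tool into this CSV shape is the only integration step.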

Last month, Forescout revealed that operational technology (OT) and IoT cellular routers, as well as others used in small offices and homes, have outdated software components linked to existing (n-day) vulnerabilities. The Forescout Finite State report analyzed five firmware images from OT/IoT router vendors, including Acksys, Digi, MDEX, Teltonika and Unitronics, and examined the state of the software supply chain in OT/IoT routers, which are crucial for connecting devices to the Internet across different environments.