Forescout discovers security flaws in DrayTek routers

Forescout Technologies has released a report identifying 14 security vulnerabilities in DrayTek routers.

These vulnerabilities, outlined in the 'DRAY:BREAK' research report, have significant implications for cybersecurity, highlighting risks that could lead to various malicious activities such as espionage, data exfiltration, lateral movement, and potentially turning the routers into command-and-control servers. The routers in question have a significant presence worldwide, including 31,365 units in Australia and 5,132 in New Zealand, predominantly used for business purposes.

The report underlines a growing concern noted by the Australian Signals Directorate's annual findings about the increase in breaches involving routers. This disclosure emphasizes the urgent need to bolster security measures, particularly in critical industries, to safeguard against potential threats.

Barry Mainz, Chief Executive Officer of Forescout, commented on the situation: "Routers are crucial for keeping internal systems connected to the outside world yet too many organisations overlook their security until they are exploited by attackers. Cybercriminals work around the clock to find cracks in routers' defences, using them as entry points to steal data or cripple business operations. Forescout's DrayTek research is just the latest example to show how routers continue to be the riskiest device category across all assets."

From a global perspective, the exposure of DrayTek routers is considerable. Forescout's study found that over 704,000 DrayTek routers are exposed to the internet, with over 425,000 situated in the UK and EU and more than 190,000 in Asia. The research indicated that about 40% of these routers remain vulnerable to issues that were first identified two years ago and are listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, underscoring persistent security gaps.

The vulnerabilities impact 24 DrayTek router models, of which 11 are end-of-life devices, making it challenging to apply necessary patches. Altogether, 63% of the exposed devices are either end-of-sale or end-of-life, suggesting that companies face additional obstacles in maintaining these routers' defenses against cyber threats.

Potential attack scenarios described in the report include deploying a persistent rootkit to monitor and analyse network traffic, which could lead to the interception of sensitive data such as login credentials and confidential information. Furthermore, the vulnerabilities may allow attackers to move laterally within a network, posing risks of ransomware or denial-of-service attacks, or converting the routers into botnets. Particularly powerful routers, such as the DrayTek Vigor3910, might be exploited as command-and-control servers.

DrayTek has responded by patching all firmware vulnerabilities identified through Forescout's research. However, organisations are advised to implement further mitigation strategies.

Daniel dos Santos, Head of Security Research at Forescout Research – Vedere Labs, emphasised the importance of these measures: "To safeguard against these vulnerabilities, organisations must immediately patch affected DrayTek devices with the latest firmware. Disabling unnecessary remote access, implementing Access Control Lists and two-factor authentication, and monitoring for anomalies through syslog logging are all crucial steps. Network segmentation is also essential to contain any potential breaches, and outdated devices should be replaced."

The report provides detailed insights into the vulnerabilities and potential protective measures required. This information is part of Forescout's efforts to enhance awareness and establish stronger security protocols across networks globally.