Taiwanese router-maker DrayTek is working to issue an emergency security update after reports emerged that customers had been hit by a zero-day attack.
The vulnerability in question allowed hackers to change the router’s DNS settings, enabling them to redirect unsuspecting users to phishing or other malicious sites.
An urgent notice posted by the company stated the following:
“We have become aware of security reports with DrayTek routers related to the security of web administration when managing DrayTek routers. In some circumstances, it may be possible for an attacker to intercept or create an administration session and change settings on your router. The reports appear to show that DNS settings are being altered. Specific improvements have been identified as necessary to combat this and we are in the process of producing and issuing new firmware. You should install that as soon as possible.”
DrayTek urged users in the meantime to check their DNS settings and correct them if altered or restore them from a config back-up.
“We also recommend only using secured (TLS1.2) connections for web admin (for local and remote admin) and disable remote admin unless needed, or until firmware is updated,” it added.
The affected models are: Vigor2120; 2133; 2760D; 2762; 2832; 2860; 2862; 2862B; 2912; 2925; 2926; 2952; 3200; 3220; BX2000; 2830nv2; 2830; 2850; and 2920.
There are thought to be in the region of 800,000 DrayTek routers in the wild globally, although it’s not known how many are vulnerable to the bug.
Nominet researcher Sion Lloyd argued that because DNS is the underlying protocol that directs internet traffic, it is overlooked by admins and therefore seen as a prime target by hackers.
“In order to mitigate or prevent attacks prior to patching hardware, security teams should pay heed to their threat intel feeds, which will include blacklisted domains/IP addresses, and make sure this data is applied in a timely manner,” he added. “Blocking known bad identifiers is a game of cat and mouse, but it is an effective way of severing connections to servers which are out to abuse your users. Also monitoring for changes to configuration files or DNS traffic being sent to new or unexpected servers would give an alert that something might require remediation.”
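The two defensive checks described above, DrayTek's advice to compare the router's DNS settings against a config backup and Lloyd's suggestion to alert on DNS traffic heading to unexpected resolvers, can both be automated. The script below is an added example written for this article; it is not DrayTek's or Nominet's code. The DNS addresses, the "known bad" resolver, the log line format and the log lines themselves are all constructed for the example (documentation-range IPs), and the field names `primary`/`secondary` are assumptions, not DrayTek's configuration keys.

```python
"""Two DNS-hijack indicators: router DNS config drift, and DNS traffic to
resolvers that are not on the approved list (optionally matched against a
threat-intel blocklist)."""
import ipaddress
import re
from collections import Counter

# --- Part 1: DNS configuration drift -------------------------------------
# Constructed values. In practice "expected" comes from the last known-good
# configuration backup and "current" from the router's live settings.
EXPECTED_DNS = {"primary": "192.0.2.53", "secondary": "192.0.2.54"}
CURRENT_DNS_CLEAN = {"primary": "192.0.2.53", "secondary": "192.0.2.54"}
CURRENT_DNS_ALTERED = {"primary": "198.51.100.7", "secondary": "192.0.2.54"}


def dns_config_drift(expected, current):
    """Return [(setting, expected_value, actual_value)] for every DNS entry
    whose live value differs from the known-good backup (empty list = clean)."""
    return [(key, want, current.get(key))
            for key, want in expected.items()
            if current.get(key) != want]


# --- Part 2: DNS traffic to unexpected resolvers -------------------------
# Constructed firewall-style flow log. The line format is an assumption made
# for this example, not any vendor's real log format.
SAMPLE_LOG = """\
2018-01-01T10:00:01Z src=10.0.0.12 dst=192.0.2.53 dport=53 proto=udp
2018-01-01T10:00:02Z src=10.0.0.12 dst=192.0.2.53 dport=53 proto=udp
2018-01-01T10:00:03Z src=10.0.0.15 dst=198.51.100.7 dport=53 proto=udp
2018-01-01T10:00:04Z src=10.0.0.15 dst=198.51.100.7 dport=53 proto=udp
2018-01-01T10:00:05Z src=10.0.0.15 dst=198.51.100.7 dport=853 proto=tcp
2018-01-01T10:00:06Z src=10.0.0.20 dst=203.0.113.10 dport=443 proto=tcp
2018-01-01T10:00:07Z src=10.0.0.21 dst=203.0.113.99 dport=53 proto=tcp
this line is malformed and must be skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)
DNS_PORTS = {53, 853}  # classic DNS and DNS-over-TLS


def unexpected_dns_traffic(log_text, allowed_resolvers, known_bad=()):
    """Aggregate DNS flows whose destination is not an approved resolver.

    Returns a list of alert dicts, one per (client, resolver) pair, with
    severity "high" when the resolver is on the threat-intel blocklist and
    "medium" otherwise. High-severity alerts sort first."""
    allowed = {ipaddress.ip_address(a) for a in allowed_resolvers}
    bad = {ipaddress.ip_address(a) for a in known_bad}
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or int(m["dport"]) not in DNS_PORTS:
            continue  # skip malformed lines and non-DNS flows
        dst = ipaddress.ip_address(m["dst"])
        if dst in allowed:
            continue
        severity = "high" if dst in bad else "medium"
        counts[(m["src"], str(dst), severity)] += 1
    alerts = [{"src": s, "resolver": d, "severity": sev, "flows": n}
              for (s, d, sev), n in counts.items()]
    return sorted(alerts, key=lambda a: (a["severity"] != "high", a["src"]))


if __name__ == "__main__":
    for finding in dns_config_drift(EXPECTED_DNS, CURRENT_DNS_ALTERED):
        print("DNS setting altered:", finding)
    for alert in unexpected_dns_traffic(SAMPLE_LOG, EXPECTED_DNS.values(),
                                        known_bad=["198.51.100.7"]):
        print("Unexpected resolver:", alert)
```

The first check is the one to run immediately on an unpatched router: any non-empty drift list means the settings should be restored from backup. The second check is the ongoing control; it keys on destination port rather than on payload, so it works from ordinary firewall flow logs and still catches a client that has been pointed at a rogue resolver even before that resolver appears on a blocklist.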