Thursday, November 21, 2024

UK Telecoms, Including BT, Face Risks from DrayTek Router Vulnerabilities

Several of the UK’s prominent communication service providers (CSPs), including well-known B2B companies like Daisy Communications, Gamma Telecom, Zen Internet, and even BT, may face considerable risks due to a recently disclosed set of 14 vulnerabilities affecting DrayTek’s Vigor router devices. The vulnerabilities were disclosed on Wednesday, October 2, by Forescout.

DrayTek released patches for all identified vulnerabilities prior to the coordinated announcement. However, Forescout reported that more than 704,000 routers were still exposed online at the time of the disclosure. This comes in the wake of the FBI dismantling a botnet involving DrayTek devices linked to Chinese espionage just weeks earlier, raising concerns about further potential compromises.

According to Forescout researchers Stanislav Dashevskyi and Francesco La Spina, around 75% of the affected devices are deployed in commercial environments. They emphasized the serious implications for business operations and reputation, stating, “A successful attack could result in significant downtime, customer trust erosion, and regulatory penalties, all of which are the responsibility of the CISO.”

The vulnerabilities vary in severity and impact. They include one enabling complete system compromise, two allowing reflected cross-site scripting (XSS) attacks, two enabling stored XSS attacks, six facilitating denial of service (DoS) and remote code execution (RCE), one that permits only DoS, and another allowing operating system command execution and virtual machine escape. Additionally, there is one that allows for information disclosure and man-in-the-middle attacks.

The most critical vulnerability, with a CVSS score of 10, is CVE-2024-41592, which results in DoS and RCE. This flaw lies in a function within the router’s web user interface (UI) that is susceptible to a buffer overflow when processing HTTP request data passed through query string parameters. When it is combined with CVE-2024-41585, an OS command execution vulnerability and the second most severe of the set, attackers can gain remote root access, perform network reconnaissance, and move laterally, which could lead to botnet activity or the deployment of malware or ransomware.

Furthermore, an analysis by Censys shows that a majority of the exposed DrayTek Vigor devices are located in the UK, followed by Vietnam, the Netherlands, and Taiwan. Out of the total 704,000 vulnerable devices, 421,476 have the VigorConnect admin UI accessible online. Censys stated that networks with the highest concentrations of these interfaces include a mix of major national ISPs and regional telecom providers, with Taiwan-based HINET leading the list due to DrayTek’s Taiwanese origins.

In the UK, Censys identified 35,866 vulnerable hosts at Gamma Telecom, 31,959 at BT, 21,275 at Daisy Communications, and 13,147 at Zen Internet. In continental Europe, KPN in the Netherlands has 9,921 vulnerable hosts, and Deutsche Telekom in Germany has 7,732.

Operators of the affected Vigor routers are being urged to update their firmware immediately, restrict public access to administrative web UIs, and implement multifactor authentication (MFA) for enhanced security. A spokesperson for BT acknowledged awareness of the vulnerability and indicated that the company is collaborating with external vendors to implement remediation measures.

Additionally, the FBI’s September 2024 operation targeted threat actors exploiting DrayTek devices, as well as products from other vendors. This operation focused on a China-based entity that served as a front for Beijing’s intelligence-gathering activities, utilizing networking hardware and IoT devices to create a Mirai botnet comprising 250,000 devices.

Integrity Technology Group, purportedly a network security services provider based in China, has been linked by the FBI to actions consistent with a state-backed threat actor known as Flax Typhoon. This advanced persistent threat (APT) group has been active since 2021, primarily targeting networks owned by Taiwanese organizations, although it has also been observed attacking entities across Southeast Asia, Africa, and North America, particularly within government bodies, educational institutions, and IT and manufacturing sectors.