Business-grade routers compromised in low-key attack campaign
2023-03-06 15:59

An unknown threat actor has discreetly compromised business-grade DrayTek routers in Europe, Latin and North America, equipping them with a remote access trojan and a packet capturing program.

"The impacted models are high-bandwidth routers that can support VPN connections for hundreds of remote workers and offer ideal capacity for the average, medium-sized business. We suspect the actor infects targets of interest for data collection, and targets of opportunity for the purpose of establishing a covert proxy network," Lumen researchers have posited.

The researchers haven't been able to pinpoint how the threat actor compromised the devices, but they know what happens next: a deployed bash script retrieves the HiatusRAT and a tcpdump variant.

According to Lumen's telemetry, the campaign has resulted in the successful compromise of around 100 routers.

The compromised routers likely belong to medium-sized businesses that use them as the gateway to their corporate network, or to smaller organizations of interest within ISP customer ranges.

The campaign has been very low-key, and organizations may have trouble spotting a compromised device.

News URL

https://www.helpnetsecurity.com/2023/03/06/compromised-draytek-routers/