Security News > 2023 > March > Alert: Crims hijack these DrayTek routers to attack biz

If you're still running post-support DrayTek Vigor routers it may be time to junk them, or come up with some other workaround, as a cunning malware variant is setting up shop in the kit.

The operators behind the Hiatus malware campaign are hijacking DrayTek Vigor router models 2960 and 3900 powered by MIPS, i386 and Arm-based processors to in turn attack businesses in North and Latin America as well as in Europe, according to researchers with Lumen's Black Lotus Labs threat intelligence unit.

The tcpdump binary is used to monitor router traffic on ports used for email and file-transfer communications and capture packets and sends the information to the C2. High-end router flinger DrayTek admits to zero day in bunch of Vigor kit Dump these small-biz routers, says Cisco, because we won't patch their flawed VPN If you're using older, vulnerable Cisco small biz routers, throw them out Cyclops Blink malware sets up shop in ASUS routers.

Malware campaigns targeting routers aren't new, but they can be very lucrative.

Cisco has seen its share of its small business routers be abused by attackers and threat groups like Trickbot and nation-states like China and Russia have used the devices as pathways into IT environments.

Black Lotus last year outlined an unrelated novel malware called ZuoRAT that attacked small office and home office routers to deploy on adjacent LANs and a hacktivist campaign in 2021.

News URL

https://go.theregister.com/feed/www.theregister.com/2023/03/08/draytek_router_malware_hiatus/