Hiatus hacking campaign has infected roughly 100 Draytek routers:
Researchers have uncovered advanced malware that's turning business-grade routers into attacker-controlled listening posts that can sniff email and steal files in an ongoing campaign hitting North and South America and Europe.
Besides passively capturing IMAP, SMTP, and POP email, the malware also backdoors routers with a remote-access Trojan that allows the attackers to download files and run commands of their choice. The backdoor also enables attackers to funnel data from other servers through the router, turning the device into a covert proxy for concealing the true origin of malicious activity.
"This type of agent demonstrates that anyone with a router who uses the Internet can potentially be a target—and they can be used as proxy for another campaign—even if the entity that owns the router does not view themselves as an intelligence target," researchers from security firm Lumen's Black Lotus Labs wrote. "We suspect that threat actors are going to continue to utilize multiple compromised assets in conjunction with one another to avoid detection."
[...] Black Lotus still doesn't know how devices are getting hacked in the first place. Once (and however) that happens, the malware gets installed through a bash script that's deployed post-exploitation. It downloads and installs the two main binaries.
[...] Hiatus is mainly targeting DrayTek routers running an i386 architecture. The researchers, however, have uncovered prebuilt binaries compiled for ARM, MIPS64 big endian, and MIPS32 little endian platforms.
The packet-capture ability of the HiatusRAT should serve as a major wake-up call for anyone still sending email that isn't encrypted. In recent years, email services have improved at automatically configuring accounts to use protocols such as SSL/TLS over port 993 or STARTTLS on port 143. Anyone still sending email in plaintext will likely regret it sooner rather than later.
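The warning above is that a router-resident sniffer sees whatever the mail client sends before TLS is negotiated. The following passive classifier, added here as an example and not code from the article or from Black Lotus Labs, shows what a defender can check from the first few client bytes of each mail session: implicit-TLS ports (993, 995, 465) should begin with a TLS handshake record, and STARTTLS-style ports (143, 110, 25, 587) should show the upgrade command before any LOGIN/USER/PASS/AUTH/MAIL FROM. The session records, addresses and lines are constructed sample data.

```python
"""Classify mail sessions by whether TLS protected credentials and content.

Input is a passive view of each session: destination port, the first bytes
the client sent, and the first few ASCII client lines (if any). All sample
data below is constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Ports where TLS is negotiated first ("implicit TLS").
IMPLICIT_TLS_PORTS = {993: "imaps", 995: "pop3s", 465: "smtps"}
# Ports that start in cleartext and may upgrade with STARTTLS / STLS.
CLEARTEXT_PORTS = {143: "imap", 110: "pop3", 25: "smtp", 587: "submission"}

# Client commands that carry credentials or message content in the clear
# when sent before the TLS upgrade.
SENSITIVE_PREFIXES = {
    "imap": ("LOGIN", "AUTHENTICATE"),
    "pop3": ("USER", "PASS"),
    "smtp": ("AUTH", "MAIL FROM"),
    "submission": ("AUTH", "MAIL FROM"),
}
UPGRADE_COMMANDS = {"imap": "STARTTLS", "pop3": "STLS",
                    "smtp": "STARTTLS", "submission": "STARTTLS"}


@dataclass
class Session:
    src: str
    dst: str
    dport: int
    first_bytes: bytes        # first bytes from the client
    client_lines: List[str]   # first ASCII lines from the client, if any


def imap_command(line: str) -> str:
    """IMAP commands are tag-prefixed ('a001 LOGIN user pass'); drop the tag."""
    parts = line.split(None, 1)
    return parts[1].upper() if len(parts) == 2 else line.upper()


def classify(session: Session) -> Tuple[str, str]:
    """Return (verdict, reason) for one session."""
    if session.dport in IMPLICIT_TLS_PORTS:
        # A TLS record starts with content type 0x16 (handshake), version 0x03xx.
        fb = session.first_bytes
        if len(fb) >= 3 and fb[0] == 0x16 and fb[1] == 0x03:
            return "encrypted", IMPLICIT_TLS_PORTS[session.dport] + " implicit TLS"
        return "suspicious", "non-TLS bytes on an implicit-TLS port"

    proto = CLEARTEXT_PORTS.get(session.dport)
    if proto is None:
        return "not_mail", ""
    upgrade = UPGRADE_COMMANDS[proto]
    for line in session.client_lines:
        cmd = imap_command(line) if proto == "imap" else line.upper()
        if cmd.startswith(upgrade):
            return "upgraded", f"{proto} negotiated {upgrade} before credentials"
        if cmd.startswith(SENSITIVE_PREFIXES[proto]):
            return "plaintext", f"{proto} sent {cmd.split()[0]} without TLS"
    return "undetermined", f"{proto}: no credentials or upgrade seen yet"


def report(sessions: List[Session]) -> List[Tuple[str, int, str, str]]:
    """Collect the sessions a monitor should alert on."""
    alerts = []
    for s in sessions:
        verdict, reason = classify(s)
        if verdict in ("plaintext", "suspicious"):
            alerts.append((s.src, s.dport, verdict, reason))
    return alerts


# Constructed sample sessions (RFC 5737 documentation addresses).
SAMPLE_SESSIONS = [
    Session("10.0.0.5", "203.0.113.10", 993, b"\x16\x03\x01\x02\x00", []),
    Session("10.0.0.6", "203.0.113.10", 143, b"a001 CAPABILITY\r\n",
            ["a001 CAPABILITY", "a002 STARTTLS"]),
    Session("10.0.0.7", "203.0.113.10", 143, b"a001 LOGIN",
            ["a001 LOGIN alice secret"]),
    Session("10.0.0.8", "203.0.113.20", 110, b"USER bob\r\n",
            ["USER bob", "PASS hunter2"]),
    Session("10.0.0.9", "203.0.113.30", 587, b"EHLO laptop\r\n",
            ["EHLO laptop", "STARTTLS"]),
    Session("10.0.0.10", "203.0.113.30", 25, b"EHLO laptop\r\n",
            ["EHLO laptop", "MAIL FROM:<a@example.com>"]),
    Session("10.0.0.11", "203.0.113.10", 995, b"USER bob\r\n", ["USER bob"]),
]

if __name__ == "__main__":
    for src, port, verdict, reason in report(SAMPLE_SESSIONS):
        print(f"ALERT {src} -> port {port}: {verdict} ({reason})")
```

Two things the classifier cannot do are worth noting. It only sees that STARTTLS was issued, not that the upgrade succeeded, so an in-path device that is itself compromised could still interfere with the negotiation; the durable fix is a client configured to require TLS rather than use it opportunistically. And a "plaintext" verdict on port 25 (MAIL FROM with no TLS) is normal for server-to-server relay, so that case is a policy question for the mail administrator rather than an automatic incident.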
It's also a good idea to remember that routers are Internet-connected computers, and as such, they require regular attention to ensure updates and other measures, such as changing all default passwords, are adhered to. For businesses, it may also make sense to use dedicated router monitoring.
(Score: 5, Insightful) by NotSanguine on Friday March 10, @04:37PM
With sugar on top, when discussing compromises and vulnerabilities, include the appropriate CVE details [draytek.com] in TFS.
Thanks!
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by Mojibake Tengu on Friday March 10, @09:05PM (1 child)
The article mentions DrayTek Vigor 2960 and 3900 as "routers with VPN support", but what they actually are is... enterprise-class dedicated VPN gateways.
Both models are EOL, sure, but for every 100 devices that's up to 20,000 or 50,000 VPN connections respectively under siege.
My bet is on Five Eyes this time. Small people cannot mine crypto on that.
The edge of 太玄 cannot be defined, for it is beyond every aspect of design
(Score: 2) by driverless on Monday March 13, @06:10AM
Draytek are also pretty good both with securing their devices and supporting them with firmware upgrades more or less forever. Every time there's some new mass compromise of routers announced I look for Draytek in the long list of models from other vendors and they're never affected. And you can still get firmware updates for ten-year-old hardware, as opposed to... gawd, too many vendors to mention where you get the v1.0A that it shipped with and that's it (ToiletPaper-Link springs immediately to mind).