Critical DrayTek Router Vulnerabilities Lead to Large-Scale Ransomware Campaign

CyberSecureFox 🦊

Security researchers at Forescout have uncovered a sophisticated cyber attack campaign targeting corporate networks through previously unknown vulnerabilities in DrayTek routers. The attack has successfully compromised over 300 organizations worldwide, with threat actors leveraging zero-day exploits to deploy ransomware and establish persistent network access.

Attack Timeline and Scope of Compromise

Between August and September 2023, the Monstrous Mantis threat group orchestrated a large-scale campaign targeting more than 20,000 DrayTek devices. The group operated as an initial access broker, exploiting zero-day vulnerabilities to breach corporate networks and subsequently selling access to other cybercriminal organizations.

Complex Attack Infrastructure and Threat Actor Collaboration

Security analysis revealed an intricate network of cybercriminal collaboration. Monstrous Mantis established partnerships with two other threat groups: Ruthless Mantis (PTI-288) and LARVA-15 (Wazawaka). These partnerships facilitated the distribution of stolen credentials and network access, enabling secondary attacks across multiple geographic regions.

Impact and Geographic Distribution

The investigation identified 337 successful compromises by Ruthless Mantis, believed to be affiliated with the notorious REvil ransomware group. Their operations primarily targeted organizations in the United Kingdom and the Netherlands, deploying Nokoyawa and Qilin ransomware variants. LARVA-15, functioning as an initial access broker, expanded the campaign’s reach to Australia, France, Germany, Italy, the Netherlands, Poland, Turkey, Taiwan, and the UK.

Technical Analysis of the Vulnerability

Joint research by Forescout and Prodaft identified the zero-day vulnerability in the mainfunction.cgi component of the DrayTek routers’ administrative interface. The National Vulnerability Database (NVD) has documented 22 new CVE entries related to this component. Affected devices include legacy models such as the Vigor300B, Vigor2960, and Vigor3900; it remains unclear whether the latest firmware, version 1.5.6 released in March 2024, is still affected.

To mitigate risks associated with these vulnerabilities, network administrators should implement immediate security measures, including regular firmware updates, comprehensive security audits, and enhanced network monitoring. Organizations using DrayTek devices should enable multi-factor authentication, implement network segmentation, and maintain detailed logs of administrative access. The incident underscores the critical importance of proactive security measures and continuous vulnerability management in protecting corporate networks against sophisticated cyber threats.
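The two paragraphs above name the vulnerable component, the affected legacy models, the latest firmware version, and a set of mitigations. The following script is an added example, not part of the article or of the Forescout/Prodaft research: it audits a device inventory against exactly those points. The model names and the 1.5.6 version come from the article; the inventory fields (`wan_admin_exposed`, `mfa_enabled`), the sample devices and the placeholder model `Vigor-other` are constructed assumptions, and because the article leaves the fix status of 1.5.6 open, a legacy model on 1.5.6 is flagged for verification rather than treated as safe.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Models the article names as affected.
LEGACY_MODELS = {"Vigor300B", "Vigor2960", "Vigor3900"}
# Latest firmware the article mentions (March 2024). The article says it is
# unclear whether this build is still affected, so being on it is not "safe".
LATEST_FIRMWARE = "1.5.6"


@dataclass
class Device:
    hostname: str
    model: str
    firmware: str
    wan_admin_exposed: bool  # assumed inventory field: admin UI reachable from the WAN side
    mfa_enabled: bool        # assumed inventory field: MFA enforced on admin login


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.5.6' into (1, 5, 6) so versions compare numerically rather than
    as strings ('1.5.10' must sort above '1.5.6'). A suffix after '_' is ignored."""
    core = version.split("_", 1)[0]
    return tuple(int(part) for part in core.split("."))


def audit(devices: List[Device]) -> Dict[str, List[str]]:
    """Return hostname -> list of findings for every device that needs attention.
    Devices with no findings are omitted."""
    findings: Dict[str, List[str]] = {}
    for dev in devices:
        issues: List[str] = []
        legacy = dev.model in LEGACY_MODELS
        if legacy:
            issues.append("model named as affected in the Forescout/Prodaft research")
        if parse_version(dev.firmware) < parse_version(LATEST_FIRMWARE):
            issues.append(f"firmware {dev.firmware} is older than {LATEST_FIRMWARE}; update")
        elif legacy:
            # Up to date, but the article does not confirm 1.5.6 fixes mainfunction.cgi.
            issues.append(f"on {dev.firmware}; fix status for mainfunction.cgi unconfirmed, verify with vendor")
        if dev.wan_admin_exposed:
            issues.append("admin interface reachable from WAN; restrict to a management segment")
        if not dev.mfa_enabled:
            issues.append("MFA not enforced on admin login")
        if issues:
            findings[dev.hostname] = issues
    return findings


def priority_order(findings: Dict[str, List[str]]) -> List[str]:
    """Hostnames sorted so the device with the most findings comes first."""
    return sorted(findings, key=lambda host: (-len(findings[host]), host))


# Constructed sample inventory; these are not real devices.
SAMPLE_INVENTORY = [
    Device("branch-fw-01", "Vigor2960", "1.5.1", wan_admin_exposed=True, mfa_enabled=False),
    Device("branch-fw-02", "Vigor3900", "1.5.6", wan_admin_exposed=False, mfa_enabled=True),
    Device("hq-fw-01", "Vigor-other", "1.5.6", wan_admin_exposed=False, mfa_enabled=True),
]

if __name__ == "__main__":
    report = audit(SAMPLE_INVENTORY)
    for host in priority_order(report):
        print(host)
        for issue in report[host]:
            print("  -", issue)
```

Running it lists branch-fw-01 first with four findings (legacy model, outdated firmware, WAN-exposed admin interface, no MFA), branch-fw-02 with two (legacy model, unconfirmed fix status), and nothing for hq-fw-01. In practice the inventory would be loaded from an asset database or a configuration export rather than hard-coded.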
