Do you run Draytek routers?
If so, you need to know that Draytek became aware of a new attack affecting web-connected devices, including Draytek routers.
It is paramount that you check your router’s DNS settings and update its firmware. This is what Draytek had to say in its advisory statement.
What Draytek says:
In May 2018, we became aware of new attacks against web-enabled devices, which includes DrayTek routers. The recent attacks have attempted to change DNS settings of routers. We are in the process of releasing updated firmware, and will issue each ASAP to address this issue. You should upgrade as soon as it is available but also immediately follow the advice below:
- Update your firmware immediately, or as soon as updated software is available. Before doing the upgrade, take a backup of your current config in case you need to restore it later (System Maintenance -> Config Backup). Do use the .ALL file to upgrade, otherwise you will wipe your router settings. If you are upgrading from a much older firmware then please check the release notes carefully for any upgrading instructions. Note: If you are an Irish user (or using an ISP who uses non-standard VLAN tags), please see the note further down.
- Check your DNS and DHCP settings on your router. If you have a router supporting multiple LAN subnets, check settings for each subnet. Your DNS settings should be either blank, set to the correct DNS server addresses from your ISP or DNS server addresses of a server which you have deliberately set (e.g. Google 8.8.8.8). A known rogue DNS server is 126.96.36.199 – if you see that, your router has been changed.
In the case of DHCP, the DHCP server may be disabled, which will typically cause errors on your LAN as devices fail to be issued with IP addresses, so the problem is more obvious.
- If your settings appear to have been compromised, restore a config backup or manually check and correct all settings. Change your admin password and check that no other admin users have been added. Follow all of the advice in our previous CSRF article here.
- If you have remote access enabled on your router, disable it if you don’t need it, and use an access control list if possible. If you do not have updated firmware yet, disable remote access (admin) and SSL VPN. The ACL does not apply to SSL VPN connections (Port 443) so you should also temporarily disable SSL VPN until you have updated the firmware.
- Always use secured (SSL/TLS1.2) connections to your router, both LAN and WAN side. To do that, just prefix the address with https://. Disabling non-SSL/TLS connections:
The ‘enable validation code’ option at the top (above) is recommended. It adds a ‘captcha’ style option to the web admin login page.
- If you are in the UK/Ireland, ensure that you’re a member of our mailing list so that you can receive update and security advisories like this; otherwise we have no way to notify you of this and any future issues.
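As an added example (not part of this post or of DrayTek's advisory), here is a small Python check a LAN administrator could run on a client to compare the resolvers it was handed with the servers deliberately configured and with a list of known rogue resolvers. The resolv.conf sample, the expected server set and the 192.0.2.1 rogue address are all constructed placeholders, not real indicators.

```python
"""Audit the resolvers a LAN client received for signs of router DNS hijacking."""
import ipaddress
from typing import Iterable

# Constructed sample: what a Linux client's /etc/resolv.conf might hold after a
# router's DNS settings were tampered with. 192.0.2.1 (TEST-NET-1) is a placeholder
# standing in for the rogue resolver named in an advisory; substitute the real value.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.lan
nameserver 192.0.2.1
nameserver 8.8.8.8
"""

KNOWN_ROGUE = {"192.0.2.1"}            # placeholder, see note above
EXPECTED = {"8.8.8.8", "192.168.1.1"}  # assumed: admin-chosen resolver and the router


def parse_nameservers(resolv_conf: str) -> list:
    """Return the nameserver addresses in resolv.conf text, skipping comments
    and malformed entries."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # not a valid IP literal, ignore it
    return servers


def audit_dns(servers: Iterable[str], expected: set, rogue: set) -> dict:
    """Classify each resolver as 'rogue' (known bad), 'ok' (deliberately set)
    or 'unexpected' (anything else, which needs a manual look).

    An empty server list is flagged for review: a blank DNS field on the router
    is legitimate, but a client with no resolver at all suggests DHCP is broken.
    """
    verdicts = {}
    for s in servers:
        if s in rogue:
            verdicts[s] = "rogue"
        elif s in expected:
            verdicts[s] = "ok"
        else:
            verdicts[s] = "unexpected"
    return {
        "servers": verdicts,
        "compromised": any(v == "rogue" for v in verdicts.values()),
        "needs_review": not verdicts or any(v != "ok" for v in verdicts.values()),
    }
```

Run it against the live file with `audit_dns(parse_nameservers(open("/etc/resolv.conf").read()), EXPECTED, KNOWN_ROGUE)` after replacing the placeholder sets with your own values.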
Keeping you safe online
Draytek went on to say:
The priority for us has been to identify the cause and issue strengthened firmware so this is an initial report/advisory. We continue to monitor and investigate this issue and will update as appropriate. At this stage, for obvious security reasons, we will not be providing any further details of the issue. Please share this advisory with other DrayTek users/SysAdmins.
Our wireless access points (VigorAP series), switches (VigorSwitch series) and Vigor 2950, 2955, 2960, 3900 and 3300 series routers are not affected and do not need updating (but you should still always run the latest firmware on those anyway).
If you have a Draytek router, make sure you follow their advice and stay safe online.