Full Report
Following the October disclosure of its Dray:Break research, which uncovered 14 new vulnerabilities in DrayTek devices, Forescout Technologies... The post Forescout details insights on ransomware campaign exploiting DrayTek vulnerabilities at Black Hat Europe 2024 appeared first on Industrial Cyber.
Analysis Summary
# Incident Report: Large-Scale Ransomware Campaign Exploiting DrayTek Routers (2023)
## Executive Summary
Between August and September 2023, a coordinated, large-scale ransomware campaign targeted over 20,000 DrayTek Vigor devices globally, utilizing suspected zero-day or undocumented vulnerabilities in the routers' management interface. The operation, involving three distinct threat actors facilitated by 'Monstrous Mantis' (Ragnar Locker), resulted in credential theft, network infiltration, and the deployment of ransomware, impacting organizations including a Manchester Police supply chain partner. Response efforts involved CERTs and law enforcement collaborating to notify victims and assess the scope.
## Incident Details
- **Discovery Date:** August/September 2023 (Observed exploitation period); Publicly disclosed/analyzed in late 2024 (Black Hat Europe).
- **Incident Date:** August – September 2023
- **Affected Organization:** Over 20,000 DrayTek Vigor devices worldwide (including a major supply-chain victim connected to Manchester Police).
- **Sector:** Multiple (Implied broad targeting, involving government/law enforcement supply chains).
- **Geography:** Worldwide
## Timeline of Events
### Initial Access
- **Date/Time:** August – September 2023
- **Vector:** Exploitation of vulnerabilities in DrayTek Vigor routers (Vigor300B, Vigor2960, Vigor3900 models—legacy/end-of-sale).
- **Details:** Attackers specifically targeted the vulnerable ‘mainfunction\[dot\]cgi’ web page within the WebUI, which handles administrative configuration and was often exposed to the internet despite vendor advisories. The vulnerability was allegedly referenced by the threat actor as a zero-day.
### Lateral Movement
- **Details:** Following infiltration, attackers systematically harvested and decrypted credentials into plaintext. These decrypted credentials were then selectively shared with trusted partners (Ruthless Mantis, LARVA-15) who used them to infiltrate victim environments. Abuse of VPNs and tunneling was also noted as part of the post-exploitation workflow.
### Data Exfiltration/Impact
- **Details:** The primary impact appears to be the deployment of ransomware following initial network access and credential theft. The exact volume or type of data exfiltrated is not specified, but credential harvesting was a central step.
### Detection & Response
- **Details:** The campaign was identified by threat intelligence firm PRODAFT. PRODAFT subsequently partnered with CISA, law enforcement agencies, and multiple CERTs to notify affected organizations and conduct a full scope assessment of the campaign. Analysis was publicly released by Forescout Technologies.
## Attack Methodology
- **Initial Access:** Exploitation of the DrayTek ‘mainfunction\[dot\]cgi’ endpoint, likely leveraging a zero-day or unpatched vulnerability in legacy devices.
- **Persistence:** Not explicitly detailed, but maintaining access via stolen VPN/administrator credentials is implied.
- **Privilege Escalation:** Involved decrypting harvested credentials into plaintext, likely enabling access to higher-level system functions.
- **Defense Evasion:** Monstrous Mantis maintained operational secrecy by controlling the exploit, only sharing decrypted credentials with trusted partners, minimizing the primary actor's direct exposure.
- **Credential Access:** Harvesting credentials via the initial router breach, followed by systematic decryption.
- **Discovery:** Not explicitly detailed, but standard reconnaissance is implied within the compromised network.
- **Lateral Movement:** Use of decrypted credentials to move internally, utilizing VPN and tunneling abuse.
- **Collection:** Systematic extraction of credentials.
- **Exfiltration:** Handover of decrypted credentials to collaborating ransomware deployment groups.
- **Impact:** Deployment of ransomware by collaborating groups (Ruthless Mantis, LARVA-15).
## Impact Assessment
- **Financial:** Not specified, but large-scale ransomware activity implies potentially significant costs for remediation and recovery.
- **Data Breach:** Credentials were harvested and decrypted to plaintext; direct data exfiltration is not detailed in the source and appears secondary to the ransomware deployment.
- **Operational:** Deployment of ransomware indicates significant operational disruption for affected organizations globally.
- **Reputational:** Notable link to a supply-chain incident involving Manchester Police, indicating high-profile risk exposure.
## Indicators of Compromise
(Note: Specific IoCs were withheld in the source material to prevent further exploitation, as this analysis concerns ongoing threat patterns.)
- **Network indicators:** Targeting of DrayTek WebUI ports exposed externally.
- **File indicators:** Ransomware payloads deployed by Ruthless Mantis (PTI-288) and LARVA-15 (Wazawaka).
- **Behavioral indicators:** Systematic harvesting and decryption of credentials post-router compromise; credential sharing between threat actors.
## Response Actions
- **Containment measures:** CERTs and law enforcement notified affected organizations.
- **Eradication steps:** Recommended remediation focused on patching, replacing EOL hardware, and network segmentation.
- **Recovery actions:** Restoration of services following ransomware deployment (implied).
## Lessons Learned
- **Key takeaways:** Cybercriminal ecosystems are highly transactional and specialized, with groups like Monstrous Mantis acting as facilitators (access brokers) sharing victim data for indirect profit. Undocumented or recurring vulnerabilities in internet-exposed, end-of-life hardware (like older DrayTek models) remain a critical attack surface, even when known CVEs are patched.
- **What could have been done better:** Vendors must prioritize patching or deprecating infrastructure where persistent, similar vulnerabilities exist across multiple hardware generations.
## Recommendations
- Ensure comprehensive visibility into all network perimeter devices, their software versions, and communication patterns.
- Understand risk profiles by auditing vulnerabilities, weak configurations, and internet exposure of perimeter devices.
- Replace default credentials and enforce strong, unique passwords for all devices.
- Promptly patch all devices and replace end-of-life (EOL) hardware that no longer receives security updates.
- Implement network segmentation to limit the blast radius should initial access be gained through an exposed perimeter device.
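The visibility, exposure and EOL recommendations above amount to an inventory audit. The following is an added example, not code from the report or from Forescout/PRODAFT: it scores constructed perimeter-device records (the field names such as `mgmt_wan_exposed` and `default_creds`, the firmware strings and the placeholder model `VigorXXXX` are assumed, not a real DrayTek export format) against the recommendations and ranks devices for remediation. The EOL model list is taken from the report, which describes Vigor300B, Vigor2960 and Vigor3900 as legacy/end-of-sale.

```python
"""Rank perimeter devices for remediation from an asset inventory.

Added example, not part of the original report. Inventory records are
constructed; the EOL model list comes from the report.
"""
from dataclasses import dataclass

# Models the report describes as legacy/end-of-sale.
EOL_MODELS = {"Vigor300B", "Vigor2960", "Vigor3900"}


@dataclass
class Device:
    name: str
    model: str
    firmware: str
    latest_firmware: str     # assumed field: current vendor release for the model
    mgmt_wan_exposed: bool   # assumed field: WebUI reachable from the internet
    default_creds: bool      # assumed field: vendor default credentials still set
    segment: str             # assumed field: network segment the device fronts


@dataclass
class Finding:
    issue: str
    action: str
    weight: int


def audit_device(d):
    """Map one device's state onto the report's recommendations."""
    findings = []
    if d.model in EOL_MODELS:
        findings.append(Finding("end-of-life model, no further security updates",
                                "replace the hardware", 4))
    elif d.firmware != d.latest_firmware:
        findings.append(Finding(f"outdated firmware {d.firmware}",
                                f"update to {d.latest_firmware}", 3))
    if d.mgmt_wan_exposed:
        findings.append(Finding("management WebUI exposed to the internet",
                                "restrict management access to internal/VPN sources", 3))
    if d.default_creds:
        findings.append(Finding("default credentials in use",
                                "set a strong, unique password", 2))
    return findings


def risk_score(d, findings):
    """Sum finding weights; an EOL device with an exposed WebUI is the exact
    combination the report describes, so it gets an extra penalty."""
    score = sum(f.weight for f in findings)
    if d.model in EOL_MODELS and d.mgmt_wan_exposed:
        score += 3
    return score


def prioritise(devices):
    """Return [(name, score, findings)] sorted from highest to lowest risk."""
    ranked = []
    for d in devices:
        findings = audit_device(d)
        ranked.append((d.name, risk_score(d, findings), findings))
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked


# Constructed inventory; firmware strings are placeholders, not real versions.
INVENTORY = [
    Device("edge-a", "Vigor2960", "1.0", "1.0", True, False, "branch-office"),
    Device("edge-b", "VigorXXXX", "1.0", "1.1", False, True, "warehouse"),
    Device("edge-c", "VigorXXXX", "1.1", "1.1", False, False, "hq"),
]

if __name__ == "__main__":
    for name, score, findings in prioritise(INVENTORY):
        print(f"{name}: risk {score}")
        for f in findings:
            print(f"  - {f.issue}: {f.action}")
```

The score is only an ordering aid; the point of the audit is that an EOL device with an internet-reachable WebUI has no patch path at all, so replacement and segmentation come before anything else in the queue.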