Forescout and Vedere Labs’ head of research expects more and more hacktivist activity to actually be backed by nation-state threat actors.
Cyber Daily: So we’ve covered some of the details of these Draytek vulnerabilities in the past, but can you walk us through what you’ve found and why you looked for it in these models of routers in particular?
Daniel dos Santos: We looked at the Draytek firmware and uncovered 14 new vulnerabilities that we found and disclosed in October.
Basically, there were lots of similar vulnerabilities that have happened in the past with Draytek as well, issues with their web management interface, and that would eventually allow for a complete takeover of a device, right? We typically don’t like to, let’s say, point fingers at some specific vendor or something like that. We know that it’s an industry-wide issue, but one of the things that we realised is that these things keep happening often and again and again.
So we noticed there was attacker activity that was related to some of the previous vulnerabilities that had been found by Draytek or reported to Draytek in the past couple of years, and as we were doing the research, we saw also that there was activity from lots of China-based botnets and other threat actors that were looking at exploiting Draytek vulnerabilities specifically. So, our disclosure really came at a time when a lot of activity was happening around those devices.
Cyber Daily: So, are these consumer devices? SOHO devices? Are they widely used?
Daniel dos Santos: It’s interesting because it’s a little wider than that.
I would guess the primary market is still consumer; they have a big consumer presence, but they have small business and small enterprise, or small- to medium-sized, let’s say, enterprise type of devices. We actually started looking from the enterprise point of view because we’re typically more interested in the enterprise side of things, on corporate hardware and so on.
So we looked at routers that were like VPN appliances and big routers, and then we saw that it’s the same firmware that is also used in many consumer devices. And in the end, the vulnerabilities that we found affected a large number of models that span all the way from SOHO to larger corporate VPN appliances.
Cyber Daily: Funnily enough, we recently interviewed one of Dragos’ vulnerability analysts, and he took me through the process of vulnerability disclosure from start to go, and we were talking about the fact that it could sometimes be a little bit adversarial. Would you say Draytek’s been a little bit difficult to work with in this regard?
Daniel dos Santos: No, not really. I totally align with what he’s saying, though. In general, it can be very adversarial. We’ve had experiences like that, but Draytek was actually quite interested in solving the issues.
One thing that we noticed is that, as we said, with past issues that we found happening, actually on the day that we had the disclosure, they had an advisory for something similar, one of which was found by some other researcher at kind of the same time. One thing that we did notice is that they’re probably not yet doing the right type of root cause analysis and fixing the issues at the root right away.
But that’s not to say that they have been adversarial or they don’t know or they didn’t understand the problem. It’s just probably they’re trying to fix things as they happen. But again, as with many vendors, I’m not sure that they have the time to go into all of the root cause issues, right?
So, in general, just maybe adding to the conversation you’ve had with that analyst, even when things go well, sometimes the result is not 100 per cent what we expect, in the sense that maybe the issues haven’t been fixed at the root of the cause.
Cyber Daily: Have you seen any active exploitation of these vulnerabilities?
Daniel dos Santos: We haven’t seen anything yet of our new vulnerabilities, because one of the goals that we actually have – and it’s right in the subtitle of the report – is finding the vulnerabilities before the threat actors exploit them, in the sense that we had seen increasing activity on Draytek, and we wanted to find those issues before we saw them being exploited.
There is, however, a lot of activity on previously reported vulnerabilities on Draytek devices that were very similar. And one of the things that we notice is that it’s not always the case that those devices are patched. So many times, the previous ones continue to work. So, in many cases, botnets and so on will just reuse the vulnerabilities that are already existing because devices in the wild are still vulnerable to those.
Cyber Daily: Given that past history of active exploitation, what kind of threat actors are taking advantage of these devices and to what end?
Daniel dos Santos: There are a couple of types of activities there. There is a long list that we mentioned in our report of mainly Chinese-based activity on those devices that started around 2018, and some of those were for things that were probably very, very likely espionage.
For instance, changing DNS settings on the devices, which means that you will route traffic to a server that is located in an adversarial place, and then you’ll get information. Then there was activity which was, as I said, about building botnets. And those botnets – this is something that used to be much more cyber criminal activity in the past, building botnets – but more recently, in the past couple of years, many state-sponsored threat actors, and specifically Chinese threat actors, have been using botnets for their own attacks as well, with the advantage that they can kind of disguise where the attacks are coming from. They use that as a middle layer in between the origin and the destination of an attack. There is a huge botnet where you can route traffic and use those devices for that purpose.
So that’s the state-sponsored activity.
There is also the typical cyber criminal, or opportunistic attack botnet, like the Mirai botnet and things like that, that will sell access to those devices, for DDoS, for crypto-mining and things like that. And more recently, we’ve gotten some information about specific cyber criminal activity on Draytek routers, but we’re still analysing that specifically.
Cyber Daily: That’s a good place to segue to the next thing I wanted to talk about, which is the general threat landscape at the moment. The whole Draytek issue is just part of a much wider landscape, of course, and based on growing conflict in the Middle East, Ukraine, and everywhere else, I’m guessing that the threat landscape is just getting more and more complex, particularly among nation-state actors.
Daniel dos Santos: For sure. So Draytek is actually a reflection of increased activity on edge devices and perimeter devices: firewalls, VPN appliances, routers, load balancers … Everything that you have at the edge of the network is getting constantly attacked these days, and new vulnerabilities are being found very frequently.
We actually launched a research report in August where we were looking at the first half of the year, and there were two trends that we mentioned there. One was these attacks on edge devices, and that led us to look into Draytek and find those new vulnerabilities. The other one was hacktivists, opportunistic attacks that are being driven by some of those conflicts that you mentioned.
These are the two key themes that we are following now – it’s really attacks on edge devices and hacktivists or, in many cases – that’s what we were discussing in the report – state-sponsored hacks, disguised as hacktivist attacks, on a lot of operational technology and critical infrastructure as a whole. There are many groups nowadays that are masquerading as activists, or grassroots movements and so on, but they are actually state-sponsored groups affiliated [with] military or civilian intelligence organisations that actually post some of their attacks online and claim to be hacktivist groups.
I think those are two of the biggest changes that we have noticed in the past, let’s say, one year, and we believe that those two trends will continue in the next year.
Really, those are two key things that we are following that we don’t see changing anytime soon.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.