DrayTek Vulnerabilities Added to CISA KEV Catalog Exploited in Global Campaign 

September 5, 2024 at 07:12AM

Multiple threat groups have exploited two old vulnerabilities in DrayTek VigorConnect management software to target organizations worldwide. The flaws allow attackers to download arbitrary files with root privileges. Exploitation attempts spiked in August, prompting CISA to add the vulnerabilities to its KEV catalog. The attacks appear to be broad rather than aimed at a specific region or vertical.

The key takeaways are:

1. Two old vulnerabilities in DrayTek VigorConnect, tracked as CVE-2021-20123 and CVE-2021-20124, have been exploited by multiple threat groups targeting organizations worldwide. These vulnerabilities allowed unauthenticated attackers to download arbitrary files from the underlying operating system with root privileges. The vulnerabilities were patched by the vendor in October 2021.

2. Although there are no public reports of in-the-wild attacks, a Fortinet IPS advisory mentions CVE-2021-20123 being exploited in attacks across various industries, including finance payroll, networking, manufacturing, real estate, telecom, and technology.

3. The exploitation attempts increased on August 28 and 29, leading to CISA adding the vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.

4. The history of attacks on DrayTek products reveals that threat actors have previously exploited zero-day vulnerabilities in the company’s routers.

5. The large number of DrayTek products exposed, according to Shodan search results, makes them an attractive target for threat actors.
