UK telcos including BT at risk from DrayTek router vulnerabilities

Several major UK communications services providers (CSPs) were found to be exposed to a set of 14 vulnerabilities in DrayTek's Vigor routers, disclosed by Forescout on October 2, 2024. The affected CSPs include Daisy Communications, Gamma Telecom, Zen Internet and BT.

DrayTek released patches for all 14 vulnerabilities ahead of the disclosure, but more than 704,000 Vigor routers still had their web interface exposed to the internet at the time of publication. That raises the prospect of downstream compromise of the customers behind those routers, particularly in light of the FBI's recent takedown of a botnet that included DrayTek devices and was used by Chinese state-backed actors.

Forescout’s researchers highlighted that approximately 75% of the vulnerable devices were being used in commercial settings, posing severe risks to business continuity and reputation. The vulnerabilities ranged from enabling denial of service attacks to full system compromise and remote code execution.

The most critical of the flaws, CVE-2024-41592, is a buffer overflow in the web UI that can be exploited for either denial of service or remote code execution. On its own it yields code execution in the router's guest OS; chained with CVE-2024-41585, an OS command injection in the recvCmd binary that relays commands between the guest and host OS, it gives an attacker remote root access on the host OS, from which the device can be enrolled in a botnet or used to stage malware or ransomware deployment.

Censys analysis revealed that a significant number of exposed DrayTek Vigor devices are located in the UK, with the highest concentrations at Gamma Telecom, BT, Daisy Communications, and Zen Internet. Similar risks were identified in other European countries such as the Netherlands and Germany.

Operators of Vigor routers should apply the patched firmware immediately, restrict the administrative web UI (and any other remote management service) from public access, and enable multifactor authentication for administrative logins. BT confirmed that it is aware of the vulnerabilities and is working on remediation.
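A quick way to verify the second of those recommendations is to test, from a host outside the router's LAN, whether any management port on the router's public address still completes a TCP handshake. The script below is an added example, not Forescout's or DrayTek's code; the port list, the `tcp_connect` helper and the `203.0.113.x` addresses in the usage are assumptions chosen for illustration, and the connector is passed in as a parameter so the logic can be exercised without network access.

```python
"""Check whether a Vigor router's management services answer from the WAN side.

Added example (not from the article, Forescout or DrayTek). Run it from a host
OUTSIDE the router's LAN against the router's public IP. The port list is an
assumption covering the usual HTTP/HTTPS web UI, SSH and Telnet management
services; adjust it to match the router's own Management settings.
"""
import socket
import sys
from typing import Callable, Dict, Iterable, List, Mapping

# Assumed default management ports -> service name.
MANAGEMENT_PORTS: Mapping[int, str] = {80: "http", 443: "https", 22: "ssh", 23: "telnet"}

Connector = Callable[[str, int], bool]


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered or timed out: treat all as "not reachable".
        return False


def exposed_ports(host: str, ports: Mapping[int, str] = MANAGEMENT_PORTS,
                  connect: Connector = tcp_connect) -> List[int]:
    """Sorted list of management ports on `host` that accept a connection."""
    return sorted(p for p in ports if connect(host, p))


def exposure_report(hosts: Iterable[str], ports: Mapping[int, str] = MANAGEMENT_PORTS,
                    connect: Connector = tcp_connect) -> Dict[str, List[str]]:
    """Map each host to the names of reachable management services.

    An empty list means nothing answered, which is the state you want on a
    router whose administrative UI is restricted to the LAN or a VPN.
    """
    return {h: [ports[p] for p in exposed_ports(h, ports, connect)] for h in hosts}


if __name__ == "__main__":
    # Usage: python check_vigor_exposure.py 203.0.113.10 203.0.113.11
    # (203.0.113.0/24 is documentation address space; substitute real WAN IPs.)
    for host, services in exposure_report(sys.argv[1:]).items():
        if services:
            print(f"{host}: EXPOSED ({', '.join(services)}) - restrict management access")
        else:
            print(f"{host}: ok, no management ports reachable from here")
```

A reachable port is a prompt to go and check the router's remote-management settings, not proof on its own that the admin UI is exposed: on Vigor models where the SSL VPN service shares port 443 with HTTPS management, a successful handshake on 443 may be the VPN listener rather than the web UI. Conversely, a router that only allows management from a source-IP allow list will show as closed from any address outside that list, so run the check from a vantage point that is representative of the open internet.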

In a separate operation in September 2024, the FBI disrupted a botnet whose operators were exploiting DrayTek equipment alongside products from other vendors. The operation exposed a China-based company linked to the state-backed threat actor Flax Typhoon, which is known for targeting organizations in Taiwan and Southeast Asia.

Flax Typhoon has been active since 2021, primarily targeting government bodies, educational institutions and IT organizations. The FBI investigation uncovered a Mirai-based botnet of some 250,000 hijacked devices used for intelligence gathering.
