Mirai Bot now incorporating (malformed?) DrayTek Vigor Router Exploits, (Sun, Mar 16th)
A Forescout report disclosed multiple vulnerabilities in DrayTek routers, affecting about 700,000 devices and triggering a number of attack waves. Attackers use specific URLs and parameters to exploit these vulnerabilities and attempt to upload malware such as Mirai variants. The latest attack attempts download a specific script and bot file to further compromise the target devices. 2025-3-16 20:38:11 Author: isc.sans.edu

Last October, Forescout published a report disclosing several vulnerabilities in DrayTek routers. According to Forescout, about 700,000 devices were exposed to these vulnerabilities [1]. At the time, DrayTek released firmware updates for the affected routers [2]. Forescout also noted that multiple APTs were targeting these devices.

Interestingly, Forescout's report used the URL "/cgi-bin/malfunction.cgi", a URL returning a 404 status for the DrayTek routers I investigated. On the other hand, later publications by Fortinet and others used "mainfunction.cgi", which appears to be the actual vulnerable script.

Most of the attacks we are seeing are just searching for DrayTek routers using URLs like "/cgi-bin/mainfunction.cgi" without any arguments. These go back to the end of March 2020. Starting in June 2020, we saw the first exploit attempts for the "keyPath" vulnerability, and these attacks still flare up from time to time. The other vulnerable parameter often exploited is "cvmcfgupload". Below is a plot showing the prevalence of these two attacks and a third one, which I saw flare up again yesterday.

graph showing various exploits over time

I believe this third attack is a typo, unless the attackers are looking for a completely different vulnerability. The attack URL is identical to the ones above, except that it is missing the dash in "cgi-bin".
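One way to separate these request patterns in a web server log, as an added example that is not part of the original diary: it parses Common Log Format lines and sorts requests for "mainfunction.cgi" into the categories plotted above (argument-less scans, "keyPath", "cvmcfgupload", and the malformed "cgibin" variant), tallied per day. The log lines are constructed, and the addresses and parameter values are placeholders.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Mar/2025:01:02:03 +0000] "GET /cgi-bin/mainfunction.cgi HTTP/1.1" 200 512
192.0.2.11 - - [15/Mar/2025:01:05:44 +0000] "POST /cgi-bin/mainfunction.cgi?keyPath=PLACEHOLDER HTTP/1.1" 200 512
192.0.2.12 - - [15/Mar/2025:02:15:00 +0000] "POST /cgi-bin/mainfunction.cgi?cvmcfgupload=PLACEHOLDER HTTP/1.1" 200 512
192.0.2.13 - - [16/Mar/2025:03:00:10 +0000] "POST /cgibin/mainfunction.cgi?keyPath=PLACEHOLDER HTTP/1.1" 404 199
192.0.2.14 - - [16/Mar/2025:03:01:10 +0000] "GET /cgi-bin/malfunction.cgi HTTP/1.1" 404 199
192.0.2.15 - - [16/Mar/2025:04:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# Common Log Format: client, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(path):
    """Return the category of a request path, or None if it is unrelated."""
    script, _, query = path.lower().partition("?")
    if not script.endswith("/mainfunction.cgi"):
        return None  # e.g. /cgi-bin/malfunction.cgi or ordinary pages
    malformed = script.startswith("/cgibin/")  # dash missing from "cgi-bin"
    if not malformed and not script.startswith("/cgi-bin/"):
        return None
    params = {kv.split("=", 1)[0] for kv in query.split("&") if kv}
    if "keypath" in params:
        kind = "keyPath"
    elif "cvmcfgupload" in params:
        kind = "cvmcfgupload"
    else:
        kind = "scan"  # bare request without arguments
    return "malformed-" + kind if malformed else kind


def tally(log_text):
    """Count hits per day and category, the data behind a prevalence plot."""
    per_day = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify(m.group("path"))
        if kind:
            per_day[m.group("day")][kind] += 1
    return {day: dict(counts) for day, counts in per_day.items()}
```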

The goal of these attacks is the same as the others: they attempt to upload and execute copies of a bot, usually various variants of Mirai. I guess they are adding so many exploits to these bots that a couple of ineffective ones won't matter.

For an old vulnerability like this, it is odd to see a large spike all of a sudden, and even more curious given that the exploit will likely not work. If anybody has any insight, let me know.

The latest malformed exploit attempts to download the usual simple multi-architecture bash script:

hxxp://45[.]116.104.123/hiroz3x.sh

Next, it attempts to download the actual bot:

hxxp://45[.]116.104.123/h0r0zx00xh0r0zx00xdefault/h0r0zx00x.x86

A quick string analysis of the bot shows attempts to exploit other vulnerabilities and likely a brute-force component. A VirusTotal analysis can be found here:

https://www.virustotal.com/gui/file/80bfbbbe5c5b9c78e391291a087d14370e342bd0ec651d9097a8b04694e7c9b9

[1] https://www.forescout.com/resources/draybreak-draytek-research/
[2] https://www.draytek.com/support/resources/routers#version

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu


Article source: https://isc.sans.edu/diary/rss/31770