Weekly Update 8 March 2023

Security Advisory

1. Hacking campaign called 'Hiatus' targets DrayTek Vigor router models 2960 and 3900

We have become aware of a hacking campaign called 'Hiatus' targeting DrayTek Vigor router models 2960 and 3900 to steal data from victims and build a covert proxy network. Details are in the web article: https://www.bleepingcomputer.com/news/security/new-malware-infects-business-routers-for-data-theft-surveillance/

The article describes what the attacker does after gaining access to a compromised Vigor2960/3900.

Our recommendation is to upgrade your Vigor2960/300B/3900 to the latest firmware version 1.5.1.4 for security improvements. The security improvements include:

• Improve Web GUI security.

• Disable TR-069 from WAN by default.

• Improve OpenSSL security (CVE-2022-0778).

• Set the OpenVPN encryption version to TLS 1.2 by default.

• Fixed: Let’s Encrypt certificate renewal failure when Access Control is enabled.

• Fixed: IKEv2 EAP VPN (H2L) failure when the subject alternative name of the local certificate was truncated incorrectly.

The firmware can be downloaded from:

https://www.draytek.com.au/support/downloads/vigor3900/

Additional actions to secure your router are:

1. Use a strong password for the admin login and for all VPN profiles, and change the passwords periodically.

2. Disable any unnecessary services and VPN profiles, such as OpenVPN, PPTP VPN, or remote management (Web, SNMP, telnet, SSH, FTP) from WAN. If any such service must remain enabled, also enable ACL and 2FA for it.

3. Enable Fail to Ban on the System Maintenance > Access Control page.

2. Cross-Site Scripting vulnerability (CVE-2023-23313)

A Cross-Site Scripting vulnerability in the hotspot web portal and user management login page on Draytek Routers (CVE-2023-23313) has been discovered.

An authenticated attacker can use the vulnerable CGI script to inject arbitrary JavaScript that the router's web application then stores. Because the injected code is stored persistently, it executes in the browser of every user who visits the affected page.
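To illustrate the stored-XSS pattern described above and the fix a web application applies for it, here is an added example (not DrayTek's code; the portal title field and the stored value are constructed placeholders, not the actual vulnerable CGI parameter). It shows a persisted, user-controlled string being concatenated into HTML unescaped, the same string rendered through HTML output encoding, and a small check a reviewer can run on rendered output.

```javascript
// Added example (not DrayTek code): how a stored XSS arises when a
// persisted, attacker-controlled string is concatenated into HTML,
// and how output encoding at the render boundary neutralises it.

// Constructed sample of a value a user might save through a portal
// setting (placeholder; not the real CVE-2023-23313 parameter).
const STORED_PORTAL_TITLE = 'Guest WiFi <script>alert(1)</script>';

// Vulnerable pattern: the stored string is placed into the page verbatim,
// so any markup it contains becomes part of the DOM for every visitor.
function renderPortalUnsafe(title) {
  return `<h1>${title}</h1>`;
}

// Escape the five characters that are significant in HTML text and
// attribute contexts.
function escapeHtml(s) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: encode on output so the browser treats the stored
// value as text, never as markup.
function renderPortalSafe(title) {
  return `<h1>${escapeHtml(title)}</h1>`;
}

// Review/detection helper: does rendered output still contain an
// executable script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log('unsafe :', renderPortalUnsafe(STORED_PORTAL_TITLE));
console.log('safe   :', renderPortalSafe(STORED_PORTAL_TITLE));
```

The encoding belongs at the point where the value is written into HTML, not where it is saved: a value stored long ago, or written by a different component, is still rendered safely. Where a template engine is in use, its auto-escaping does the same job as escapeHtml here.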

DrayTek has now released updated firmware to address this vulnerability.

More details at: https://www.draytek.com/about/security-advisory/cross-site-scripting-vulnerability-(cve-2023-23313)/

Refer to our newsletter on 7th March for a list of firmware you can download.

To subscribe to our regular news updates, click on “Subscribe” on this page, or log into your i-helpdesk account and enable the “Subscribe” option.
