Routers Under Attack: How Companies Can Protect Their Gateway to the Internet
Modems and routers aren’t the most glamorous of connected technologies. In fact, their ubiquity means that most organisations forget they’re even there. However, they also perform a critical function in enabling networked devices and machines to reach the public internet. Without them, most businesses would struggle to operate.
Yet because of their location at the edge of the network, routers are also an increasingly popular target. It doesn’t help that many are riddled with vulnerabilities and may not be updated as frequently as other critical devices. A report from Forescout released in October warns of 14 new firmware flaws in DrayTek routers.
It’s time to get serious about protecting corporate routers.
What’s Wrong with DrayTek?
According to Forescout, two of the 14 new vulnerabilities it discovered in routers from the Taiwanese manufacturer are rated critical: CVE-2024-41592 has a maximum CVSS score of 10, while CVE-2024-41585 is given a 9.1.
The former is a buffer overflow in the GetCGI() function of the Web UI on DrayTek's Vigor routers. It can apparently be triggered by sending a specially crafted, excessively long query string to any of the 40 CGI pages of the Web UI. On its own this can be used to cause a denial of service; chained with the OS command injection bug CVE-2024-41585, it can be used to gain remote root access to the underlying host operating system.
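The attack pattern Forescout describes, an over-long query string aimed at a CGI page, is something a defender can look for in the access logs of whatever sits in front of a router's management interface. The following is an added example written for this page, not Forescout's or DrayTek's code: it parses Combined Log Format lines and flags any request to a `.cgi` path whose query string exceeds a configurable length. The log lines, the CGI paths and the 1024-byte threshold are constructed placeholders, and a length threshold is only an indicator of abuse of this vulnerability class, not a signature for the specific CVE.

```python
import re
from urllib.parse import urlsplit

# Parser for Common/Combined Log Format (Apache/nginx style) request lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines. The CGI paths are placeholders, not real
# DrayTek endpoints; the 3000-byte query string imitates the "excessively
# long query string" pattern described in the article.
_LONG_QUERY = "A" * 3000
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2024:08:15:02 +0000] "GET /cgi-bin/login.cgi?user=admin HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'198.51.100.23 - - [10/Oct/2024:08:15:09 +0000] "GET /cgi-bin/status.cgi?{_LONG_QUERY} HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '192.0.2.44 - - [10/Oct/2024:08:16:30 +0000] "POST /cgi-bin/setup.cgi HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])  # splits "/path?query" into path and query
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "method": m["method"],
        "path": parts.path,
        "query": parts.query,
        "status": int(m["status"]),
    }


def find_oversized_cgi_queries(lines, max_query=1024):
    """Flag requests to CGI pages whose query string is longer than max_query bytes.

    Returns a list of (client_ip, path, query_length, http_status) tuples.
    A 5xx status or an abruptly closed connection alongside such a request is
    consistent with the denial-of-service outcome described for this bug class.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith(".cgi"):
            continue
        qlen = len(rec["query"])
        if qlen > max_query:
            hits.append((rec["ip"], rec["path"], qlen, rec["status"]))
    return hits


if __name__ == "__main__":
    for ip, path, qlen, status in find_oversized_cgi_queries(SAMPLE_LOG):
        print(f"{ip} sent {qlen}-byte query string to {path} (HTTP {status})")
```

The router's own Web UI will not necessarily log in this format, so this is meant to run over the logs of a reverse proxy, WAF or VPN gateway placed in front of the management interface. The better control, of course, is not to expose that interface to the internet at all.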
That’s potentially far more serious, as it would provide an attacker with the “keys to the kingdom” – enabling complete remote control of the targeted router and, by moving laterally, other devices on the same network, says Forescout.
The popularity of DrayTek routers globally highlights both the challenge for network defenders and the opportunity for threat actors. According to Forescout, over 704,000 routers were exposing their web interface to the internet, and were therefore open to exploitation, when the report was compiled, including 425,000 in the UK and EU. Most are apparently intended for business use.
DrayTek had patched all the firmware vulnerabilities by the time the report was published. Still, there is no guarantee that customers will apply the updates before attackers attempt to exploit them. The vendor is also by no means the only manufacturer whose products are at risk of compromise. In September, a joint advisory from several Five Eyes security agencies revealed the existence of a massive botnet of 260,000 hijacked devices, including routers from MikroTik, Ubiquiti, Telesquare, Telstra, Cisco and Netgear.
Why Routers?
Modems and routers are clearly a popular target for threat actors. This is because they:
- Are often riddled with unpatched vulnerabilities that attackers can exploit
- Are often deployed by SMEs with fewer security resources and less in-house expertise, which can leave them exposed
- Are easy for attackers to find with remote internet-wide scans
- May be protected only by factory default credentials
- Provide a gateway to other devices on the same network and can therefore serve as an initial access vector for ransomware and data theft
- Can be hijacked and enrolled in a larger botnet to launch DDoS attacks on others or to disguise more sophisticated threat campaigns
- Can be repurposed as command-and-control servers (if they are high-performance routers)
End-of-life (EoL) or end-of-sale (EoS) devices are particularly at risk, as patches and updates may no longer be available from the vendor. Forescout claims that 11 of the 24 affected DrayTek models listed in its research were either EoL or EoS. Even where patches are available, they often are not applied: nearly 40% of the devices in the report are still vulnerable to similar flaws identified two years previously, according to Forescout.
“Routers can yield access to, or even control of, assets inside an organisation’s network. As the skeletons of the networks and sub-networks they form, they are a great resource for an attacker to infect,” Black Duck Software managing security consultant Adam Brown tells ISMS.online.
“Furthermore, they are administrated by individuals with the highest levels of security credentials, which, if breached, give bad actors the keys to the kingdom.”
This is not a theoretical threat. As well as the massive Chinese threat campaign highlighted above, we can point to the following:
Volt Typhoon: A Chinese state-backed APT group that exploited zero-day vulnerabilities in internet-connected network appliances like routers to compromise strategically important critical infrastructure networks in the US. The end goal, says the Cybersecurity and Infrastructure Security Agency (CISA), was to be primed and ready to launch destructive attacks in the event of a military conflict.
BlackTech: Another Chinese state APT group which targeted various organisations in the US and Japan. It targeted poorly protected routers in branch offices, allowing attackers to blend in with regular traffic as they pivoted to other devices in corporate headquarters. In some cases, the adversaries gained admin rights, enabling them to replace the firmware on the routers and/or switch off logging to hide their tracks.
Cyclops Blink and VPNFilter: Two sophisticated multi-year campaigns from Russia’s Sandworm group, which targeted small office/home office (SOHO) routers and other network devices. Deployment of the eponymous malware was described as “indiscriminate and widespread”, leading observers to speculate that the purpose was to create botnets capable of launching threat campaigns on other targets.
APT28/Fancy Bear: A prolific Russian threat group targeted Ubiquiti EdgeRouters as part of a broader campaign to “facilitate malicious cyber operations worldwide” – including by hosting spear phishing pages and custom attack tools.
How to Mitigate the Threat
Some US lawmakers want to investigate Chinese-made routers in a bid to mitigate Beijing’s cyber espionage threat. But this will do nothing to tackle the problem of routers made elsewhere being hijacked through stolen/brute-forced credentials or vulnerability exploitation. So, how can organisations better protect their routers? Some best practices will help.
An excellent place to start is tried-and-tested cyber-hygiene such as:
- Regular patching of firmware as soon as updates are available, using automated update channels where possible
- Replacing default passwords with strong, unique credentials
- Turning off unused services such as UPnP, remote management and file sharing, and closing the ports they listen on; where remote administration is genuinely needed, reaching it over a VPN or a dedicated management network rather than exposing it on the WAN interface
- Promptly replacing EoL kit to ensure maximum protection from exploitation.
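The four hygiene points above become far more useful once they are applied consistently across an inventory and ranked by exposure. The following is an added example written for this page, not a tool from the article or from any vendor: it audits a constructed router inventory for outdated firmware, end-of-life models, default admin passwords and management services reachable from the WAN, and orders the routers by their worst finding. The model names, version numbers, EoL list and `default_password` flag (assumed to come from an earlier credential check) are hypothetical placeholders, not real DrayTek data. The one design choice worth noting is that an outdated router whose web UI is also reachable from the internet is rated critical rather than high, since that combination is exactly what the exposure figures in the report count.

```python
from dataclasses import dataclass, field

# Constructed reference data for the example. Model names, version numbers
# and the EoL list are hypothetical placeholders, not DrayTek's real data.
LATEST_FIRMWARE = {"ExampleRouter-100": "4.4.3", "ExampleRouter-200": "3.9.8"}
END_OF_LIFE = {"ExampleRouter-200"}
# Services that should not be reachable on the WAN interface of a router.
RISKY_WAN_SERVICES = {"http", "https", "telnet", "ssh", "upnp", "ftp", "snmp"}
SEVERITY = {"critical": 3, "high": 2, "medium": 1}


@dataclass
class Router:
    hostname: str
    model: str
    firmware: str
    default_password: bool                     # result of an earlier credential check (assumed)
    wan_services: set = field(default_factory=set)


def parse_version(version: str) -> tuple:
    """Compare dotted numeric versions numerically, so that 4.4.10 > 4.4.9."""
    return tuple(int(part) for part in version.split("."))


def audit(router: Router) -> list:
    """Return a list of (severity, message) findings for one router."""
    findings = []
    exposed = sorted(router.wan_services & RISKY_WAN_SERVICES)
    web_ui_on_wan = bool({"http", "https"} & router.wan_services)
    latest = LATEST_FIRMWARE.get(router.model)
    outdated = latest is not None and parse_version(router.firmware) < parse_version(latest)

    if outdated:
        # Unpatched and internet-reachable is the combination to fix first.
        sev = "critical" if web_ui_on_wan else "high"
        findings.append((sev, f"firmware {router.firmware} is behind latest {latest}"))
    if router.model in END_OF_LIFE:
        findings.append(("high", "end-of-life model: no vendor patches, schedule replacement"))
    if router.default_password:
        sev = "critical" if exposed else "high"
        findings.append((sev, "factory default admin password still in use"))
    if exposed:
        findings.append(("medium", "services reachable from WAN: " + ", ".join(exposed)))
    return findings


def prioritise(routers: list) -> list:
    """Order routers by worst finding, then by number of findings, then by name.

    Returns a list of (worst_score, finding_count, hostname, findings) tuples.
    """
    scored = []
    for router in routers:
        findings = audit(router)
        worst = max((SEVERITY[sev] for sev, _ in findings), default=0)
        scored.append((worst, len(findings), router.hostname, findings))
    scored.sort(key=lambda item: (-item[0], -item[1], item[2]))
    return scored


# Constructed inventory for the example.
INVENTORY = [
    Router("branch-lon-rtr", "ExampleRouter-100", "4.4.1", False, {"https", "upnp"}),
    Router("branch-man-rtr", "ExampleRouter-200", "3.9.8", True, set()),
    Router("hq-rtr", "ExampleRouter-100", "4.4.3", False, set()),
]


if __name__ == "__main__":
    for worst, count, host, findings in prioritise(INVENTORY):
        print(f"{host}: {count} finding(s), worst severity score {worst}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

In practice the inventory would be populated from the network management system or a configuration backup, and `LATEST_FIRMWARE` and `END_OF_LIFE` from the vendor's release notes and lifecycle notices; the ranking then doubles as the patching and replacement worklist.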
Black Duck Software's Brown adds that Zero Trust security approaches would also help organisations mitigate router security risks: monitoring the network for unusual traffic volumes, and segmenting it alongside least-privilege access policies.
“Security architecture must be considered when deploying networks, and therefore routers, with care taken to ensure access to router consoles have appropriate security controls,” he adds. “Network trust zones must be considered, and a Zero Trust approach to architecture at all layers will help limit the blast radius should an incident occur.”
As the above examples highlight, powerful state-backed groups as well as sophisticated cybercrime entities are primed to take advantage of security gaps to hijack routers and the networks they straddle. With SMBs in the crosshairs, it's time to close this critical security gap.