20,000 DrayTek routers exploited in a massive ransomware campaign

Threat actors are exploiting vulnerabilities in legacy DrayTek routers to breach networks, steal passwords and deploy ransomware. According to a joint report from cybersecurity firms Prodaft and Forescout, the campaign, active since August 2024, has been leveraging a suspected zero-day exploit in the “mainfunction.cgi” endpoint of DrayTek Vigor routers.

The campaign has been linked to Monstrous Mantis, a threat actor believed to be associated with the Ragnar Locker ransomware gang. Two affiliates, Ruthless Mantis and LARVA-15, have also been identified; they used the stolen credentials to carry out separate campaigns.

Ruthless Mantis, a former affiliate of the REvil ransomware group, targeted 337 organizations in the UK and the Netherlands, deploying ransomware strains such as Nokoyawa and Qilin. Meanwhile, LARVA-15, aka Mikhail ‘Wazawaka’ Matveev, acted as an Initial Access Broker, selling compromised credentials to other cybercriminals and targeting victims across Europe, Asia, and Australia.

Matveev, a Russian national, was arrested by the Russian authorities in November 2024. Though in this case Matveev did not deploy ransomware himself, he acted as an intermediary, distributing stolen credentials to other groups.

The campaign primarily targeted older, end-of-sale DrayTek models such as the Vigor300B, Vigor2960, and Vigor3900. These routers rely on the WebUI administrative interface, which has a history of security vulnerabilities, including CVE-2020-8515 and CVE-2020-15415, both listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog.

Based on intercepted attacker communications, the researchers believe that the campaign involved a zero-day exploit, although the exact nature of the potential zero-day flaw remains unclear.

"Notably, the latest available firmware version for these end-of-sale devices is v1.5.6, available since March 2024. However, it remains unclear whether these newly documented issues will eventually be fixed," Forescout noted.
