Saturday 9 June 2018

Draytek router hacks and odd DNS

This is quite a common thing when you work in IT: you hear about exploits, hacks and malware doing the rounds. In fact you get slightly immune to it over the years; you hear so much about it, so many hacks and general attacks going on, that you start to ignore it all as noise. Risky? Yes, but unfortunately part of the territory.

Well, I'm in such a situation. I've seen so many releases about exploits or denial of service against Cisco, HP, Windows, Linux, Android and various hardware that I now don't often read them, or if I do it's only a glance, due to workload and lack of time! So it was inevitable that I'd be bitten by that lack of attention.
In this particular case it was due to a Draytek exploit, but I didn't know that at first. The issue? My HIVE home heating system wasn't connecting to the outside world, so I couldn't control my heating and hot water remotely!
Not exactly earth shattering, but being a techie I had to figure it out. So I started looking at the units (rebooted them all, obviously!), checking why they couldn't talk, and nothing seemed out of place: they looked fine, and I could see them on my local network.

So I went to plan B: change the gateway of the HIVE hub in my house to my server's IP and then sniff the traffic it was sending and receiving to see if that gave any clues.
After changing the gateway for the device in my DHCP server and restarting the service, I watched the logs to see the HIVE unit get a new IP to confirm it had moved.
I then started to see something odd: complaints about DHCPNAK and an alternative DHCP server giving replies. I checked the IP, and it was my Draytek router.

Now, on my network the Draytek router does very little: it does the FTTC to Ethernet conversion, does the PPP authentication and then passes all the raw public traffic to my server. So why it would be handling DHCP was an odd question.
A while back, when having DSL issues, I did temporarily use it for DHCP whilst BT checked out the problems, but I was sure it had been set back!
Checking the Draytek's web interface revealed it DID have DHCP enabled, and then I spotted an odd DNS server address in the DHCP settings:
38.134.121.95
What is that address? Not one I recognised. The secondary was my normal secondary DNS, but that primary was odd.
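Both symptoms above, a lease answered by a DHCP server that should not be serving DHCP and a DNS resolver in the lease that is not one of yours, can be caught from the client side without opening the router's web interface. The following is an added example, not code from the post or from Draytek: it parses lease blocks in the ISC dhclient.leases syntax (the `dhcp-server-identifier` and `domain-name-servers` options are the real option names that file uses) and flags any lease whose server or resolvers are not on an explicit allowlist. The sample lease text, the addresses 192.168.1.2 (the local DHCP/DNS server) and 203.0.113.53 (a placeholder for the normal secondary resolver), and the allowlists are constructed for the example; the rogue primary is the address from the post.

```python
"""Audit ISC dhclient lease files for untrusted DHCP servers and DNS resolvers."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample in the real dhclient.leases syntax (not taken from the post).
# First block: a healthy lease from the local DHCP server.
# Second block: the symptom described in the post, a lease answered by the
# router with a rogue primary DNS server handed out alongside the usual secondary.
SAMPLE_LEASES = """\
lease {
  interface "eth0";
  fixed-address 192.168.1.57;
  option subnet-mask 255.255.255.0;
  option routers 192.168.1.1;
  option dhcp-lease-time 86400;
  option dhcp-message-type 5;
  option domain-name-servers 192.168.1.2,203.0.113.53;
  option dhcp-server-identifier 192.168.1.2;
  renew 2 2018/06/09 22:01:03;
}
lease {
  interface "eth0";
  fixed-address 192.168.1.200;
  option subnet-mask 255.255.255.0;
  option routers 192.168.1.1;
  option dhcp-lease-time 86400;
  option dhcp-message-type 5;
  option domain-name-servers 38.134.121.95,203.0.113.53;
  option dhcp-server-identifier 192.168.1.1;
  renew 2 2018/06/09 22:05:10;
}
"""

LEASE_RE = re.compile(r"lease\s*\{(.*?)\}", re.DOTALL)
OPTION_RE = re.compile(r"^\s*option\s+([\w-]+)\s+(.*?);\s*$", re.MULTILINE)
FIXED_RE = re.compile(r"fixed-address\s+([\d.]+);")


def parse_leases(text: str) -> List[Dict[str, object]]:
    """Return one record per lease block: assigned address, server id, DNS list."""
    leases = []
    for body in LEASE_RE.findall(text):
        options = {name: value.strip() for name, value in OPTION_RE.findall(body)}
        fixed = FIXED_RE.search(body)
        dns_raw = options.get("domain-name-servers", "")
        leases.append({
            "address": fixed.group(1) if fixed else None,
            "server": options.get("dhcp-server-identifier"),
            "dns": [ip.strip() for ip in dns_raw.split(",") if ip.strip()],
        })
    return leases


def audit_leases(text: str, trusted_dhcp_servers: List[str],
                 trusted_dns: List[str]) -> List[str]:
    """Flag leases from servers outside the allowlist and resolvers outside it.

    Allowlists are explicit rather than 'private ranges only' because, as in the
    post, a perfectly normal secondary resolver may live on a public address.
    """
    trusted_dhcp = {ipaddress.ip_address(ip) for ip in trusted_dhcp_servers}
    trusted_resolvers = {ipaddress.ip_address(ip) for ip in trusted_dns}
    findings = []
    for lease in parse_leases(text):
        server = lease["server"]
        if server is None or ipaddress.ip_address(server) not in trusted_dhcp:
            findings.append(
                f"{lease['address']}: lease issued by untrusted DHCP server {server}")
        for resolver in lease["dns"]:
            if ipaddress.ip_address(resolver) not in trusted_resolvers:
                findings.append(
                    f"{lease['address']}: untrusted DNS resolver {resolver} "
                    f"handed out by {server}")
    return findings


if __name__ == "__main__":
    # In practice read /var/lib/dhcp/dhclient.leases instead of the sample text.
    for line in audit_leases(SAMPLE_LEASES, ["192.168.1.2"],
                             ["192.168.1.2", "203.0.113.53"]):
        print("WARNING:", line)
```

Run against the sample, the first lease passes and the second produces two warnings: one for the router acting as DHCP server and one for the unrecognised primary resolver. Pointing it at the real lease file on a host (or on the box the HIVE hub's traffic is routed through) and running it from cron gives an early signal of exactly the change the post took weeks to notice.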

I simply switched DHCP off to let my server do the work, and suddenly the HIVE started to work. So it looks like that DNS entry was to blame. I decided to search for the address, and then all the security advisories came up! I've pasted a couple here for info:

https://www.bleepingcomputer.com/news/security/draytek-router-zero-day-under-attack/
https://www.draytek.co.uk/support/security-advisories/kb-advisory-csrf-and-dns-dhcp-web-attacks
https://www.ispreview.co.uk/index.php/2018/05/dns-vulnerability-strikes-popular-draytek-broadband-isp-routers.html

Not good. So it appears somebody had hacked my router, switched DHCP back on and set this rogue DNS server. But it's an odd thing to do. An attacker can glean a certain amount of information from this: they can see what websites are being visited, and they can redirect you to try and grab sensitive information.
For example, say the rogue server handed out its OWN IP address for something like your bank's website, presented a fake banking site and got you to enter your details.
Now think of this on a larger scale: they'd only be able to re-create SOME banking websites and SOME online account websites on their servers, so it's quite a limited attack depending on what they're targeting and trying to achieve.

Now I suspect I've been lucky here; being in the UK, there are fewer websites I suspect the attackers will have re-created or redirected. I'm also curious what their aim was, but nobody seems to know much about it.
The IP looks innocent enough, hosting webspace in the USA, so I suspect it will have been shut down quite some time ago, and DNS queries to it today fail, so it looks like it's been stopped. But even so, that's odd, and how long was it sniffing my traffic?

My guess is it's been a couple of weeks for me. That's when I started seeing "odd" behaviour, the HIVE hub failing to connect, etc.

The answer? PATCH. I went to Draytek and updated my firmware, which is something we all have to start getting used to. Keep updating, keep patching, etc.
What a chore! Maybe there is a better way, but for now we have to be aware, watch for this sort of thing and not let it wash over us!