Internet routers compromised by attack
An attack on its internet routers has led to a scramble by manufacturer Draytek to develop and issue updates to block the security vulnerability. The attack, which came to light on 18 May 2018, breaks into the router and changes some of its settings. The change did not cause any damage, but it was thought to be the prelude to something with a greater impact.
The changes made are to the DNS settings. These settings point to servers that translate web addresses that we can read into codes that are used to identify computers. Each router has a pair of DNS settings. The attack changed the primary DNS to a server that apparently belonged to China Telecom. The secondary DNS was set to a Google server, which meant that routers would continue to work even though they had been compromised. It is thought that the next stage would direct the primary DNS to a site that would divert unsuspecting users to fake sites to collect user names and passwords.
How do you know if you have been affected?
The only way to know if your router has been affected is to check the DNS settings, which requires some technical knowledge. Then you need to update the router with new firmware that contains a fix to the vulnerability. At this stage we know that many Draytek routers are affected but other makes could be vulnerable too. Not all Draytek models have security fixes available and there is currently no date for the release of updated software.
Option 1 – fix your Draytek router
These are the steps to take:
- You need to know if you have been affected by this attack. Our technical team will check your router, reset it if necessary and change the administrator password. This should involve minimal downtime.
- When updated software is available we will install the update. This will involve additional downtime.
Option 2 – upgrade to business-grade security
Draytek is a popular budget line of devices but they are not recommended as part of a business-grade security policy. A better option is to have a managed service to protect the internet connection that your organisation depends on. With higher standards and a service that is monitored, managed and updated by Riverbank, you can get on with your work and leave someone else to deal with the IT concerns.
If you are a Riverbank client, we will notify you if you have Draytek equipment that could be affected. You can then decide what action to take.
If you aren’t a Riverbank client and would like advice about the threat, call us on 01235 426700 or e-mail firstname.lastname@example.org.