Following reports of widespread reboots affecting DrayTek routers globally, GreyNoise is bringing awareness to in-the-wild activity against several known vulnerabilities in DrayTek devices. While we cannot confirm a direct connection between this activity and the reported reboots, we are surfacing this data to help defenders monitor and respond accordingly.

 

Observed In-The-Wild Activity 

GreyNoise has observed in-the-wild activity against the following CVEs:

  • CVE-2020-8515 — a remote code execution vulnerability in multiple DrayTek router models. 
  • CVE-2021-20123 — a directory traversal vulnerability in DrayTek VigorConnect. 
  • CVE-2021-20124 — a second directory traversal vulnerability in DrayTek VigorConnect. 

Below is a breakdown of recent in-the-wild activity observed by the GreyNoise Global Observation Grid (GOG).

Across all CVEs, GreyNoise has observed the following activity in the past 45 days:

By CVE, we’ve seen the following: 

CVE-2020-8515: Remote Code Execution 

  • No activity in the past 24 hours. 
  • 82 IPs observed in the past 30 days.
  • Top destination countries by sessions in the past week: Indonesia, Hong Kong, United States. 

CVE-2021-20123: Directory Traversal

  • Activity in the past 24 hours. 
  • 23 IPs observed in the past 30 days.
  • Top destination countries by sessions in the past week: Lithuania, United States, Singapore. 

CVE-2021-20124: Directory Traversal

  • Activity in the past 24 hours. 
  • 22 IPs observed in the past 30 days.
  • Top destination countries by sessions in the past week: Lithuania, United States, Singapore.

GreyNoise will continue to monitor in-the-wild activity related to DrayTek devices. Explore the GreyNoise Visualizer for the latest activity. 

Read the SecurityWeek report detailing the reboots. 

— — —

Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.

This article is a summary of the full, in-depth version on the GreyNoise Labs blog.