Alert: Crims hijack these DrayTek routers to attack biz

If you're still using post-support DrayTek Vigor routers it may be time to junk them, see if they can be patched, or come up with some other workaround, as a malware variant is setting up shop in the kit. The operators behind the Hiatus malware campaign are hijacking DrayTek Vigor router models 2960 and 3900 powered by MIPS, …

  1. Furious Reg reader John

    The vulnerability applies to more than just 2960 and 3900 routers

    The RAT may only affect the routers in the article, but many more systems are vulnerable to the exploit that maybe led to the RAT:

    Affected Model          Fixed Firmware Version
    Vigor3910               4.3.1.1
    Vigor3220 Series        3.9.7.2
    Vigor2962 Series        4.3.1.1
    Vigor2952 / 2952P       3.9.7.2
    Vigor2927 Series        4.4.0
    Vigor2927 LTE Series    4.4.0
    Vigor2926 Series        3.9.8.1
    Vigor2926 LTE Series    3.9.8.1
    Vigor2925 Series        3.9.2
    Vigor2925 LTE Series    3.9.2
    Vigor2915 Series        4.3.3.2
    Vigor2912               3.8.15
    Vigor2866 Series        4.4.0
    Vigor2866 LTE Series    4.4.0
    Vigor2865 Series        4.4.0
    Vigor2865 LTE Series    4.4.0
    Vigor2862 Series        3.9.8.1
    Vigor2862 LTE Series    3.9.8.1
    Vigor2860 Series        3.9.2
    Vigor2860 LTE Series    3.9.2
    Vigor2832               3.9.6.1
    Vigor2766 Series        4.4.2
    Vigor2765 Series        4.4.2
    Vigor2762 Series        3.9.6.4
    Vigor2760 Series        3.8.9.6
    Vigor2620 LTE Series    3.9.8.1
    VigorLTE 200n           3.9.8.1
    Vigor2135 Series        4.4.2
    Vigor2133 Series        3.9.6.4
    Vigor1000B              4.3.1.1
    Vigor166                4.2.4
    Vigor165                4.2.4

    Firmware updates are free, so get patching if you haven't already.

    1. Alan W. Rateliff, II

      Re: The vulnerability applies to more than just 2960 and 3900 routers

      I really like the DrayTek Vigors, which seem to not be commercially popular devices over this side of the world. I just had to replace my 2862 which was about four or five years old. Other than lacking support and this nasty security vuln, if the modem had not been damaged it might have lived here even longer. Of course, the replacement unit is faster and has better wireless.

  2. Anonymous Coward

    "drops a bash script and deploys two malicious executables"

    How??

    I can't even get out a text version of the config.

  3. greenwood-IT

    I cancelled a Trooli fibre installation a couple of months ago as they insisted that they deploy and manage an obsolete 3900. I wonder what they are going to do now...

    If you're going to insist on only allowing the use of supplier kit, surely you'd provide something that's supported :-(
