DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

ZuoRAT exploit

More
30 Jun 2022 15:31 #101318 by pharcyder
ZuoRAT exploit was created by pharcyder

Please Log in or Create an account to join the conversation.

More
01 Jul 2022 13:10 #101320 by chainsawdude
Replied by chainsawdude on topic Re: ZuoRAT exploit
The reports say that ZuoRAT attacks routers that use the MIPS architecture, including Draytek.

My understanding is that MIPS is dead and no modern device should be using it.
Does anyone know which Draytek models use the MIPS architecture?

Please Log in or Create an account to join the conversation.

More
02 Jul 2022 01:44 #101325 by hornbyp
Replied by hornbyp on topic Re: ZuoRAT exploit
The Research 'paper' that describes the exploit, appears to be here ; it takes some reading though :shock:
(It does mention the Draytek Vigor 3900...)
Malwarebytes have attempted to dissect what it says, but it's still not clear (to me).

(I'm not entirely sure where the 'MIPS' reference has come from though, nor what the current status of MIPS is - it does still seem to be alive-and-kicking )

Please Log in or Create an account to join the conversation.

More
03 Jul 2022 10:23 #101329 by timo_w2s
Replied by timo_w2s on topic Re: ZuoRAT exploit
Thanks for bringing this up as I was wondering what the situation is too. It would be nice to hear Draytek's view on all this.

What are people's views on regularly rebooting routers to help mitigate these attacks? (As I believe the initial malware only sits in the ram and is lost when rebooted) Is a reboot within the control panel enough to remove any potential malware or should we power down completely first? One of the things I like about my Draytek routers is they can have uptimes of months or years without issues but maybe I shouldn't be leaving them going that long... :shock: (normally my routers only get rebooted during firmware upgrades or power cuts)

Please Log in or Create an account to join the conversation.

More
03 Jul 2022 17:01 #101330 by aimdev
Replied by aimdev on topic Re: ZuoRAT exploit
I informed Draytek UK via email on 29-Jun-2022, and I received a message that it would be passed on to the relevant team.
Included was the link identifying the issue.
They are aware of the issue.

Please Log in or Create an account to join the conversation.

More
03 Jul 2022 19:50 #101331 by chainsawdude
Replied by chainsawdude on topic Re: ZuoRAT exploit
I read somewhere (bleepingcomputer) that ZuoRAT uses known vulnerabilities that have been patched. If so then it could just be a matter of ensuring we are using the latest firmware.
In anycase I would like Draytek to say so, but the chances are that Draytek don't have enough information at present. (I don't think the security researchers are 100% certain of the details at this point)

Please Log in or Create an account to join the conversation.

Moderators: ChrisSami