DrayTek Routers

Threat actors are exploiting a zero-day vulnerability in DrayTek routers and changing the DNS settings to communicate with a server at 38[.]134[.]121[.]95. The motivation for changing users' DNS settings is unknown; however, threat actors may be changing the settings in order to conduct Man-in-the-Middle (MitM) attacks and redirect users to fraudulent websites designed to appear legitimate. There are approximately 6,720 DrayTek devices in the United States that may be vulnerable. The NJCCIC recommends that users and administrators of DrayTek routers review the DrayTek Advisories (12) for more information and a list of affected devices, check their current DNS settings following the instructions provided, and apply the firmware update as soon as it is made available.
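One way to perform the recommended DNS check is to compare the resolvers a router hands out against the ISP or corporate resolvers you expect and against the indicator above. The following script is an added example, not code from the NJCCIC or DrayTek; it assumes the resolver list is available as resolv.conf-style text (for example from a client behind the router), and the expected network 192.0.2.0/24 and the sample file are constructed.

```python
import ipaddress
import re

# Indicator published in the advisory, kept in its defanged form.
DEFANGED_IOC = "38[.]134[.]121[.]95"


def refang(indicator: str) -> str:
    """Turn a defanged IPv4 indicator (38[.]134[.]121[.]95) into a parseable address."""
    return indicator.replace("[.]", ".")


def parse_resolvers(resolv_conf: str) -> list[str]:
    """Extract nameserver entries from resolv.conf-style text, ignoring comments."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"nameserver\s+(\S+)", line)
        if m:
            servers.append(m.group(1))
    return servers


def check_resolvers(servers, expected_networks, known_bad):
    """Classify each resolver as 'known_bad', 'ok' (inside an expected network),
    'unexpected' (valid address outside the expected networks) or 'invalid'."""
    bad = {ipaddress.ip_address(refang(i)) for i in known_bad}
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    findings = {}
    for s in servers:
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            findings[s] = "invalid"
            continue
        if ip in bad:
            findings[s] = "known_bad"
        elif any(ip in n for n in nets):
            findings[s] = "ok"
        else:
            findings[s] = "unexpected"
    return findings


# Constructed sample: one expected ISP resolver (TEST-NET-1) plus the advisory's indicator.
SAMPLE_RESOLV_CONF = """# generated by router DHCP (constructed sample)
nameserver 192.0.2.53   # expected ISP resolver (constructed)
nameserver 38.134.121.95
"""

if __name__ == "__main__":
    servers = parse_resolvers(SAMPLE_RESOLV_CONF)
    for server, verdict in check_resolvers(servers, ["192.0.2.0/24"], [DEFANGED_IOC]).items():
        print(f"{server}: {verdict}")
```

Any resolver reported as known_bad or unexpected warrants restoring the router's DNS configuration and reviewing the device per the DrayTek advisories.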