Several undocumented DrayTek Vigor router vulnerabilities have been exploited by ransomware operations to compromise over 300 organizations as part of an attack campaign between August and September 2023, reports SecurityWeek.
Intrusions were initially conducted by the Monstrous Mantis operation, which exfiltrated DrayTek device credentials and later shared them with its partners Ruthless Mantis, also known as PTI-288, and LARVA-15, also known as Wazawaka, according to an analysis from Forescout. While the REvil-linked Ruthless Mantis leveraged the credentials to facilitate Qilin and Nokoyawa ransomware infections across at least 337 organizations, primarily in the Netherlands and the UK, LARVA-15 went on to resell the credentials to other threat actors after compromising organizations in the UK, the Netherlands, Taiwan, France, Germany, Italy, Poland, and Turkey, researchers said. "By selectively sharing decrypted credentials with trusted partners, Monstrous Mantis maintained tight control over victim allocation and ensured operational secrecy. This strategy allowed them to profit indirectly from ransomware attacks executed by their partners while minimizing their own exposure," said the report.