Chinese security firm Qihoo 360 reported that since December 2019, a miscreants group has been hacking into DrayTek enterprise routers to record and spy on FTP ( File Transfer Protocol) and email traffic inside the corporate network.
Netlab the network security division of Qihoo published a report saying, they detected two different groups, each one exploiting a zero-day vulnerability in DrayTek Vigor-
- Attack Group A – using load-balancing routers and
- Attack Group B – using VPN gateways.
Qihoo did warn DrayTek about their zero-day vulnerability but the message was sent to the incorrect receiver and could not reach DrayTek.
Although the company did learn about the zero-days but only after group B attacks in January and released the patches on February 10. The attacked models are discontinued routers, still, DrayTek released their patches as soon as they could.
Qihoo reported the attacked models – DrayTek Vigor 2960, 3900, and 300B and said only 10,000 of these (active number) are running the vulnerable firmware version.
The Attack Groups
Amongst the two groups, Attack group A is quite ahead and advanced.
It exploited a vulnerability in the RSA-encrypted login mechanism of DrayTek routers to insert malicious code in the username login fields through which the hackers could control the router.
Now, the hackers could have used this access to launch DDos attacks or more but they used it as a spy device to record traffic coming over FTP and emails.
The recorded scripts were then uploaded to a remote server every Monday, Wednesday, and Friday at 00:00.Zdnet reports they recorded the data to access the login credentials of FTP and corporate email accounts.
Qihoo named the second group of hackers as “Attack Group B”.
The second group used a different zero-day vulnerability, first disclosed by Skull Army blog in a 26 Jan post. The bad actors read it from the blog and began exploiting it in mere two days.
Zdnet reports, “Per Qihoo, the hackers used this second zero-day to execute code on vulnerable DrayTek devices by exploiting a bug in the “rtick” process to create backdoor accounts on the hacked routers. What they did with those accounts remains unknown”.