Experts of the Chinese company Qihoo 360 published a report in which they warned that since December 2019, unknown hacker groups have been hacking DrayTek corporate routers to eavesdrop on FTP and email traffic inside corporate networks. According to the experts, at least two groups use different 0-day vulnerabilities in DrayTek Vigor devices (load-balancing routers and VPN gateways commonly used in corporate networks). Analysts have observed attacks on the DrayTek Vigor 2960, 3900 and 300B.
The first group, which the researchers designated “Group A,” uses the more sophisticated tactics. These intruders have been active since December 4, 2019 and abuse a vulnerability in the RSA-encrypted login mechanism: they hide malicious code in the username field. When the DrayTek router receives and decrypts such credentials, it executes the malicious code, and the attackers take full control of the device.
But instead of using the compromised device in the traditional way, to launch DDoS attacks or proxy traffic, the hackers use it as a tool for espionage and intelligence gathering. The researchers write that the Group A attackers deploy a script on the devices that records all traffic passing through port 21 (FTP, file transfer), port 25 (SMTP, email), port 110 (POP3, email) and port 143 (IMAP, email). Then, every Monday, Wednesday and Friday at 00:00, this script uploads all the recorded traffic to a remote server.
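A defender-side check suggested by the cadence above, added here as an example and not taken from the Qihoo 360 report: it scans constructed flow records for bulk uploads that the router itself originates to an external address at 00:00 on Monday, Wednesday or Friday, and tallies the bytes that crossed the four captured ports to scope what plaintext mail and FTP may have been exposed. The flow record format, the router address 192.0.2.1 and the internal range 10.0.0.0/8 are assumptions.

```python
import ipaddress
from datetime import datetime

# Ports the report says the Group A script records (FTP, SMTP, POP3, IMAP).
CAPTURED_PORTS = {21, 25, 110, 143}
# Upload schedule from the report: Mon/Wed/Fri at 00:00 (weekday(): Mon=0, Wed=2, Fri=4).
EXFIL_WEEKDAYS = {0, 2, 4}
# Assumed internal address space of the monitored network (constructed).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def parse_flow(line):
    """Parse one constructed flow record: '<ISO timestamp> <src> <dst> <dport> <bytes>'."""
    ts, src, dst, dport, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def find_suspicious_uploads(flows, router_ip, min_bytes=1_000_000):
    """Flag bulk flows the router itself originates to an external address during the
    00:00 hour on Mon/Wed/Fri; routers rarely originate bulk traffic on their own."""
    hits = []
    for ts, src, dst, dport, nbytes in flows:
        if src != router_ip or is_internal(dst):
            continue
        if ts.weekday() in EXFIL_WEEKDAYS and ts.hour == 0 and nbytes >= min_bytes:
            hits.append((ts.isoformat(), dst, dport, nbytes))
    return hits

def captured_port_volume(flows):
    """Upper bound on plaintext bytes the capture script could have recorded."""
    return sum(n for _, _, _, p, n in flows if p in CAPTURED_PORTS)

# Constructed sample records, not taken from the report.
# 2020-02-03 is a Monday, 02-04 a Tuesday, 02-05 a Wednesday, 02-07 a Friday.
SAMPLE_FLOWS = [
    "2020-02-03T09:15:00 10.0.0.23 10.0.0.5 143 48210",        # internal IMAP, capturable
    "2020-02-03T10:02:00 10.0.0.24 203.0.113.9 25 91342",      # outbound SMTP, capturable
    "2020-02-04T00:00:07 192.0.2.1 198.51.100.7 443 5242880",  # Tuesday: off-schedule
    "2020-02-05T00:00:12 192.0.2.1 198.51.100.7 443 5242880",  # Wednesday 00:00 bulk upload
    "2020-02-05T00:00:30 192.0.2.1 203.0.113.53 53 120",       # small DNS query, below threshold
    "2020-02-07T00:03:41 192.0.2.1 10.0.0.5 445 8000000",      # Friday, but internal destination
]

def scan(lines=SAMPLE_FLOWS, router_ip="192.0.2.1"):
    """Run both checks; returns (suspicious_uploads, captured_bytes)."""
    flows = [parse_flow(l) for l in lines]
    return find_suspicious_uploads(flows, router_ip), captured_port_volume(flows)
```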
DrayTek devices are also attacked by a second group, which the researchers designated “Group B.” This group used a different zero-day vulnerability, but the hackers did not discover it themselves: the 0-day was described in a post dated January 26, 2020 on the Skull Army blog, and the hackers began exploiting the problem two days later.
According to Qihoo 360, this group uses the second zero-day to execute code: it exploits a bug in the rtick process to create accounts on the hacked routers. What happens to these accounts after they are created is still unknown.
After detecting the attacks, the Chinese company's experts notified DrayTek engineers about both problems; however, their first warning was sent over the wrong channel, and DrayTek staff did not notice it. After Group B's attacks in January of this year, the manufacturer finally “heard” the experts and on February 10 released fixed firmware versions, even for devices whose support had already been discontinued.
Nevertheless, far from everyone has installed the updates. According to the BinaryEdge search engine, more than 978,000 DrayTek Vigor devices can currently be found on the Internet, and researchers say about 100,000 of these still run vulnerable firmware versions.