Since at least early December 2019, a mysterious hacker group has been taking over DrayTek enterprise routers to eavesdrop on FTP and email traffic inside corporate networks, Chinese security firm Qihoo 360 said today.
In a report published on the blog of its network security division Netlab, Qihoo said its researchers detected two different threat actors, each exploiting a different zero-day vulnerability in DrayTek Vigor — load-balancing routers and VPN gateways typically deployed on enterprise networks.
Attack Group A — stealing FTP and email traffic
Of the two hacker groups, the first — identified only as “Attack Group A” — appears to be, by far, the more sophisticated of the two.
According to Qihoo, the group popped up on their radar on December 4, last year, when they detected a pretty complex attack on DrayTek devices.
Qihoo says Attack Group A abused a vulnerability in the RSA-encrypted login mechanism of DrayTek devices to hide malicious code inside the router’s username login field.
When a DrayTek router received and then decrypted the boobytrapped RSA-encrypted login data, it ran the malicious code and granted the hackers control over the router.
But here’s where things got weird. Instead of abusing the device to launch DDoS attacks or re-route traffic as part of a proxy network, the hackers turned into a spy-box.
Researchers say the hackers deployed a script that recorded traffic coming over port 21 (FTP – file transfer), port 25 (SMTP – email), port 110 (POP3 – email), and port 143 (IMAP – email).
Then, on every Monday, Wednesday, and Friday at 0:00, the script would upload all the recorded traffic to a remote server.
Qihoo researchers didn’t speculate why hackers were collecting FTP and email traffic. But speaking to ZDNet over the phone, a security researcher pointed out that this looked like a classic reconnaissance operation.
“All four protocols are cleartext. It’s obvious they’re logging traffic to collect login credentials for FTP and email accounts,” the researcher told ZDNet. “Those creds are flying unencrypted over the network. They’re easy pickings.”
***The researcher didn’t want his name shared for this article as he was not authorized to speak to the press without his employer’s PR department approval.
Furthermore, ZDNet also understands from another industry source that the group’s hacking campaign has not gone unnoticed and has been kept under observation by other cyber-security firms. However, Attack Group A doesn’t share any server infrastructure or malware samples with any other known hacking group — so this, for now, appears to be a new group.
Attack Group B — creating backdoor accounts
But DrayTek devices have also been abused by a second group, which Qihoo codenamed “Attack Group B.”
This group used a different zero-day, but the hackers didn’t discover it themselves. Instead, the zero-day was first described in a January 26 post on the Skull Army blog, and the hackers began exploiting it two days later.
Per Qihoo, the hackers used this second zero-day to execute code on vulnerable DrayTek devices by exploiting a bug in the “rtick” process to create backdoor accounts on the hacked routers. What they did with those accounts remains unknown.
Patches released in February
Qihoo said its researchers notified DrayTek about both zero-days once they detected attacks; however, their first alert was sent through an incorrect channel and was never seen by DrayTek’s staff.
The vendor did eventually learned of the two zero-days after Group B’s attacks in January and released firmware patches on February 10. DrayTek even went out of its way to release a firmware patch for a now-discontinued router model.
Using the BinaryEdge search engine, ZDNet was able to find more than 978,000 DrayTek Vigor devices on the internet, although, Qihoo says that only around 100,000 of these are running a firmware version that’s vulnerable to attacks.