From December 2019, 360Netlab Threat Detection System has observed two mysterious hacker group that was exploiting zero-day in DrayTek Vigor enterprise routers and switch devices to carry out different attacks such as creating a backdoor, eavesdropping on the client’s traffic, running SSH services on high ports.
Eavesdropping which is also known as sniffing or where someone sitting on the network which is capturing all the traffic for later analysis it is a type of reconnaissance.
STEALING FTP AND EMAIL TRAFFIC-Group A
Among the two groups, according to Qihoo the group A exploited a vulnerability in the RSA-encrypted login mechanism of the router’s DrayTek devices where they hide their malicious code in the router’s username login field.
When the router received and decrypted the secure RSA encryption it ran a malicious code that let the hackers take over the control of the routers. Most of the hackers after taking control over a router will launch a DDoS or redirect network traffic by changing the DNS setting but this group has done something weird they converted it into a spy-box.
After that, the hackers deployed a script that eavesdrops all the traffic over the ports 21(FTP), 25((SMTP), 143(IMAP), and 110(POP3).
All four protocols are cleartext. It’s obvious they’re logging traffic to collect login credentials for FTP and email accounts. Those creds are flying unencrypted over the network. They’re easy pickings.The Researcher told.
A detailed report of the vulnerability is published here.
CREATING BACKDOOR ACCOUNTS- Group B
Another mysterious hacker group used the zero-day RCE vulnerability that was described in the Skull Army blog in January and two days later hackers began exploiting the vulnerability in wild.
The hackers created an SSH backdoor on TCP / 22335 and TCP / 32459 and a system backdoor account.
According to Qihoo attackers used the zero-day remote code execution in the DrayTek devices by exploiting a bug in the “rtick” by creating a backdoor vulnerability.
After that Qihoo researchers have notified DrayTek company about the zero-day and on February 10 DreyTek released firmware patches and they also released the firmware patch for the discontinued router models.
Using the BinaryEdge search engine there were more than 978,000 DrayTek Vigor devices on the internet, although, Qihoo says that only around 100,000 of these are running a firmware version that’s vulnerable to attacks.ZDNet found