Experts Insight On A Mysterious Hacker Group Is Eavesdropping On Corporate Email And FTP Traffic

Since at least early December 2019, a mysterious hacker group has been taking over DrayTek enterprise routers to eavesdrop on FTP and email traffic inside corporate networks. In a report published on the blog of its network security division Netlab, Qihoo said its researchers detected two different threat actors, each exploiting a different zero-day vulnerability in DrayTek Vigor — load-balancing routers and VPN gateways typically deployed on enterprise networks. The hackers abused a vulnerability in the RSA-encrypted login mechanism of DrayTek devices to hide malicious code inside the router’s username login field. When a DrayTek router received and then decrypted the boobytrapped RSA-encrypted login data, it ran the malicious code and granted the hackers control over the router. Instead of abusing the device to launch DDoS attacks or re-route traffic as part of a proxy network, the hackers turned into a spy-box. Researchers say the hackers deployed a script that recorded traffic coming over port 21 (FTP – file transfer), port 25 (SMTP – email), port 110 (POP3 – email), and port 143 (IMAP – email).

Experts Comments

March 31, 2020
James McQuiggan
Security Awareness Advocate
KnowBe4
It's a common rule of thumb in cybersecurity for organizations to be aware of the products utilized for their infrastructure, systems and applications. It's important to make sure they are aware of updates when they become available for those products and to implement a change control process and patch program to fix any known vulnerabilities. With this particular exploit, the developer released an update, so organizations will want to mitigate their risk of an attack by updating their.....Read More
It's a common rule of thumb in cybersecurity for organizations to be aware of the products utilized for their infrastructure, systems and applications. It's important to make sure they are aware of updates when they become available for those products and to implement a change control process and patch program to fix any known vulnerabilities. With this particular exploit, the developer released an update, so organizations will want to mitigate their risk of an attack by updating their routers as soon as possible. With these two zero days, it's like knowing you have burglaries happening in the neighborhood, but are not taking the necessary steps to secure your home, especially when you know the front door is broken.  Read Less
March 31, 2020
Richard Bejtlich
Principal Security Strategist
Corelight
The four TCP ports reported in this story are unencrypted communications channels. There are encrypted alternatives for all of them. If organizations remove these unencrypted protocols from their environment, they would mitigate the consequences of this threat actor's current mode of operation.
What do you think of the topic? Do you agree with expert(s) or share your expert opinion below.
Be part of our growing Information Security Expert Community (1000+), please register here.

Share on facebook
Share on twitter
Share on linkedin

Recent Posts

Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics

Twitter Facebook-f Linkedin Youtube

Working With Us

The Pages

Our Contributing Experts