Since at least early December 2019, a mysterious hacker group has been taking over DrayTek enterprise routers to eavesdrop on FTP and email traffic inside corporate networks. In a report published on the blog of its network security division Netlab, Qihoo said its researchers detected two different threat actors, each exploiting a different zero-day vulnerability in DrayTek Vigor devices, the load-balancing routers and VPN gateways typically deployed on enterprise networks. The hackers abused a vulnerability in the RSA-encrypted login mechanism of DrayTek devices to hide malicious code inside the router’s username login field. When a DrayTek router received and then decrypted the booby-trapped RSA-encrypted login data, it ran the malicious code and granted the hackers control over the router. Instead of abusing the device to launch DDoS attacks or to re-route traffic as part of a proxy network, the hackers turned it into a spy box. Researchers say the hackers deployed a script that recorded traffic passing over port 21 (FTP, file transfer), port 25 (SMTP, email), port 110 (POP3, email), and port 143 (IMAP, email).
It’s a common rule of thumb in cybersecurity for organizations to be aware of the products used in their infrastructure, systems and applications. It’s important that they know when updates become available for those products, and that they implement a change control process and patch program to fix known vulnerabilities.
With this particular exploit, the developer has released an update, so organizations will want to reduce their risk of attack by updating their routers as soon as possible. With these two zero-days, it’s like knowing burglaries are happening in the neighborhood but not taking the necessary steps to secure your home, especially when you know the front door is broken.
The four TCP ports reported in this story are unencrypted communication channels. Encrypted alternatives exist for all of them. If organizations remove these unencrypted protocols from their environment, they would blunt the consequences of this threat actor’s current mode of operation.
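An added example, not from the article or from the Netlab researchers: a small Python audit that scans flow records for TCP sessions to the four cleartext ports named above and reports, per server, how many clients still use them and which encrypted alternative (standard port numbers) to migrate to. The tab-separated log format and all addresses are constructed for illustration.

```python
"""Audit flow records for cleartext FTP/SMTP/POP3/IMAP sessions."""
from collections import defaultdict

# The cleartext TCP services the attackers captured, mapped to the
# encrypted replacement each should be migrated to (standard ports).
CLEARTEXT_PORTS = {
    21: ("FTP", "SFTP (22) or FTPS (990)"),
    25: ("SMTP", "SMTP with STARTTLS, or submission over TLS (465/587)"),
    110: ("POP3", "POP3S (995)"),
    143: ("IMAP", "IMAPS (993)"),
}

def parse_conn_line(line):
    """Parse one constructed record: ts, src, sport, dst, dport, proto.
    Returns None for comment, blank or malformed lines."""
    if not line.strip() or line.startswith("#"):
        return None
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 6:
        return None
    try:
        return {"src": fields[1], "dst": fields[3],
                "dport": int(fields[4]), "proto": fields[5]}
    except ValueError:
        return None

def audit_cleartext(lines):
    """Return {(server, service): {"sessions", "clients", "migrate_to"}}
    for every TCP session that hit one of the cleartext ports."""
    findings = defaultdict(lambda: {"sessions": 0, "clients": set(), "migrate_to": ""})
    for line in lines:
        rec = parse_conn_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] not in CLEARTEXT_PORTS:
            continue
        service, alternative = CLEARTEXT_PORTS[rec["dport"]]
        entry = findings[(rec["dst"], service)]
        entry["sessions"] += 1
        entry["clients"].add(rec["src"])
        entry["migrate_to"] = alternative
    return dict(findings)

# Constructed sample flow records (not real traffic); port 993 and UDP are ignored.
SAMPLE_LOG = """#fields ts src sport dst dport proto
1575400000.1\t10.0.1.20\t51000\t10.0.2.5\t143\ttcp
1575400001.2\t10.0.1.21\t51001\t10.0.2.5\t143\ttcp
1575400002.3\t10.0.1.20\t51002\t10.0.2.5\t993\ttcp
1575400003.4\t10.0.1.22\t51003\t10.0.2.9\t21\ttcp
1575400004.5\t10.0.1.22\t51004\t10.0.2.9\t25\ttcp
1575400005.6\t10.0.1.23\t5353\t224.0.0.251\t5353\tudp
"""

if __name__ == "__main__":
    for (dst, svc), f in sorted(audit_cleartext(SAMPLE_LOG.splitlines()).items()):
        print(f"{dst} {svc}: {f['sessions']} sessions from {len(f['clients'])} clients -> {f['migrate_to']}")
```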