Posted on March 28, 2020 at 3:18 PM
Chinese security outfit Qihoo 360 revealed today that a mysterious hacking group has been eavesdropping on email and FTP traffic inside corporate networks. The security firm says the group is exploiting a zero-day vulnerability in DrayTek enterprise routers to do so.
According to a recent report published by Qihoo's network security division, there were two different threat actors, each exploiting a different zero-day vulnerability in DrayTek Vigor devices, a line of VPN gateways and load-balancing routers usually deployed on enterprise networks.
The first group is more sophisticated
From the report, the first group of attackers appears to be more dangerous and sophisticated.
The group first appeared on Qihoo's radar on December 4, when the firm observed a highly sophisticated attack on DrayTek devices.
The security outfit pointed out that the group hid malicious code in the username field of the DrayTek login form, exploiting a vulnerability in the router's RSA-encrypted login mechanism.
As soon as the DrayTek router decrypted the RSA-encrypted login data, the malicious code was executed on the device, giving the attackers complete control over the affected router.
Hackers turn routers into a spy-box
The unusual thing about this attack is that the hackers were not interested in the usual objectives, such as rerouting traffic or launching DDoS attacks. Instead, they turned the compromised routers into a spy-box.
Qihoo pointed out that the hackers installed a script that recorded traffic for IMAP email (port 143), POP3 email (port 110), SMTP email (port 25), and FTP file transfer (port 21).
Afterward, the script uploaded all the captured traffic to a remote server on Mondays, Wednesdays, and Fridays.
The security experts could not determine why the hackers were collecting email and FTP traffic. However, one of the researchers noted that the operation closely resembles classic reconnaissance activity.
He said, “All four protocols are cleartext. It’s obvious they’re logging traffic to collect login credentials for FTP and email accounts.”
The researcher, who wanted to remain anonymous, said the credentials are easy pickings because they are all moving over the network unencrypted.
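The capture-and-upload pattern described above lends itself to a simple flow-log check from the defender's side: which clients still send credentials over cleartext mail and FTP ports, and whether the gateway itself is originating bulk uploads to one external host on a fixed weekly schedule. The script below is an added example, not code from the article or from Qihoo's report; it runs over constructed NetFlow-style records and assumes a gateway address of 10.1.1.1, an internal range of 10.0.0.0/8, and a 1 MB volume threshold.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Ports the attackers' logging script captured, per the article.
CLEARTEXT_PORTS = {21: "ftp", 25: "smtp", 110: "pop3", 143: "imap"}
INTERNAL = ip_network("10.0.0.0/8")  # assumed internal range
DAYS = ("Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday")

# Constructed sample flows: (timestamp, src, dst, dst_port, bytes_sent).
# 2020-02-03 is a Monday; the assumed gateway 10.1.1.1 pushes ~5 MB to one
# external host every Monday, Wednesday and Friday for two weeks.
SAMPLE_FLOWS = [
    ("2020-02-03T09:10:00", "10.1.1.20", "10.1.1.5", 143, 2_400),
    ("2020-02-03T09:12:00", "10.1.1.21", "203.0.113.9", 21, 8_000),
    ("2020-02-03T23:00:00", "10.1.1.1", "198.51.100.7", 443, 5_000_000),
    ("2020-02-04T08:00:00", "10.1.1.1", "198.51.100.7", 443, 3_000),
    ("2020-02-05T23:00:00", "10.1.1.1", "198.51.100.7", 443, 4_800_000),
    ("2020-02-07T23:00:00", "10.1.1.1", "198.51.100.7", 443, 5_100_000),
    ("2020-02-10T23:00:00", "10.1.1.1", "198.51.100.7", 443, 5_200_000),
    ("2020-02-12T23:00:00", "10.1.1.1", "198.51.100.7", 443, 4_900_000),
    ("2020-02-14T23:00:00", "10.1.1.1", "198.51.100.7", 443, 5_000_000),
]


def cleartext_exposure(flows):
    """Map each client to the cleartext mail/FTP protocols it still uses.
    Every session listed here carries credentials a router-level sniffer can read."""
    exposure = {}
    for _, src, _, dport, _ in flows:
        if dport in CLEARTEXT_PORTS:
            exposure.setdefault(src, set()).add(CLEARTEXT_PORTS[dport])
    return exposure


def scheduled_uploads(flows, gateway_ip, min_bytes=1_000_000, min_weeks=2):
    """Return (external_host, weekday) pairs on which the gateway itself sent at
    least `min_bytes` in `min_weeks` or more distinct ISO weeks. A router should
    forward traffic, not originate bulk uploads on a fixed weekly schedule."""
    weeks_seen = {}
    for ts, src, dst, _, nbytes in flows:
        if src != gateway_ip or nbytes < min_bytes or ip_address(dst) in INTERNAL:
            continue
        when = datetime.fromisoformat(ts)
        key = (dst, DAYS[when.weekday()])
        weeks_seen.setdefault(key, set()).add(when.isocalendar()[1])
    return sorted(k for k, weeks in weeks_seen.items() if len(weeks) >= min_weeks)


if __name__ == "__main__":
    print(cleartext_exposure(SAMPLE_FLOWS))
    print(scheduled_uploads(SAMPLE_FLOWS, "10.1.1.1"))
```

On the sample data the first check names the two clients still using IMAP and FTP in the clear, and the second reports the Monday/Wednesday/Friday upload pattern to the external host while ignoring the small Tuesday flow.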
Other security firms have also noticed the group's campaigns. But the first group does not share any malware samples or server infrastructure with known hacking groups, which is why the security firms are treating it as a new group.
Second attack group is creating backdoor accounts
Although the second attack group appears to be less sophisticated, it is also causing damage by creating backdoor accounts.
This group has likewise abused DrayTek devices, as discovered by the Qihoo security outfit.
The group exploits a different zero-day, which it did not discover itself: the flaw was first described on the Skull Army blog on January 26, and the group began exploiting it two days later.
According to Qihoo, the second group used this zero-day against susceptible DrayTek devices, exploiting a vulnerability in the "rtick" component to create backdoor accounts. What the hackers then did with those accounts is not clear.
Updates for the vulnerabilities were released last month
Qihoo pointed out that when its researchers notified DrayTek about the zero-days, the vendor did not receive the first alert because it was delivered through the wrong channel.
But the vendor eventually received the second message and released patches for the vulnerabilities on February 10. The vendor even went ahead and released updates for a discontinued router model.
Qihoo pointed out that the exploitation was observed on almost all DrayTek Vigor models, including the Vigor 300B, 3900, and 2960.
Currently, there are over 900,000 DrayTek Vigor devices online, but Qihoo says that about 100,000 of the devices are running firmware versions that are susceptible to attacks.
The researchers have pointed out that devices with the patches applied are no longer vulnerable to exploitation by either the first or the second hacking group.