Experts from Qihoo 360’s NetLab recently spotted two zero-day campaigns targeting DrayTek enterprise-grade networking devices.

Since December 2019, researchers from Qihoo 360 observed two different attack groups that are employing two zero-days exploits to take over DrayTek enterprise routers to eavesdrop on FTP and email traffic inside corporate networks.

While Netlab360 has found about ~100,000 devices online, independent researchers speculate the number could be higher.

#0-day Since 2019-12-04 08:22:29 (UTC), we have been witnessing ongoing 0 day attack targeting a network CPE vendor (not the big players, but there are about ~100,000 devices online according to public available data). The attacker is snooping on port 21,25,143,110 (1/2) — 360 Netlab (@360Netlab) December 25, 2019

#0-day And sending the captured files to a receiver at 103.82.143.51. Due to the real impact here, we suggest reader looking for anything going to that IP on their network and take necessary actions. (2/2) — 360 Netlab (@360Netlab) December 25, 2019

“From December 4, 2019, 360Netlab Threat Detection System has observed two different attack groups using two 0-day vulnerabilities of DrayTek Vigor enterprise routers and switch devices to conduct a series of attacks, including eavesdropping on device’s network traffic, running SSH services on high ports, creating system backdoor accounts, and even creating a specific Malicious Web Session backdoor.” reads the report published by Qihoo 360.

The two critical remote command injection vulnerabilities tracked as CVE-2020-8515 affect DrayTek Vigor network devices, including enterprise switches, routers, load-balancers, and VPN gateway.

On February 10, 2020, the Taiwanese manufacturer DrayTek issued a security bulletin to address the vulnerability with the release of the firmware program 1.5.1.

“On Jan 30th we became aware of a possible exploit of the Vigor2960/3900/300B related to the WebUI. It was identified during testing and reported to us. On the 6th Feb, we released an updated firmware to address this issue.” reads the security bulletin.

“You should upgrade as soon as possible to 1.5.1 firmware or later. If you have remote access enabled on your router, disable it if you don’t need it, and use an access control list if possible. If you have not updated the firmware yet, disable remote access (admin) and SSL VPN. The ACL does not apply to SSL VPN connections (Port 443) so you should also temporarily disable SSL VPN until you have updated the firmware.

The issue only affects the Vigor 3900 / 2960 / 300B and is not known to affect any other DrayTek products.”

The attacks are still ongoing, hackers are attempting to compromise publicly exposed DrayTek enterprise switches, Vigor 2960, 3900, 300B devices that haven’t yet been patched.

The two zero-day vulnerability command injection points are keyPath and rtick , which are located in the /www/cgi-bin/mainfunction.cgi, and the corresponding Web Server program is /usr/sbin/ lighttpd .

According to the experts, while the first group of hackers exploited the issues to spy on the network traffic.

The second group of hackers employed the rtick command injection vulnerability to:

create 2 sets of Web Session backdoors that never expires in the file /var/session . json ;

2 sets of Web Session that never expires in the file /var/session ; create SSH backdoors on TCP / 22335 and TCP / 32459;

SSH on TCP / 22335 and TCP / 32459; add a system backdoor account wuwuhanhan:caonimuqin.

Experts pointed out that even after reinstalling the firmware update, it won’t remove backdoor accounts created by attackers.

“We recommend that DrayTek Vigor users check and update their firmwares in a timely manner, and check whether there is a tcpdump process, SSH backdoor account, Web Session backdoor , etc on their systems.” continues the experts.

“We recommend the following IoCs to be monitored and blocked on the networks where it is applicable.”

Experts published a list of Indicators of Compromise (IoCs) that could be checked to determine whether a device has been compromised.

The following firmware versions are impacted:

Vigor2960 < v1.5.1

Vigor300B < v1.5.1

Vigor3900 < v1.5.1

VigorSwitch20P2121 <= v2.3.2

VigorSwitch20G1280 <= v2.3.2

VigorSwitch20P1280 <= v2.3.2

VigorSwitch20G2280 <= v2.3.2

VigorSwitch20P2280 <= v2.3.2

Technical details on the vulnerabilities have been described here by an independent researcher.

Pierluigi Paganini