A mysterious hacker group is eavesdropping on corporate email and FTP traffic

Hacker group uses zero-day in DrayTek Vigor enterprise routers and VPN gateways to record network traffic.

[Image: DrayTek Vigor router. Credit: DrayTek, ZDNet]

Since at least early December 2019, a mysterious hacker group has been taking over DrayTek enterprise routers to eavesdrop on FTP and email traffic inside corporate networks, Chinese security firm Qihoo 360 said today.

In a report published on the blog of its network security division Netlab, Qihoo said its researchers detected two different threat actors, each exploiting a different zero-day vulnerability in DrayTek Vigor -- load-balancing routers and VPN gateways typically deployed on enterprise networks.

Attack Group A -- stealing FTP and email traffic

Of the two hacker groups, the first -- identified only as "Attack Group A" -- appears to be, by far, the more sophisticated of the two.

According to Qihoo, the group popped up on their radar on December 4, last year, when they detected a pretty complex attack on DrayTek devices.

Qihoo says Attack Group A abused a vulnerability in the RSA-encrypted login mechanism of DrayTek devices to hide malicious code inside the router's username login field.

When a DrayTek router received and then decrypted the boobytrapped RSA-encrypted login data, it ran the malicious code and granted the hackers control over the router.

Instead of abusing the device to launch DDoS attacks or re-route traffic as part of a proxy network, the hackers turned the router into a spy-box. Researchers say the hackers deployed a script that recorded traffic passing over port 21 (FTP - file transfer), port 25 (SMTP - email), port 110 (POP3 - email), and port 143 (IMAP - email).

Then, on every Monday, Wednesday, and Friday at 00:00, the script would upload all the recorded traffic to a remote server.
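As an added illustration (not code from the Netlab report or from ZDNet), the following script scans constructed flow records for uploads originating from the router itself that match the Monday/Wednesday/Friday 00:00 schedule described above, and separately inventories which internal hosts were using the four cleartext protocols whose credentials such a capture would expose. The flow-log format, the router address and the 1 KB size floor are assumptions.

```python
from collections import defaultdict
from datetime import datetime

ROUTER_IP = "192.0.2.1"          # assumed LAN-side address of the DrayTek gateway
CLEARTEXT_PORTS = {21, 25, 110, 143}  # FTP, SMTP, POP3, IMAP: the ports the capture script recorded
MIN_HITS = 2                     # beacons on schedule before a destination is flagged

# Constructed sample records: "<iso-timestamp> <src_ip> <dst_ip> <dst_port> <bytes_out>".
# Dec 4 2019 was a Wednesday, Dec 6 a Friday, Dec 9 a Monday, Dec 5 a Thursday.
SAMPLE_FLOWS = [
    "2019-12-04T00:00:12 192.0.2.1 203.0.113.9 443 48213",   # router upload, Wed 00:00
    "2019-12-04T09:12:01 192.0.2.50 203.0.113.20 110 2210",  # workstation POP3 session
    "2019-12-04T09:30:44 192.0.2.51 203.0.113.21 21 18000",  # workstation FTP session
    "2019-12-04T13:15:00 192.0.2.1 198.51.100.7 123 76",     # router NTP, too small
    "2019-12-05T00:00:20 192.0.2.1 203.0.113.9 443 100",     # Thursday: off schedule, tiny
    "2019-12-06T00:01:03 192.0.2.1 203.0.113.9 443 51930",   # router upload, Fri 00:01
    "2019-12-09T00:00:40 192.0.2.1 203.0.113.9 443 47711",   # router upload, Mon 00:00
]


def parse_flow(line):
    """Split one assumed-format flow record into typed fields."""
    ts, src, dst, port, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)


def on_schedule(ts):
    """True if the timestamp falls in the 00:00 hour of a Monday, Wednesday or Friday."""
    return ts.weekday() in (0, 2, 4) and ts.hour == 0


def find_scheduled_uploads(lines, router_ip=ROUTER_IP, min_hits=MIN_HITS):
    """Return {(dst_ip, dst_port): [timestamps]} for router-originated transfers
    of at least 1 KB that recur on the Mon/Wed/Fri 00:00 schedule."""
    hits = defaultdict(list)
    for line in lines:
        ts, src, dst, port, nbytes = parse_flow(line)
        if src != router_ip or nbytes < 1024:   # only the gateway's own bulk traffic
            continue
        if on_schedule(ts):
            hits[(dst, port)].append(ts)
    return {key: stamps for key, stamps in hits.items() if len(stamps) >= min_hits}


def cleartext_sessions(lines):
    """Return {(src_ip, dst_port)} for sessions on the four cleartext ports, i.e. the
    hosts whose FTP/email credentials a capture on the router could have recorded."""
    return {(src, port) for _, src, _, port, _ in map(parse_flow, lines)
            if port in CLEARTEXT_PORTS}
```

The scheduled-upload check only sees traffic the router itself sends, so it complements rather than replaces firmware integrity checks on the device.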

Qihoo researchers didn't speculate why hackers were collecting FTP and email traffic. But speaking to ZDNet over the phone, a security researcher pointed out that this looked like a classic reconnaissance operation.

"All four protocols are cleartext. It's obvious they're logging traffic to collect login credentials for FTP and email accounts," the researcher told ZDNet. "Those creds are flying unencrypted over the network. They're easy pickings."

***The researcher didn't want his name shared for this article as he was not authorized to speak to the press without his employer's PR department approval.

Furthermore, ZDNet also understands from another industry source that the group's hacking campaign has not gone unnoticed and has been kept under observation by other cyber-security firms. However, Attack Group A doesn't share any server infrastructure or malware samples with any other known hacking group -- so this, for now, appears to be a new group.

Attack Group B -- creating backdoor accounts

But DrayTek devices have also been abused by a second group, which Qihoo codenamed "Attack Group B."

This group used a different zero-day, but the hackers didn't discover it themselves. Instead, the zero-day was first described in a January 26 post on the Skull Army blog, and the hackers began exploiting it two days later.

Per Qihoo, the hackers used this second zero-day to execute code on vulnerable DrayTek devices by exploiting a bug in the "rtick" process to create backdoor accounts on the hacked routers. What they did with those accounts remains unknown.

Patches released in February

Qihoo said its researchers notified DrayTek about both zero-days once they detected attacks; however, their first alert was sent through an incorrect channel and was never seen by DrayTek's staff.

The vendor did eventually learn of the two zero-days after Group B's attacks in January and released firmware patches on February 10. DrayTek even went out of its way to release a firmware patch for a now-discontinued router model.

According to Qihoo, attacks have been observed against DrayTek Vigor 2960, 3900, and 300B.

Using the BinaryEdge search engine, ZDNet was able to find more than 978,000 DrayTek Vigor devices on the internet, although Qihoo says that only around 100,000 of these are running a firmware version that's vulnerable to attacks.
