Since December 2019, a mysterious hacker group had taken over DrayTek enterprise routers to eavesdrop on FTP and email traffic inside corporate networks.
Two different threat actors each exploited a different zero-day vulnerability in DrayTek Vigor routers.
Of the two hacker groups, the first, identified as "Attack Group A", appeared to be the more sophisticated.
Attack Group A abused the RSA-encrypted login mechanism of DrayTek devices to hide malicious code inside the username field of the router's login form, which granted the hackers control over the router.
The hackers deployed a script that recorded traffic coming over port 21 (FTP - file transfer), port 25 (SMTP - email), port 110 (POP3 - email), and port 143 (IMAP - email).
DrayTek devices had also been abused by a second group, "Attack Group B."
This second group began exploiting its zero-day two days later.
The hackers used this second zero-day to execute code on vulnerable DrayTek devices by exploiting a bug in the "rtick" process, which they used to create backdoor accounts on the hacked routers.
"id": "DRA139221222",
"linkid": "draytek-corp-",
"type": "Vulnerability",
"date": "12/2019",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"