DrayTek Corp.

DrayTek Corp.

Since December 2019, a mysterious hacker group had taken over DrayTek enterprise routers to eavesdrop on FTP and email traffic inside corporate networks.

Two different threat actors exploited a different zero-day vulnerability in DrayTek Vigor.

Of the two hacker groups, the first which was identified as "Attack Group A", appeared to be the more sophisticated of the two.

Attack Group A hacked the RSA-encrypted login mechanism of DrayTek devices to hide malicious code inside the router's username login field granting the hackers control over the router.

The hackers deployed a script that recorded traffic coming over port 21 (FTP - file transfer), port 25 (SMTP - email), port 110 (POP3 - email), and port 143 (IMAP - email).

DrayTek devices had also been abused by a second group, "Attack Group B."

The hackers began exploiting it two days later.

The hackers used this second zero-day to execute code on vulnerable DrayTek devices by exploiting a bug in the "rtick" process to create backdoor accounts on the hacked routers.

Source: https://www.zdnet.com/article/a-mysterious-hacker-group-is-eavesdropping-on-corporate-ftp-and-email-traffic/

"id": "DRA139221222",
"linkid": "draytek-corp-",
"type": "Vulnerability",
"date": "12/2019",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.