DrayTek Corp.

Since December 2019, a mysterious hacker group had taken over DrayTek enterprise routers to eavesdrop on FTP and email traffic inside corporate networks.

Two different threat actors each exploited a separate zero-day vulnerability in DrayTek Vigor routers.

Of the two hacker groups, the first, identified as "Attack Group A", appeared to be the more sophisticated.

Attack Group A abused the RSA-encrypted login mechanism of DrayTek devices, hiding malicious code inside the router's username login field, which gave the hackers control over the router.

The hackers deployed a script that recorded traffic coming over port 21 (FTP - file transfer), port 25 (SMTP - email), port 110 (POP3 - email), and port 143 (IMAP - email).

DrayTek devices had also been abused by a second group, "Attack Group B."

This group began exploiting a second zero-day two days later.

The hackers used this second zero-day to execute code on vulnerable DrayTek devices, exploiting a bug in the "rtick" process to create backdoor accounts on the compromised routers.

Source: https://www.zdnet.com/article/a-mysterious-hacker-group-is-eavesdropping-on-corporate-ftp-and-email-traffic/

"id": "DRA139221222",
"linkid": "draytek-corp-",
"type": "Vulnerability",
"date": "12/2019",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"