Pierluigi Paganini March 28, 2020

Experts from Qihoo 360’s NetLab recently spotted two zero-day campaigns targeting DrayTek enterprise-grade networking devices.

Since December 2019, researchers from Qihoo 360 observed two different attack groups that are employing two zero-days exploits to take over DrayTek enterprise routers to eavesdrop on FTP and email traffic inside corporate networks.

While Netlab360 has found about ~100,000 devices online, independent researchers speculate the number could be higher.

“From December 4, 2019, 360Netlab Threat Detection System has observed two different attack groups using two 0-day vulnerabilities of DrayTek Vigor enterprise routers and switch devices to conduct a series of attacks, including eavesdropping on device’s network traffic, running SSH services on high ports, creating system backdoor accounts, and even creating a specific Malicious Web Session backdoor.” reads the report published by Qihoo 360.

The two critical remote command injection vulnerabilities tracked as CVE-2020-8515 affect DrayTek Vigor network devices, including enterprise switches, routers, load-balancers, and VPN gateway.

On February 10, 2020, the Taiwanese manufacturer DrayTek issued a security bulletin to address the vulnerability with the release of the firmware program 1.5.1.

“On Jan 30th we became aware of a possible exploit of the Vigor2960/3900/300B related to the WebUI. It was identified during testing and reported to us. On the 6th Feb, we released an updated firmware to address this issue.” reads the security bulletin.

“You should upgrade as soon as possible to 1.5.1 firmware or later. If you have remote access enabled on your router, disable it if you don’t need it, and use an access control list if possible. If you have not updated the firmware yet, disable remote access (admin) and SSL VPN. The ACL does not apply to SSL VPN connections (Port 443) so you should also temporarily disable SSL VPN until you have updated the firmware.

The issue only affects the Vigor 3900 / 2960 / 300B and is not known to affect any other DrayTek products.”

The attacks are still ongoing, hackers are attempting to compromise publicly exposed DrayTek enterprise switches, Vigor 2960, 3900, 300B devices that haven’t yet been patched.

The two zero-day vulnerability command injection points are keyPath and rtick, which are located in the /www/cgi-bin/mainfunction.cgi, and the corresponding Web Server program is /usr/sbin/lighttpd.

According to the experts, while the first group of hackers exploited the issues to spy on the network traffic.

The second group of hackers employed the rtick command injection vulnerability to:

• create 2 sets of Web Session backdoors that never expires in the file /var/session.json;
• create SSH backdoors on TCP / 22335 and TCP / 32459;
• add a system backdoor account wuwuhanhan:caonimuqin.

Experts pointed out that even after reinstalling the firmware update, it won’t remove backdoor accounts created by attackers.

“We recommend that DrayTek Vigor users check and update their firmwares in a timely manner, and check whether there is a tcpdump process, SSH backdoor account, Web Session backdoor, etc on their systems.” continues the experts.

“We recommend the following IoCs to be monitored and blocked on the networks where it is applicable.”

Experts published a list of Indicators of Compromise (IoCs) that could be checked to determine whether a device has been compromised.

The following firmware versions are impacted:

• Vigor2960 < v1.5.1
• Vigor300B < v1.5.1
• Vigor3900 < v1.5.1
• VigorSwitch20P2121 <= v2.3.2
• VigorSwitch20G1280 <= v2.3.2
• VigorSwitch20P1280 <= v2.3.2
• VigorSwitch20G2280 <= v2.3.2
• VigorSwitch20P2280 <= v2.3.2

Technical details on the vulnerabilities have been described here by an independent researcher.

Pierluigi Paganini

(SecurityAffairs – DrayTek, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]