Hackers Have Been Actively Exploiting DrayTek Equipment Zero Days

By Bill Toulas / March 28, 2020

Researchers of the Qihoo 360 NetLab report that at least two separate hacking groups are actively exploiting zero-day flaws that affect various DrayTek network devices. The associated vulnerability that was assigned the identifier “CVE-2020-8515” concerns the possibility of launching remote code execution (RCE) attacks as root via shell metacharacters to the cgi-bin/mainfunction.cgi URI, without having to authenticate as the admin.

DrayTek is a Taiwan-based manufacturer of CPE (Customer Premises Equipment) products that are used by companies and organizations from around the world. A security expert who searched on Shodan back in January found 710,029 Draytek host deployments globally. The affected DrayTek products include enterprise switches, load-balancers, routers, and VPN gateway devices using older firmware versions. Simply put, the attackers can exploit the flaw to eavesdrop on the network traffic, run SSH services on high ports, and create web session and system backdoor accounts.

The researchers report that they first noticed these attacks on December 4, 2019, and they disclosed it on Twitter towards the end of the year without mentioning the victimized vendor. On February 10, 2020, DrayTek released firmware version 1.5.1, which plugged the RCE hole. The list of affected products with the vulnerable firmware versions is given below.

The 360 NetLabs report names the hackers as “Attack Group A” and “Attack Group B,” so there has been no specific attribution. The first actor executed a script used to eavesdrop all network interfaces on the target DrayTek Vigor device, listening on the ports 21, 25, 110, and 143. A crontab process would then upload the captured network traffic packets three times a week. The second actor went a step further, planting two sets of Web Session backdoors that never expire, SSH backdoors on TCP, and a system backdoor account. The Web Session backdoor is setting a “updatetime” parameter to “0”, and the “Auto-Logout” to “disable.”


Source: NetLab360 Blog

To mitigate this risk, you are advised to apply the firmware updates as soon as possible and then check for any backdoors in your systems. Also, the presence of a tcpdump process would indicate that you’re being exploited. If upgrading the firmware is impossible for any reason, you should temporarily disable remote admin access and SSL VPN, and use an access control list instead.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: