Hackers Have Been Actively Exploiting DrayTek Equipment Zero Days

  • DrayTek equipment was under active exploitation between December 2019 and February 2020.
  • The network equipment vendor has released a fixing firmware update and advised everyone to apply it.
  • Two individual hacking groups exploited the flaw, one for eavesdropping and the other for backdoor planting.

Researchers of the Qihoo 360 NetLab report that at least two separate hacking groups are actively exploiting zero-day flaws that affect various DrayTek network devices. The associated vulnerability that was assigned the identifier “CVE-2020-8515” concerns the possibility of launching remote code execution (RCE) attacks as root via shell metacharacters to the cgi-bin/mainfunction.cgi URI, without having to authenticate as the admin.

DrayTek is a Taiwan-based manufacturer of CPE (Customer Premises Equipment) products that are used by companies and organizations from around the world. A security expert who searched on Shodan back in January found 710,029 Draytek host deployments globally. The affected DrayTek products include enterprise switches, load-balancers, routers, and VPN gateway devices using older firmware versions. Simply put, the attackers can exploit the flaw to eavesdrop on the network traffic, run SSH services on high ports, and create web session and system backdoor accounts.

The researchers report that they first noticed these attacks on December 4, 2019, and they disclosed it on Twitter towards the end of the year without mentioning the victimized vendor. On February 10, 2020, DrayTek released firmware version 1.5.1, which plugged the RCE hole. The list of affected products with the vulnerable firmware versions is given below.

  • Vigor 2960 < v1.5.1
  • Vigor 300B < v1.5.1
  • Vigor 3900 < v1.5.1
  • Vigor Switch 20P2121 <= v2.3.2
  • Vigor Switch 20G1280 <= v2.3.2
  • Vigor Switch 20P1280 <= v2.3.2
  • Vigor Switch 20G2280 <= v2.3.2
  • Vigor Switch 20P2280 <= v2.3.2

The 360 NetLabs report names the hackers as “Attack Group A” and “Attack Group B,” so there has been no specific attribution. The first actor executed a script used to eavesdrop all network interfaces on the target DrayTek Vigor device, listening on the ports 21, 25, 110, and 143. A crontab process would then upload the captured network traffic packets three times a week. The second actor went a step further, planting two sets of Web Session backdoors that never expire, SSH backdoors on TCP, and a system backdoor account. The Web Session backdoor is setting a “updatetime” parameter to “0”, and the “Auto-Logout” to “disable.”

Source: NetLab360 Blog

To mitigate this risk, you are advised to apply the firmware updates as soon as possible and then check for any backdoors in your systems. Also, the presence of a tcpdump process would indicate that you’re being exploited. If upgrading the firmware is impossible for any reason, you should temporarily disable remote admin access and SSL VPN, and use an access control list instead.



Mob Psycho 100 Season 3: Release Date, Teaser, Poster and Where to Watch!

Mob Psycho 100 season 3 has finally been confirmed by the series’ official Twitter account, along with the release of a new...

GPSD Bugs Set to Roll Back Clocks to 2002 on Sunday

A GPSD bug will make apps roll back to 2002 on Sunday, 24th November 2021.The bug comes from a mistaken code put...

Ransomware Attacks Perpetrated via Vulnerability in BillQuick Billing Software

A critical vulnerability that allowed remote code injection was discovered in multiple versions of the relatively popular BillQuick billing software.The exploit comes...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari