Original Post from Security Affairs
Author: Pierluigi Paganini
Experts from Qihoo 360’s NetLab recently spotted two zero-day campaigns targeting DrayTek enterprise-grade networking devices.
Since December 2019, researchers from Qihoo 360 observed two different attack groups that are employing two zero-days exploits to take over DrayTek enterprise routers to eavesdrop on FTP and email traffic inside corporate networks.
While Netlab360 has found
“From December 4, 2019, 360Netlab Threat Detection System has observed two different attack groups using two 0-day vulnerabilities of DrayTek Vigor enterprise routers and switch devices to conduct a series of attacks, including eavesdropping on device’s network traffic, running SSH services on high ports, creating system backdoor accounts, and even creating a specific Malicious Web Session backdoor.” reads the report published by Qihoo 360.
The two critical remote command injection vulnerabilities tracked as CVE-2020-8515 affect DrayTek Vigor network devices, including enterprise switches, routers, load-balancers, and VPN gateway.
On February 10, 2020, the Taiwanese manufacturer DrayTek issued a security bulletin to address the vulnerability with the release of the firmware program 1.5.1.
“On Jan 30th we became aware of a possible exploit of the Vigor2960/3900/300B related to the WebUI. It was identified during testing and reported to us. On the 6th Feb, we released an updated firmware to address this issue.” reads the security bulletin.
“You should upgrade as soon as possible to 1.5.1 firmware or later. If you have remote access enabled on your router, disable it if you don’t need it, and use an access control list if possible. If you have not updated the firmware yet, disable remote access (admin) and SSL VPN. The ACL does not apply to SSL VPN connections (Port 443) so you should also temporarily disable SSL VPN until you have updated the firmware.
The issue only affects the Vigor 3900 / 2960 / 300B and is not known to affect any other DrayTek products.”
The two zero-day vulnerability command injection points are
According to the experts, while the first group of hackers exploited the issues to spy on the network traffic.
The second group of hackers employed the
create2 sets of Web Session backdoorsthat never expires in the file /var/session . json; createSSH backdoorson TCP / 22335 and TCP / 32459; adda system backdoor account wuwuhanhan:caonimuqin.
Experts pointed out that even after reinstalling the firmware update, it won’t remove backdoor accounts created by attackers.
“We recommend that DrayTek Vigor users check and update their firmwares in a timely manner, and check whether there is a
“We recommend the following
Experts published a list of Indicators of Compromise (IoCs) that could be checked to determine
The following firmware versions are impacted:
- Vigor2960 < v1.5.1
- Vigor300B < v1.5.1
- Vigor3900 < v1.5.1
- VigorSwitch20P2121 <= v2.3.2
- VigorSwitch20G1280 <= v2.3.2
- VigorSwitch20P1280 <= v2.3.2
- VigorSwitch20G2280 <= v2.3.2
- VigorSwitch20P2280 <= v2.3.2
Technical details on the vulnerabilities have been described here by an independent researcher.
The post Hackers target zero-day flaws in enterprise Draytek network devices appeared first on Security Affairs.
Go to Source
Author: Pierluigi Paganini