Since at least December 4, 2019, two separate hacker groups have been exploiting two critical remote command injection vulnerabilities in malicious campaigns targeting enterprise-grade networking devices manufactured by Taiwan-based DrayTek, cybersecurity researchers from Qihoo 360's NetLab revealed.
According to the report, the threat actors leveraged the CVE-2020-8515 flaw, which affects DrayTek Vigor enterprise switches, load balancers, routers and VPN gateway devices, to conduct a series of attacks, including snooping on the device's network traffic, running SSH services on high ports, creating system backdoor accounts, and even planting a specific malicious web session backdoor.
The vulnerabilities in question can be exploited by an unauthorized remote attacker to inject and execute arbitrary commands on the system.
"The two 0-day vulnerability command injection points are keyPath and rtick, located in the /www/cgi-bin/mainfunction.cgi, and the corresponding Web Server program is /usr/sbin/lighttpd," according to the researchers.
The NetLab team has not attributed the attacks to any particular hacker group, codenaming the threat actors only as "Group A" and "Group B".
While the first group used the keyPath command injection vulnerability to download and execute a script designed to eavesdrop on network traffic, the second one used the rtick command injection vulnerability to create two sets of web session backdoors, SSH backdoors, and a system backdoor account "wuwuhanhan:caonimuqin".
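As an added example, not code from the NetLab report or from DrayTek, the following detector flags requests to the CGI path named above whose keyPath or rtick parameter carries shell metacharacters, which is the pattern a defender would hunt for in web-server or proxy logs. The log format, IP addresses and parameter values are constructed; it assumes the request parameters are visible in the log line, which holds for query strings but not for POST bodies unless a proxy or WAF records them.

```python
"""Flag requests hitting the keyPath/rtick injection points of mainfunction.cgi.
Added example; the log format and sample lines below are constructed."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

VULN_CGI = "/cgi-bin/mainfunction.cgi"          # path named in the NetLab report
INJECTION_PARAMS = {"keypath", "rtick"}         # the two injection points
# Characters that let a value escape the intended argument into a shell.
SHELL_META = re.compile(r"[;|&`\n\r]|\$\(|\$\{|\|\|")

# Constructed log format (assumption): "<client-ip> <method> <request-target>"
LOG_RE = re.compile(r"^(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+(?P<target>\S+)$")


def analyse_request(target: str):
    """Return (param, decoded_value) for the first suspicious injection-point
    parameter in a request target, or None if the request looks benign."""
    parts = urlsplit(target)
    if parts.path != VULN_CGI:
        return None
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in INJECTION_PARAMS:
            decoded = unquote(value)  # second pass catches double-encoded values
            if SHELL_META.search(decoded):
                return (name, decoded)
    return None


def scan_log(lines):
    """Return [(ip, param, value), ...] for every log line that hits an injection point."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these
        found = analyse_request(m.group("target"))
        if found:
            hits.append((m.group("ip"), *found))
    return hits


# Constructed sample log: one benign request, two with shell metacharacters in the
# injection-point parameters, and one aimed at an unrelated CGI (ignored).
SAMPLE_LOG = [
    "192.0.2.10 GET /cgi-bin/mainfunction.cgi?action=login&keyPath=normal",
    "192.0.2.11 POST /cgi-bin/mainfunction.cgi?action=login&keyPath=%3B%20id",
    "192.0.2.12 GET /cgi-bin/mainfunction.cgi?rtick=%24%28id%29",
    "192.0.2.13 GET /cgi-bin/other.cgi?keyPath=%3Bid",
]

if __name__ == "__main__":
    for ip, param, value in scan_log(SAMPLE_LOG):
        print(f"{ip} -> suspicious {param}={value!r}")
```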
The researchers said attacks have been observed against DrayTek Vigor 2960, 3900, and 300B.
After Qihoo informed DrayTek of the ongoing attacks, the manufacturer released a security bulletin and a firmware fix.