30 March 2020

At least two hacker groups exploit critical flaws in DrayTek devices to target enterprises

Since at least December 4, 2019, two separate hacker groups have been exploiting two critical remote command injection vulnerabilities in malicious campaigns targeting enterprise-grade networking devices manufactured by Taiwan-based DrayTek, cybersecurity researchers from Qihoo 360's NetLab revealed.

According to the report, the threat actors leveraged CVE-2020-8515, a flaw affecting DrayTek Vigor enterprise switches, load-balancers, routers and VPN gateway devices, to conduct a series of attacks, including snooping on the devices' network traffic, running SSH services on high ports, creating system backdoor accounts, and even creating a specific malicious Web Session backdoor.

The vulnerabilities in question can be exploited by an unauthenticated remote attacker to inject and execute arbitrary commands on the system.

"The two 0-day vulnerability command injection points are keyPath and rtick, located in the /www/cgi-bin/mainfunction.cgi, and the corresponding Web Server program is /usr/sbin/lighttpd," according to the researchers.

The NetLab team has not attributed the attacks to any particular hacker group, codenaming the threat actors only as “Group A” and “Group B”.

While the first group used the keyPath command injection vulnerability to download and execute a script designed to eavesdrop on the network traffic, the second used the rtick command injection vulnerability to create two sets of Web Session backdoors, SSH backdoors, and a system backdoor account “wuwuhanhan:caonimuqin”.
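As an added defender-side example (not code from the report, NetLab or DrayTek), the Python below scans web-server access-log lines for requests to mainfunction.cgi whose keyPath or rtick parameter carries shell metacharacters, and checks passwd content for the backdoor account named above. It assumes the parameters appear in the logged query string and that the CGI is served at /cgi-bin/mainfunction.cgi; the log lines, passwd content and metacharacter heuristic are constructed for the example.

```python
"""Flag access-log requests that hit the keyPath/rtick injection points of
mainfunction.cgi with shell metacharacters, and look for the reported backdoor
account in passwd content. All sample data here is constructed, not captured."""
import re
from urllib.parse import parse_qs, urlsplit

INJECTION_PARAMS = {"keyPath", "rtick"}  # injection points named in the report
BACKDOOR_ACCOUNT = "wuwuhanhan"          # backdoor username named in the report
# Heuristic (assumption): shell metacharacters have no legitimate place in these parameters.
META = re.compile(r"[;|&`$\n\r]|\$\(")
# Combined log format: client, identity, user, [time], "request line", status, size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def find_injection_attempts(log_lines):
    """Return (client_ip, parameter, decoded_value) for each request to /cgi-bin/mainfunction.cgi
    whose keyPath or rtick value contains shell metacharacters (assumes query-string parameters)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/cgi-bin/mainfunction.cgi"):
            continue
        for name, values in parse_qs(url.query, keep_blank_values=True).items():
            if name in INJECTION_PARAMS:
                for value in values:  # parse_qs already percent-decodes
                    if META.search(value):
                        hits.append((m.group("ip"), name, value))
    return hits

def backdoor_accounts(passwd_text):
    """Return usernames matching the reported backdoor account or any extra UID-0 user besides root."""
    found = []
    for entry in passwd_text.splitlines():
        fields = entry.split(":")
        if len(fields) >= 7 and (fields[0] == BACKDOOR_ACCOUNT or (fields[2] == "0" and fields[0] != "root")):
            found.append(fields[0])
    return found

# Constructed sample data (not real captures); RFC 5737 documentation addresses as clients.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Dec/2019:10:14:02 +0000] "GET /cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0Aconstructed%0A%27 HTTP/1.1" 200 512',
    '198.51.100.9 - - [05/Dec/2019:10:15:11 +0000] "GET /cgi-bin/mainfunction.cgi?action=login&keyPath=normal HTTP/1.1" 200 512',
    '192.0.2.4 - - [06/Dec/2019:03:20:45 +0000] "GET /cgi-bin/mainfunction.cgi?rtick=123%3Bconstructed%3B HTTP/1.1" 200 88',
    '192.0.2.5 - - [06/Dec/2019:03:21:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]
SAMPLE_PASSWD = "root:x:0:0:root:/:/bin/sh\nadmin:x:1000:1000::/home/admin:/bin/sh\nwuwuhanhan:x:0:0::/:/bin/sh\n"
```

Running `find_injection_attempts(SAMPLE_LOG)` on the constructed data flags the first and third requests only; the same functions can be pointed at real lighttpd logs and a copy of the device's passwd file.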

The researchers said attacks have been observed against DrayTek Vigor 2960, 3900, and 300B.

After Qihoo informed DrayTek about the ongoing attacks, the manufacturer released a security bulletin and a firmware fix.
