Threat actors have been exploiting a couple of vulnerabilities affecting some DrayTek enterprise routers in attacks that started before patches were released by the vendor.
DrayTek is a Taiwan-based manufacturer of networking equipment, including routers, firewalls, broadband customer premises equipment (CPE), and VPN devices.
In early December 2019, researchers at the Network Security Research Lab of Chinese cybersecurity firm Qihoo 360 noticed that some DrayTek Vigor routers had been targeted in attacks exploiting a vulnerability which at the time had a zero-day status. Researchers then noticed on January 28 that a second zero-day flaw affecting DrayTek Vigor routers had been exploited in attacks by a different threat group.
Both vulnerabilities are tracked as CVE-2020-8515. They are command injection flaws in the rtick and keyPath fields. Qihoo 360 researchers disclosed technical details about the flaws and the attacks on Friday.
Qihoo 360 unsuccessfully attempted to notify DrayTek of the attacks exploiting the first vulnerability in early December. However, the vendor said it only became aware of the flaws and exploitation attempts on January 30, after another researcher independently discovered one of the vulnerabilities. DrayTek patched the security holes on February 6 with the release of firmware version 1.5.1.
According to DrayTek, the flaws impact its Vigor300B load balancing routers, its Vigor2960 VPN gateways, and its Vigor3900 routers. The Vigor3900 routers have been discontinued, but the vendor has still released patches for these devices.
“If you have remote access enabled on your router, disable it if you don’t need it, and use an access control list if possible. If you have not updated the firmware yet, disable remote access (admin) and SSL VPN. The ACL does not apply to SSL VPN connections (Port 443) so you should also temporarily disable SSL VPN until you have updated the firmware,” DrayTek said in an advisory published on February 10.
According to Qihoo 360, one threat group exploited the keyPath command injection vulnerability to download a script to affected devices. This script then fetched and executed a second script that allowed the attackers to eavesdrop on the victim’s network, specifically targeting ports associated with FTP and email protocols such as SMTP, POP3, and IMAP. The hackers collected data that they uploaded to their server every Monday, Wednesday and Friday.
The second threat actor exploited the rtick command injection flaw to create SSH backdoors.
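A defender reviewing router or reverse-proxy access logs for the two injection points described above (keyPath and rtick) can flag any request in which those fields carry shell metacharacters, since legitimate values are plain identifiers. The example below is added here and is not from the article, Qihoo 360 or DrayTek; it assumes common-log-format lines in which the fields appear in the logged request line (the endpoint path and log lines are constructed placeholders).

```python
import re
from urllib.parse import urlsplit, parse_qs

# Fields named in the CVE-2020-8515 write-up; their legitimate values are
# plain identifiers, so a shell metacharacter in either one is suspicious.
SUSPECT_FIELDS = ("keyPath", "rtick")
SHELL_META = re.compile(r"[`$;|&\n]")

# Common-log-format request line: client, timestamp, "METHOD target proto", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def check_line(line):
    """Return (client_ip, field, decoded_value) when a keyPath or rtick
    value contains shell metacharacters, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # URL-decode the query string so encoded metacharacters (%60, %24) are seen.
    params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    for field in SUSPECT_FIELDS:
        for value in params.get(field, []):
            if SHELL_META.search(value):
                return (m.group("ip"), field, value)
    return None


def scan(lines):
    """Run check_line over an iterable of log lines and collect the hits."""
    return [hit for hit in (check_line(l) for l in lines) if hit]


# Constructed sample lines (assumed endpoint name; not from any real capture).
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Jan/2020:10:01:02 +0000] "GET /cgi-bin/example.cgi?keyPath=abc&rtick=12345 HTTP/1.1" 200',
    '198.51.100.9 - - [28/Jan/2020:10:02:15 +0000] "POST /cgi-bin/example.cgi?keyPath=%60id%60 HTTP/1.1" 200',
    '198.51.100.9 - - [28/Jan/2020:10:03:44 +0000] "POST /cgi-bin/example.cgi?rtick=%24%28id%29 HTTP/1.1" 200',
]

if __name__ == "__main__":
    for ip, field, value in scan(SAMPLE_LOG):
        print(f"suspect {field} value from {ip}: {value!r}")
```

The first constructed line carries benign values and is not reported; the second and third are flagged once the encoded backtick and `$(` are decoded.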
A Shodan search for each of the impacted products currently shows a few thousand results across the world, but some of these internet-exposed devices are already running a patched version of the firmware.
This is not the first time malicious actors have targeted DrayTek routers using zero-day vulnerabilities. Back in 2018, the vendor released firmware updates for many of its Vigor routers after hackers had started exploiting a weakness to change the DNS settings of impacted devices.