Experts Insight On A Mysterious Hacker Group Is Eavesdropping On Corporate Email And FTP Traffic

Since at least early December 2019, a mysterious hacker group has been taking over DrayTek enterprise routers to eavesdrop on FTP and email traffic inside corporate networks. In a report published on the blog of its network security division Netlab, Qihoo said its researchers detected two different threat actors, each exploiting a different zero-day vulnerability in DrayTek Vigor — load-balancing routers and VPN gateways typically deployed on enterprise networks. The hackers abused a vulnerability in the RSA-encrypted login mechanism of DrayTek devices to hide malicious code inside the router's username login field. When a DrayTek router received and then decrypted the booby-trapped RSA-encrypted login data, it ran the malicious code and granted the hackers control over the router. Instead of abusing the device to launch DDoS attacks or re-route traffic as part of a proxy network, the hackers turned it into a spy-box. Researchers say the hackers deployed a script that recorded traffic coming over port 21 (FTP – file transfer), port 25 (SMTP – email), port 110 (POP3 – email), and port 143 (IMAP – email).


EXPERTS COMMENTS
James McQuiggan, Security Awareness Advocate, KnowBe4
March 31, 2020
It's important to make sure they are aware of updates when they become available for those products.
It's a common rule of thumb in cybersecurity for organizations to be aware of the products utilized for their infrastructure, systems and applications. It's important to make sure they are aware of updates when they become available for those products and to implement a change control process and patch program to fix any known vulnerabilities. With this particular exploit, the developer release ....
Richard Bejtlich, Principal Security Strategist, Corelight
March 31, 2020
There are encrypted alternatives for all of them.
The four TCP ports reported in this story are unencrypted communications channels. There are encrypted alternatives for all of them. If organizations remove these unencrypted protocols from their environment, they would mitigate the consequences of this threat actor's current mode of operation. ....
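The attack described above recorded traffic on ports 21, 25, 110 and 143, and the comment above points out that every one of those is a cleartext protocol with an encrypted replacement. The script below is an added example, not part of the article or of either expert's comment: it takes constructed connection-log lines (the log format, IP addresses and timestamps are assumptions made for this example), flags every flow to one of the four cleartext ports, and prints an inventory of which internal hosts still use them together with the encrypted alternative an administrator would migrate them to. That inventory is the starting point for removing these protocols from the environment, as the comment recommends.

```python
"""Inventory cleartext FTP/SMTP/POP3/IMAP flows from connection logs.

Added example (not from the article or the quoted experts). Reads
constructed connection-log lines and reports which internal hosts still
use the four unencrypted ports the article names (21, 25, 110, 143),
together with the encrypted alternative to migrate to. The log format
and host addresses are assumptions made for this example.
"""
from collections import defaultdict

# The four cleartext ports named in the article, mapped to the encrypted
# replacement an administrator would typically migrate to.
CLEARTEXT_PORTS = {
    21: ("FTP", "SFTP (22) or FTPS (990)"),
    25: ("SMTP", "SMTP with STARTTLS (587) or SMTPS (465)"),
    110: ("POP3", "POP3S (995)"),
    143: ("IMAP", "IMAPS (993)"),
}

# Constructed sample connection log: "timestamp src_ip dst_ip dst_port proto".
# Addresses and times are made up for this example; one line is deliberately
# malformed to show that the parser skips it rather than crashing.
SAMPLE_LOG = """\
2020-03-30T08:01:12 10.0.1.15 10.0.2.5 21 tcp
2020-03-30T08:01:40 10.0.1.22 10.0.2.9 993 tcp
2020-03-30T08:02:03 10.0.1.15 10.0.2.9 143 tcp
2020-03-30T08:02:10 10.0.1.31 10.0.2.9 110 tcp
2020-03-30T08:02:55 10.0.1.15 10.0.2.7 25 tcp
2020-03-30T08:03:01 10.0.1.22 10.0.2.7 587 tcp
2020-03-30T08:03:09 10.0.1.15 10.0.2.5 21 tcp
2020-03-30T08:03:30 10.0.1.40 10.0.2.9 443 tcp
this line is malformed and must be skipped
"""


def parse_line(line):
    """Return (src_ip, dst_ip, dst_port) for a TCP log line, or None if malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[4] != "tcp":
        return None
    try:
        port = int(parts[3])
    except ValueError:
        return None
    return parts[1], parts[2], port


def find_cleartext_flows(log_text):
    """Group flows to cleartext ports as {dst_port: {src_ip: flow_count}}."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that do not match the expected format
        src, _dst, port = parsed
        if port in CLEARTEXT_PORTS:
            findings[port][src] += 1
    return {port: dict(hosts) for port, hosts in findings.items()}


def report(findings):
    """Render one summary line per cleartext port, with the migration target."""
    lines = []
    for port in sorted(findings):
        name, alternative = CLEARTEXT_PORTS[port]
        hosts = ", ".join(sorted(findings[port]))
        total = sum(findings[port].values())
        lines.append(
            f"{name}/{port}: {total} flow(s) from {hosts}; migrate to {alternative}"
        )
    return lines


if __name__ == "__main__":
    for summary in report(find_cleartext_flows(SAMPLE_LOG)):
        print(summary)
```

Run against real data, the same logic applies to firewall or NetFlow exports once `parse_line` is adapted to their column layout; the flows on 993, 587 and 443 in the sample are left alone because they are already on encrypted ports, which is the end state the comment describes.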
