Since at least early December 2019, a mysterious hacker group has been taking over DrayTek enterprise routers to eavesdrop on FTP and email traffic inside corporate networks. In a report published on the blog of its network security division Netlab, Qihoo said its researchers detected two different threat actors, each exploiting a different zero-day vulnerability in DrayTek Vigor — load-balancing routers and VPN gateways typically deployed on enterprise networks. The hackers abused a vulnerability in the RSA-encrypted login mechanism of DrayTek devices to hide malicious code inside the router’s username login field. When a DrayTek router received and then decrypted the boobytrapped RSA-encrypted login data, it ran the malicious code and granted the hackers control over the router. Instead of abusing the device to launch DDoS attacks or re-route traffic as part of a proxy network, the hackers turned into a spy-box. Researchers say the hackers deployed a script that recorded traffic coming over port 21 (FTP – file transfer), port 25 (SMTP – email), port 110 (POP3 – email), and port 143 (IMAP – email).