A mysterious hacker group is eavesdropping on corporate email and FTP traffic

栏目: IT技术 · 发布时间: 3年前

内容简介:Since at least early December 2019, a mysterious hacker group has been taking over DrayTek enterprise routers to eavesdrop on FTP and email traffic inside corporate networks, Chinese security firm Qihoo 360 said today.In aOf the two hacker groups, the firs

Since at least early December 2019, a mysterious hacker group has been taking over DrayTek enterprise routers to eavesdrop on FTP and email traffic inside corporate networks, Chinese security firm Qihoo 360 said today.

In a report published on the blog of its network security division Netlab, Qihoo said its researchers detected two different threat actors, each exploiting a different zero-day vulnerability in DrayTek Vigor -- load-balancing routers and VPN gateways typically deployed on enterprise networks.

Attack Group A -- stealing FTP and email traffic

Of the two hacker groups, the first -- identified only as "Attack Group A" -- appears to be, by far, the more sophisticated of the two.

According to Qihoo, the group popped up on their radar on December 4, last year, when they detected a pretty complex attack on DrayTek devices.

Qihoo says Attack Group A abused a vulnerability in the RSA-encrypted login mechanism of DrayTek devices to hide malicious code inside the router's username login field.

When a DrayTek router received and then decrypted the boobytrapped RSA-encrypted login data, it ran the malicious code and granted the hackers control over the router.

But here's where things got weird. Instead of abusing the device to launch DDoS attacks or re-route traffic as part of a proxy network, the hackers turned into a spy-box.

Researchers say the hackers deployed a script that recorded traffic coming over port 21 (FTP - file transfer), port 25 (SMTP - email), port 110 (POP3 - email), and port 143 (IMAP - email).

Then, on every Monday, Wednesday, and Friday at 0:00, the script would upload all the recorded traffic to a remote server.

Qihoo researchers didn't speculate why hackers were collecting FTP and email traffic. But speaking to ZDNet over the phone, a security researcher pointed out that this looked like a classic reconnaissance operation.

"All four protocols are cleartext. It's obvious they're logging traffic to collect login credentials for FTP and email accounts," the researcher told ZDNet. "Those creds are flying unencrypted over the network. They're easy pickings."

***The researcher didn't want his name shared for this article as he was not authorized to speak to the press without his employer's PR department approval.

Furthermore, ZDNet also understands from another industry source that the group's hacking campaign has not gone unnoticed and has been kept under observation by other cyber-security firms. However, Attack Group A doesn't share any server infrastructure or malware samples with any other known hacking group -- so this, for now, appears to be a new group.

Attack Group B -- creating backdoor accounts

But DrayTek devices have also been abused by a second group, which Qihoo codenamed "Attack Group B."

This group used a different zero-day, but the hackers didn't discover it themselves. Instead, the zero-day was first described in a January 26 post on the Skull Army blog , and the hackers began exploiting it two days later.

Per Qihoo, the hackers used this second zero-day to execute code on vulnerable DrayTek devices by exploiting a bug in the "rtick" process to create backdoor accounts on the hacked routers. What they did with those accounts remains unknown.

Patches released in February

Qihoo said its researchers notified DrayTek about both zero-days once they detected attacks; however, their first alert was sent through an incorrect channel and was never seen by DrayTek's staff.

The vendor did eventually learned of the two zero-days after Group B's attacks in January and released firmware patches on February 10. DrayTek even went out of its way to release a firmware patch for a now-discontinued router model.

According to Qihoo, attacks have been observed against DrayTek Vigor 2960 , 3900 , and 300B .

Using the BinaryEdge search engine, ZDNet was able to find more than 978,000 DrayTek Vigor devices on the internet, although, Qihoo says that only around 100,000 of these are running a firmware version that's vulnerable to attacks.


以上就是本文的全部内容,希望对大家的学习有所帮助,也希望大家多多支持 码农网

查看所有标签

猜你喜欢:

本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们

安全之美

安全之美

Andy Oram、John Viega / 徐 波、沈晓斌 / 机械工业出版社华章公司 / 2011-4-28 / 65.00元

“这本深思熟虑的论文集(《安全之美》)帮助读者摆脱安全领域闪烁着欺骗光芒的心理恐惧,转而欣赏安全的微妙美感。本书描述了安全的阴和阳,以及引人注目的破坏性和闪亮光辉的建设者之间剑拔弩张的气氛。” ——Gary McGraw,Cigital公司CTO,《Software Security》及其他9本书的作者 大多数人不会太关注安全问题,直到他们的个人或商业系统受到攻击。这种发人深省的现象证......一起来看看 《安全之美》 这本书的介绍吧!

JS 压缩/解压工具
JS 压缩/解压工具

在线压缩/解压 JS 代码

HTML 编码/解码
HTML 编码/解码

HTML 编码/解码

Base64 编码/解码
Base64 编码/解码

Base64 编码/解码