Zero-Day bugs in Draytek devices exploited to target enterprise network


Two new zero-day cyber attack campaigns were spotted in the wild targeting enterprise networking devices manufactured by Taiwan-based DrayTek.

The vulnerabilities which were discovered by the security researchers at Qihoo 360’s NetLab are two critical remote command injection vulnerabilities tracked as CVE-2020-8515.

It was reported that at least two separate groups of hackers have exploited these flaws that affects the DrayTek Vigor enterprise switches, load-balancers, routers and VPN gateway devices to eavesdrop on network traffic and install backdoors.

The zero-day attacks were started almost last year end and are potentially still ongoing against thousands of publicly exposed DrayTek switches, Vigor 2960, 3900, 300B devices which are not yet patched with the latest firmware updates released last month.

The zero-day vulnerabilities can be exploited by any unauthorized remote attackers to inject and execute arbitrary commands on the system.

As per the report, the two 0-day vulnerability command injection points are keyPath and rtick, located in the /www/cgi-bin/mainfunction.cgi, and the corresponding Web Server program is /usr/sbin/lighttpd.”

The hacking groups are not yet specified but the NetLab researchers confirmed that the first group simply spied on the network traffic and the second group used rtick command injection vulnerability to create:

  • the web-session backdoor that never expires,
  • SSH backdoor on TCP ports 22335 and 32459,
  • system backdoor account with user “wuwuhanhan” and password “caonimuqin.”

Those users who have recently installed the patched firmware or are installing now must note that it won’t remove backdoor accounts automatically in case you are already compromised.

The DrayTek Vigor users are recommended to check and update their firmware regularly and check whether there is a tcpdump process, SSH backdoor account, Web Session backdoor, etc. on their systems.

The company advises that those users who have enabled remote access on the router must disable it if not required and use an access control list if possible.

All  the affected users must install the latest firmware updates in order to completely protect their valuable networks against malware and attacks..

Priyanka R
Cyber Security Enthusiast, Security Blogger, Technical Editor, Author at Cyber Safe News

    Chubb Cyber insurer affected by Maze ransomware attack

    Previous article

    Local news sites used to install spyware on iPhones

    Next article

    You may also like


    Leave a reply

    Your email address will not be published. Required fields are marked *