Security researchers at Qihoo 360's NetLab today revealed details of two newly spotted zero-day attack campaigns in the wild targeting enterprise-grade networking devices produced by DrayTek, a company based in Taiwan.

The report says that at least two distinct groups of attackers exploited two serious remote command injection flaws (CVE-2020-8515) affecting DrayTek Vigor enterprise switches, load balancers, routers and VPN gateway devices to eavesdrop on network traffic and install backdoors.

The zero-day attacks, which began at the end of last November or the start of December, are possibly still continuing against a number of publicly exposed DrayTek switches and Vigor 2960, 3900 and 300B devices that have not yet been patched with the firmware updates issued last month.

Any unauthorized remote attacker can exploit the zero-day flaws in question to inject and execute arbitrary commands on the system.

“The two 0-day flaw command injection points are keyPath and rtick, located in the /www/cgi-bin/mainfunction.cgi, and the corresponding Web Server program is /usr/sbin/lighttpd,” the report says.

No particular groups have thus far been attributed by NetLab researchers to either attack, but it is confirmed that while the first group only snooped on network traffic, the second group used the rtick command injection flaw to create a web-session backdoor that never expires, an SSH backdoor on TCP ports 22335 and 32459, and a system backdoor account with username "wuwuhanhan" and password "caonimuqin."

Remember: if you have recently installed the fixed firmware, or are installing it now, it will not automatically remove the backdoor accounts if you are already affected.

“We recommend that DrayTek Vigor users check and update their firmware in a timely manner and check whether there is a tcpdump process, SSH backdoor account, Web Session backdoor, etc. on their systems.”

“If you have remote access enabled on your router, disable it if you don’t need it, and use an access control list if possible,” the company suggests.

The list of affected firmware versions is as follows:

  • Vigor2960 < v1.5.1
  • Vigor300B < v1.5.1
  • Vigor3900 < v1.5.1
  • VigorSwitch20P2121 <= v2.3.2
  • VigorSwitch20G1280 <= v2.3.2
  • VigorSwitch20P1280 <= v2.3.2
  • VigorSwitch20G2280 <= v2.3.2
  • VigorSwitch20P2280 <= v2.3.2
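As an added example (not from the NetLab report or from DrayTek), the following Python script encodes the affected-version table above and scans captured text from a device for the indicators the report names: a `tcpdump` process, the `wuwuhanhan` account, and listeners on TCP 22335 and 32459. The process list, account file and socket table below are constructed samples in common `ps`, `/etc/passwd` and `netstat` layouts; those formats, the `sshd` and `lighttpd` process names in the samples and the helper names are assumptions. The web-session backdoor check depends on the device's own session store and is not modelled here.

```python
"""Triage helper for the DrayTek advisory: version check plus indicator scan.
Added example, not the report's or vendor's code. Sample inputs are constructed."""
import re

# Affected ranges exactly as listed in the report: (comparison, fixed version).
AFFECTED = {
    "Vigor2960": ("<", (1, 5, 1)),
    "Vigor300B": ("<", (1, 5, 1)),
    "Vigor3900": ("<", (1, 5, 1)),
    "VigorSwitch20P2121": ("<=", (2, 3, 2)),
    "VigorSwitch20G1280": ("<=", (2, 3, 2)),
    "VigorSwitch20P1280": ("<=", (2, 3, 2)),
    "VigorSwitch20G2280": ("<=", (2, 3, 2)),
    "VigorSwitch20P2280": ("<=", (2, 3, 2)),
}

BACKDOOR_USER = "wuwuhanhan"        # backdoor account named in the report
BACKDOOR_PORTS = {22335, 32459}     # SSH backdoor ports named in the report


def parse_version(text):
    """Turn 'v1.5.1', '1.5.1' or '1.5' into a comparable 3-tuple of ints."""
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError("no version digits in %r" % text)
    parts = tuple(int(n) for n in nums[:3])
    return parts + (0,) * (3 - len(parts))   # pad so 1.5 compares as 1.5.0


def is_affected(model, version):
    """True when model/version falls inside a listed affected range.
    Models not in the table return False (unlisted, not asserted safe)."""
    if model not in AFFECTED:
        return False
    op, fixed = AFFECTED[model]
    v = parse_version(version)
    return v < fixed if op == "<" else v <= fixed


def find_indicators(ps_output, passwd, netstat):
    """Return a list of human-readable findings from captured text."""
    findings = []
    # 1. A packet capture process, as seen in the traffic-sniffing campaign.
    for line in ps_output.splitlines():
        if re.search(r"\btcpdump\b", line):
            findings.append("tcpdump process: " + line.strip())
    # 2. The backdoor account: first colon-separated field of passwd lines.
    for line in passwd.splitlines():
        if line.split(":")[0] == BACKDOOR_USER:
            findings.append("backdoor account present: " + BACKDOOR_USER)
    # 3. Listeners on the reported SSH backdoor ports (netstat -tlnp layout).
    for line in netstat.splitlines():
        fields = line.split()
        if "LISTEN" not in fields or len(fields) < 4:
            continue
        port = int(fields[3].rsplit(":", 1)[1])   # local address is field 4
        if port in BACKDOOR_PORTS:
            findings.append("listener on backdoor port %d: %s" % (port, line.strip()))
    return findings


# Constructed sample captures (hypothetical, for illustration only).
SAMPLE_PS = """\
  PID USER       VSZ STAT COMMAND
  412 root      1204 S    /usr/sbin/lighttpd -f /etc/lighttpd.conf
 1193 root       980 S    tcpdump -i eth0 -w /tmp/cap.pcap
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
wuwuhanhan:x:0:0::/:/bin/sh
"""
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      412/lighttpd
tcp        0      0 0.0.0.0:22335           0.0.0.0:*               LISTEN      1301/sshd
tcp        0      0 0.0.0.0:32459           0.0.0.0:*               LISTEN      1302/sshd
"""


def triage(model="Vigor2960", version="v1.5.0"):
    """Run both checks on the constructed samples and return (affected, findings)."""
    return is_affected(model, version), find_indicators(SAMPLE_PS, SAMPLE_PASSWD, SAMPLE_NETSTAT)


if __name__ == "__main__":
    affected, hits = triage()
    print("firmware in affected range:", affected)
    for h in hits:
        print("-", h)
```

A firmware version outside the affected range does not clear a device on its own: the indicator scan is what shows whether an earlier compromise left accounts or listeners behind, which the patch alone does not remove.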

Affected companies and individuals should install the latest firmware updates to fully protect their networks against malware and emerging online threats.