News highlights:
- Researchers disclose 0-day attacks on DrayTek's devices
- Two command injection vulnerabilities are letting attackers eavesdrop on and install backdoors on the victim's device
- The vulnerabilities reside in the keyPath and rtick fields of the software
- The vendor has now fixed the bugs, and users are advised to update their software as soon as possible
Qihoo 360's NetLab has revealed details of cyberattacks happening in the wild that are aimed squarely at DrayTek network devices.
DrayTek is a Taiwan-based manufacturer that provides broadband CPE, firewalls, VPN devices, routers and even wireless LAN devices.
The revealed cyberattack campaigns are aimed at DrayTek's enterprise-grade networking devices like:
- the DrayTek Vigor enterprise switches,
- load balancers,
- routers, and
- VPN gateway devices.
The attacks reportedly began at the end of November or early December last year and are spying on thousands of unpatched DrayTek switches and Vigor devices.
CVE-2020-8515 was assigned to the vulnerabilities after the cybersecurity researchers published the indicators of compromise online.
What is the keyPath vulnerability?
This 0-day command injection vulnerability lies in the way the vulnerable devices transmit account passwords.
A keyPath field is used to add a suffix to the private password so that it can be decrypted later.
Because input to the keyPath field is insufficiently validated, attackers can exploit this bug to execute malicious commands remotely.
In the patched version, the keyPath field is limited to a maximum of 30 characters and to hexadecimal characters only.
Image source: blog.netlab.360.com
What is the rtick vulnerability?
This is also a command injection vulnerability, arising from insufficient checks in the formCaptcha() function.
The formCaptcha() function does not verify the timestamp taken from rtick; instead, it directly generates the CAPTCHA image via /usr/sbin/captcha.
DrayTek has fixed the bug by restricting the rtick field to the characters [0-9] only.
Image source: blog.netlab.360.com
How do the attacks happen?
The command injection attacks exploiting both of these vulnerabilities use scripts that let the attacker listen on the device's ports and create backdoors that never expire.
The attack on the rtick vulnerability creates SSH backdoors and a system backdoor account, wuwuhanhan:caonimuqin.
Cybersecurity researchers also noticed that the attackers disable the DrayTek Vigor network device's auto-logout feature.
Who is affected, and who is being attacked?
The vulnerable devices are:
- Vigor2960 (older than version 1.5.1)
- Vigor300B (older than version 1.5.1)
- Vigor3900 (older than version 1.5.1)
- VigorSwitch20P2121 (version 2.3.2 and earlier)
- VigorSwitch20G1280 (version 2.3.2 and earlier)
- VigorSwitch20P1280 (version 2.3.2 and earlier)
- VigorSwitch20G2280 (version 2.3.2 and earlier)
- VigorSwitch20P2280 (version 2.3.2 and earlier)
To find out whether you have been attacked, check for these indicators of compromise:
- 7c42b66ef314c466c1e3ff6b35f134a4
- 01946d5587c2774418b5a6c181199099
- d556aa48fa77040a03ab120b4157c007g
The rest of the IoCs are listed on Netlab360's blog.
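The indicators above and the backdoor account reported earlier are the kind of thing a defender wants to check for quickly on a suspect device. The following is an added triage helper, not code from the article or from NetLab: the three MD5 values and the account name are taken from the article (the third hash is reproduced exactly as the article prints it), the passwd-style sample input is constructed for the example, and the UID-0 heuristic is a general persistence check that goes beyond what the article reports.

```python
import hashlib

# Indicators quoted in the article. The third value is copied exactly as the
# article prints it, including its non-hexadecimal final character.
ARTICLE_IOC_MD5 = {
    "7c42b66ef314c466c1e3ff6b35f134a4",
    "01946d5587c2774418b5a6c181199099",
    "d556aa48fa77040a03ab120b4157c007g",
}
BACKDOOR_USER = "wuwuhanhan"  # account name reported in the article


def find_suspicious_accounts(passwd_text: str) -> list:
    """Parse /etc/passwd-style text and return account names that are either
    the reported backdoor account or any non-root account with UID 0.
    The UID-0 rule is a generic heuristic added here, not an article finding."""
    hits = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed line: skip rather than crash mid-triage
        user, uid = fields[0], fields[2]
        if user == BACKDOOR_USER or (uid == "0" and user != "root"):
            hits.append(user)
    return hits


def md5_hex(data: bytes) -> str:
    """MD5 as lowercase hex, matching the format the article's IoCs use."""
    return hashlib.md5(data).hexdigest()


def match_file_hashes(files: dict, iocs=frozenset(ARTICLE_IOC_MD5)) -> list:
    """files maps a path to its bytes. Return the paths whose MD5 is an IoC."""
    return sorted(path for path, data in files.items() if md5_hex(data) in iocs)


def triage(passwd_text: str, files: dict) -> dict:
    """Run both checks and return a small report dict."""
    return {
        "accounts": find_suspicious_accounts(passwd_text),
        "hash_hits": match_file_hashes(files),
    }


# Constructed sample input: a passwd file with one planted backdoor account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
wuwuhanhan:x:0:0::/root:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
"""

if __name__ == "__main__":
    print(triage(SAMPLE_PASSWD, {"/tmp/sample.bin": b"constructed sample"}))
```

On a real device the passwd text and file bytes would be read from the system; the functions take them as arguments so the logic can be exercised offline against constructed input and the IoC set can be swapped for the fuller list NetLab publishes.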
DrayTek Vigor users are encouraged to update their software as soon as possible.
What do you think about this news? Let us know your thoughts and opinions in the comments section below.
Do you know of anyone who uses DrayTek devices?
If yes, share this news with them. And keep an eye on this space for more updates.
Stay tuned, stay safe.