- Joined
- Jun 28, 2020
- Messages
- 6,852
- Reaction score
- 739
- Points
- 212
- Awards
- 2
The attacks began in late November or early December last year and may still be ongoing.
Netlab researchers at Qihoo 360, a Chinese security company, reported two recently discovered malicious campaigns in which cybercriminals exploited zero-day vulnerabilities in Taiwanese-based DrayTek network devices.
According to experts, at least two separate cybercriminal groups used two critical remote command injection vulnerabilities ( CVE-2020-8515 ), affecting corporate switches, load balancers, routers and VPN gateways of DrayTek Vigor to intercept network traffic and install backdoors.
According to experts, the attacks began in late November or early December last year and may still continue against thousands of vulnerable Vigor 2960, 3900, 300B devices that have not yet received the latest firmware.
NetLab researchers did not associate the attacks with any particular grouping, but confirmed that the first group simply spied on network traffic, and the second used the command injection vulnerability in rtick to create backdoors and a system account with the username “wuwuhanhan” and the password “caonimuqin”.
According to experts, installing a fixed version of the firmware will not delete backdoor accounts automatically if the system has already been compromised.
Problems affect Vigor2960 versions below 1.5.1, Vigor300B below 1.5.1, Vigor3900 below 1.5.1, VigorSwitch20P2121 2.3.2 and below, VigorSwitch20G1280 2.3.2 and below, VigorSwitch20P1280 v2.3.2 and below, VigorSwitch20G2280 v2.3.2 and below VigorSwitch20G2280 v2.3.2 and below v2.3.2 and below. The manufacturer fixed the vulnerability in firmware version 1.5.1.
Netlab researchers at Qihoo 360, a Chinese security company, reported two recently discovered malicious campaigns in which cybercriminals exploited zero-day vulnerabilities in Taiwanese-based DrayTek network devices.
According to experts, at least two separate cybercriminal groups used two critical remote command injection vulnerabilities ( CVE-2020-8515 ), affecting corporate switches, load balancers, routers and VPN gateways of DrayTek Vigor to intercept network traffic and install backdoors.
According to experts, the attacks began in late November or early December last year and may still continue against thousands of vulnerable Vigor 2960, 3900, 300B devices that have not yet received the latest firmware.
NetLab researchers did not associate the attacks with any particular grouping, but confirmed that the first group simply spied on network traffic, and the second used the command injection vulnerability in rtick to create backdoors and a system account with the username “wuwuhanhan” and the password “caonimuqin”.
According to experts, installing a fixed version of the firmware will not delete backdoor accounts automatically if the system has already been compromised.
Problems affect Vigor2960 versions below 1.5.1, Vigor300B below 1.5.1, Vigor3900 below 1.5.1, VigorSwitch20P2121 2.3.2 and below, VigorSwitch20G1280 2.3.2 and below, VigorSwitch20P1280 v2.3.2 and below, VigorSwitch20G2280 v2.3.2 and below VigorSwitch20G2280 v2.3.2 and below v2.3.2 and below. The manufacturer fixed the vulnerability in firmware version 1.5.1.
