A mysterious hacker group is eavesdropping on corporate email and FTP traffic

March 28, 2020
in Internet Security

Image: DrayTek, ZDNet

Since at least early December 2019, a mysterious hacker group has been taking over DrayTek enterprise routers to eavesdrop on FTP and email traffic inside corporate networks, Chinese security firm Qihoo 360 said today.

In a report published on the blog of its network security division Netlab, Qihoo said its researchers detected two different threat actors, each exploiting a different zero-day vulnerability in DrayTek Vigor — load-balancing routers and VPN gateways typically deployed on enterprise networks.

Attack Group A — stealing FTP and email traffic

Of the two hacker groups, the first — identified only as “Attack Group A” — appears to be, by far, the more sophisticated of the two.

According to Qihoo, the group popped up on their radar on December 4, last year, when they detected a pretty complex attack on DrayTek devices.

Qihoo says Attack Group A abused a vulnerability in the RSA-encrypted login mechanism of DrayTek devices to hide malicious code inside the router’s username login field.

When a DrayTek router received and then decrypted the boobytrapped RSA-encrypted login data, it ran the malicious code and granted the hackers control over the router.

But here’s where things got weird. Instead of abusing the device to launch DDoS attacks or re-route traffic as part of a proxy network, the hackers turned the router into a spy-box.

Researchers say the hackers deployed a script that recorded traffic coming over port 21 (FTP – file transfer), port 25 (SMTP – email), port 110 (POP3 – email), and port 143 (IMAP – email).

Then, every Monday, Wednesday, and Friday at 0:00, the script would upload all the recorded traffic to a remote server.

Qihoo researchers didn’t speculate why hackers were collecting FTP and email traffic. But speaking to ZDNet over the phone, a security researcher pointed out that this looked like a classic reconnaissance operation.

“All four protocols are cleartext. It’s obvious they’re logging traffic to collect login credentials for FTP and email accounts,” the researcher told ZDNet. “Those creds are flying unencrypted over the network. They’re easy pickings.”

*The researcher didn’t want his name shared for this article as he was not authorized to speak to the press without his employer’s PR department approval.
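The capture behaviour described above (recording ports 21, 25, 110 and 143, then uploading the take at 0:00 on Mondays, Wednesdays and Fridays) gives a defender two concrete things to look for in flow logs: internal hosts still using cleartext FTP and email, and a router that periodically pushes large volumes to one external host on exactly that schedule. The following script is an added example written for this article, not code from Qihoo 360, Netlab or ZDNet; the flow records, IP addresses, byte thresholds and the router address `10.0.0.1` are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Cleartext protocols named in the report: any on-path device, such as a
# compromised router, can read the credentials these sessions carry.
CLEARTEXT_PORTS = {21: "FTP", 25: "SMTP", 110: "POP3", 143: "IMAP"}

# Upload schedule the report attributes to the capture script:
# Monday, Wednesday, Friday at 00:00 (datetime.weekday(): Mon=0, Wed=2, Fri=4).
EXFIL_WEEKDAYS = {0, 2, 4}
EXFIL_HOUR = 0

# Constructed sample flow records (not from the report):
# "timestamp,src_ip,dst_ip,dst_port,bytes". 2019-12-02 is a Monday.
SAMPLE_FLOWS = """\
2019-12-02 00:00:07,10.0.0.1,203.0.113.10,443,2048000
2019-12-02 09:14:51,10.0.0.25,10.0.0.5,143,5120
2019-12-02 09:15:02,10.0.0.25,10.0.0.5,993,4096
2019-12-04 00:00:11,10.0.0.1,203.0.113.10,443,1975000
2019-12-05 13:40:19,10.0.0.31,198.51.100.7,21,7300
2019-12-06 00:00:09,10.0.0.1,203.0.113.10,443,2210000
2019-12-07 00:00:03,10.0.0.1,203.0.113.10,443,2100000
2019-12-06 11:02:44,10.0.0.40,10.0.0.6,25,880
"""


def parse_flows(text):
    """Parse CSV flow lines into dicts with a datetime and integer port/bytes."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, nbytes = line.split(",")
        flows.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "src": src,
            "dst": dst,
            "port": int(port),
            "bytes": int(nbytes),
        })
    return flows


def cleartext_credential_flows(flows):
    """Return (src, dst, protocol) for every flow on a cleartext FTP/email port.

    Each hit is a session whose login credentials a compromised router could
    have recorded; the fix is to move these clients to the TLS variants.
    """
    return [(f["src"], f["dst"], CLEARTEXT_PORTS[f["port"]])
            for f in flows if f["port"] in CLEARTEXT_PORTS]


def scheduled_uploads(flows, router_ip, min_bytes=1_000_000, min_hits=3):
    """Return external hosts that received a large upload from router_ip at
    00:00 on Mon/Wed/Fri on at least min_hits distinct days.

    min_bytes and min_hits are assumed thresholds; tune them to the site.
    A router should not originate bulk uploads at all, so repeated hits on the
    exact schedule described in the report are a strong signal.
    """
    hits = defaultdict(set)
    for f in flows:
        t = f["time"]
        if (f["src"] == router_ip and f["bytes"] >= min_bytes
                and t.weekday() in EXFIL_WEEKDAYS and t.hour == EXFIL_HOUR):
            hits[f["dst"]].add(t.date())
    return sorted(dst for dst, days in hits.items() if len(days) >= min_hits)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, dst, proto in cleartext_credential_flows(flows):
        print(f"cleartext {proto}: {src} -> {dst}")
    for host in scheduled_uploads(flows, "10.0.0.1"):
        print(f"scheduled upload pattern from router to {host}")
```

The Saturday 00:00 record in the sample is deliberately ignored by `scheduled_uploads`, and the IMAPS session on port 993 is not reported by `cleartext_credential_flows`, so the two checks only fire on the patterns the report actually describes.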

Furthermore, ZDNet also understands from another industry source that the group’s hacking campaign has not gone unnoticed and has been kept under observation by other cyber-security firms. However, Attack Group A doesn’t share any server infrastructure or malware samples with any other known hacking group — so this, for now, appears to be a new group.

Attack Group B — creating backdoor accounts

But DrayTek devices have also been abused by a second group, which Qihoo codenamed “Attack Group B.”

This group used a different zero-day, but the hackers didn’t discover it themselves. Instead, the zero-day was first described in a January 26 post on the Skull Army blog, and the hackers began exploiting it two days later.

Per Qihoo, the hackers used this second zero-day to execute code on vulnerable DrayTek devices by exploiting a bug in the “rtick” process to create backdoor accounts on the hacked routers. What they did with those accounts remains unknown.

Patches released in February

Qihoo said its researchers notified DrayTek about both zero-days once they detected attacks; however, their first alert was sent through an incorrect channel and was never seen by DrayTek’s staff.

The vendor did eventually learn of the two zero-days after Group B’s attacks in January and released firmware patches on February 10. DrayTek even went out of its way to release a firmware patch for a now-discontinued router model.

According to Qihoo, attacks have been observed against DrayTek Vigor 2960, 3900, and 300B.

Using the BinaryEdge search engine, ZDNet was able to find more than 978,000 DrayTek Vigor devices on the internet, although Qihoo says that only around 100,000 of these are running a firmware version that’s vulnerable to attacks.

[Image: draytek-vigor-be.png. Credit: ZDNet]
