Chinese security firm Qihoo 360 has announced that an unidentified hacker group has been intercepting FTP and email traffic inside corporate networks since at least the beginning of December 2019. In its published report, the company said its researchers identified two different threat actors that exploited a vulnerability in DrayTek Vigor VPN gateways.
According to the company, there are two distinct groups. The first appears to be the more sophisticated. Qihoo's monitoring first detected this group carrying out a fairly elaborate attack on DrayTek devices on December 4 last year. Qihoo said the same group abused a vulnerability in the RSA-encrypted login mechanism of DrayTek devices to hide malicious code in the username submitted to the router's login page.
Researchers found that the hackers targeted port 21 (FTP, file transfer), port 25 (SMTP, email), port 110 (POP3, email) and port 143 (IMAP, email), and that they deployed a script on the compromised routers which recorded the traffic passing over those ports. Qihoo's researchers did not speculate on why the hackers were collecting FTP and email traffic, but in subsequent interviews a security researcher pointed out that it looked like a classic reconnaissance operation.
In addition, another source reported that the group's campaign had gone largely unnoticed, although it was later observed by other cyber security firms. However, the group did not share any server infrastructure or malware samples with any known hacking group, so for now it appears to be a new group.
There is another group of hackers
DrayTek devices were also abused by a second group, which Qihoo calls "Attack Group B". This group appeared on different days, and unlike the first group it did not discover the vulnerability itself. According to Qihoo, the second group exploited an "rtick" bug to create backdoor accounts on certain routers. What they did with these accounts is still unknown. The company is continuing its research and publishing new information as it becomes available.
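The two activities described above (a sniffer on the cleartext FTP and mail ports, and unexpected accounts added to the router) both leave evidence a defender can check for. The script below is an added example, not Qihoo's or DrayTek's own tooling; the flow-record format, the account-listing format and the sample data are all constructed for the example and would need to be adapted to whatever a given gateway actually exports. It counts how much cleartext FTP/SMTP/POP3/IMAP traffic leaves through the WAN side (the traffic a compromised router could read) and diffs the router's admin accounts against an approved list.

```python
"""Triage helpers for a possibly compromised SOHO/branch router.

Added example; not Qihoo's or DrayTek's code. The flow-record format
('src=... dst=... dport=... out=...') and the account listing are
constructed for this example.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Iterable

# Cleartext protocols the report says the attackers' sniffer targeted.
CLEARTEXT_PORTS = {
    21: "FTP",
    25: "SMTP",
    110: "POP3",
    143: "IMAP",
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    iface: str  # egress interface, e.g. "wan1" or "lan" (constructed naming)


def parse_flow_line(line: str) -> Flow:
    """Parse one constructed key=value flow record into a Flow."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]), fields["out"])


def cleartext_exposure(lines: Iterable[str]) -> Counter:
    """Count flows per cleartext protocol that leave via a WAN interface.

    Internal LAN-to-LAN flows and TLS variants (993, 995, 465, 990) are
    ignored: only traffic that crosses the gateway unencrypted is exposed
    to a sniffer running on the router itself.
    """
    hits: Counter = Counter()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow_line(line)
        proto = CLEARTEXT_PORTS.get(flow.dport)
        if proto and flow.iface.startswith("wan"):
            hits[proto] += 1
    return hits


def unexpected_accounts(listing: str, expected: set[str]) -> list[str]:
    """Return admin accounts present on the router but not in the approved set."""
    found = [
        ln.split()[0]
        for ln in listing.splitlines()
        if ln.strip() and not ln.startswith("#")
    ]
    return sorted(set(found) - expected)


# Constructed sample data, one flow per line.
SAMPLE_FLOWS = """\
# constructed flow records
src=10.0.0.12 dst=203.0.113.10 dport=143 out=wan1
src=10.0.0.12 dst=203.0.113.10 dport=993 out=wan1
src=10.0.0.40 dst=198.51.100.5 dport=21 out=wan1
src=10.0.0.40 dst=10.0.0.2 dport=25 out=lan
src=10.0.0.55 dst=203.0.113.10 dport=25 out=wan1
"""

# Constructed sample of an admin-account listing: "<name> <state>".
SAMPLE_ACCOUNTS = """\
# constructed account listing
admin    enabled
backup   enabled
helper2  enabled
"""

APPROVED_ADMINS = {"admin", "backup"}

if __name__ == "__main__":
    for proto, n in sorted(cleartext_exposure(SAMPLE_FLOWS.splitlines()).items()):
        print(f"{proto}: {n} cleartext flow(s) via WAN")
    for name in unexpected_accounts(SAMPLE_ACCOUNTS, APPROVED_ADMINS):
        print(f"unexpected admin account: {name}")
```

Any protocol that shows up in the exposure count is a candidate for moving to its TLS variant or for closer monitoring while the gateway is under suspicion, and any account reported by the second check should be verified against change records before the router is trusted again.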