A mysterious hacker group is eavesdropping on corporate email and FTP traffic

DrayTek Vigor
Image: DrayTek, ZDNet

Since at least early December 2019, a mysterious hacker group has been taking over DrayTek enterprise routers to eavesdrop on FTP and email traffic inside corporate networks, Chinese security firm Qihoo 360 said today.

In a report published on the blog of its network security division Netlab, Qihoo said its researchers detected two different threat actors, each exploiting a different zero-day vulnerability in DrayTek Vigor — load-balancing routers and VPN gateways typically deployed on enterprise networks.

Attack Group A — stealing FTP and email traffic

Of the two hacker groups, the first — identified only as “Attack Group A” — appears to be, by far, the more sophisticated of the two.

According to Qihoo, the group popped up on their radar on December 4, last year, when they detected a pretty complex attack on DrayTek devices.

Coinbase 2

Qihoo says Attack Group A abused a vulnerability in the RSA-encrypted login mechanism of DrayTek devices to hide malicious code inside the router’s username login field.

When a DrayTek router received and then decrypted the boobytrapped RSA-encrypted login data, it ran the malicious code and granted the hackers control over the router.

But here’s where things got weird. Instead of abusing the device to launch DDoS attacks or re-route traffic as part of a proxy network, the hackers turned into a spy-box.

Researchers say the hackers deployed a script that recorded traffic coming over port 21 (FTP – file transfer), port 25 (SMTP – email), port 110 (POP3 – email), and port 143 (IMAP – email).

Then, on every Monday, Wednesday, and Friday at 0:00, the script would upload all the recorded traffic to a remote server.

Qihoo researchers didn’t speculate why hackers were collecting FTP and email traffic. But speaking to ZDNet over the phone, a security researcher pointed out that this looked like a classic reconnaissance operation.

“All four protocols are cleartext. It’s obvious they’re logging traffic to collect login credentials for FTP and email accounts,” the researcher told ZDNet. “Those creds are flying unencrypted over the network. They’re easy pickings.”

***The researcher didn’t want his name shared for this article as he was not authorized to speak to the press without his employer’s PR department approval.

Furthermore, ZDNet also understands from another industry source that the group’s hacking campaign has not gone unnoticed and has been kept under observation by other cyber-security firms. However, Attack Group A doesn’t share any server infrastructure or malware samples with any other known hacking group — so this, for now, appears to be a new group.

Attack Group B — creating backdoor accounts

But DrayTek devices have also been abused by a second group, which Qihoo codenamed “Attack Group B.”

This group used a different zero-day, but the hackers didn’t discover it themselves. Instead, the zero-day was first described in a January 26 post on the Skull Army blog, and the hackers began exploiting it two days later.

Per Qihoo, the hackers used this second zero-day to execute code on vulnerable DrayTek devices by exploiting a bug in the “rtick” process to create backdoor accounts on the hacked routers. What they did with those accounts remains unknown.

Patches released in February

Qihoo said its researchers notified DrayTek about both zero-days once they detected attacks; however, their first alert was sent through an incorrect channel and was never seen by DrayTek’s staff.

The vendor did eventually learned of the two zero-days after Group B’s attacks in January and released firmware patches on February 10. DrayTek even went out of its way to release a firmware patch for a now-discontinued router model.

According to Qihoo, attacks have been observed against DrayTek Vigor 2960, 3900, and 300B.

Using the BinaryEdge search engine, ZDNet was able to find more than 978,000 DrayTek Vigor devices on the internet, although, Qihoo says that only around 100,000 of these are running a firmware version that’s vulnerable to attacks.



A mysterious hacker group is eavesdropping on corporate email and FTP traffic 1
About the author

E-Crypto News was developed to assist all cryptocurrency investors in developing profitable cryptocurrency portfolios through the provision of timely and much-needed information. Investments in cryptocurrency require a level of detail, sensitivity, and accuracy that isn’t required in any other market and as such, we’ve developed our databases to help fill in information gaps.

Related Posts


E-Crypto News Executive Interviews


Bitcoin (BTC) $ 39,225.00
Ethereum (ETH) $ 2,360.72
Tether (USDT) $ 1.00
Binance Coin (BNB) $ 319.14
Cardano (ADA) $ 1.34
XRP (XRP) $ 0.662810
Dogecoin (DOGE) $ 0.223008
USD Coin (USDC) $ 1.00
Polkadot (DOT) $ 14.85
Binance USD (BUSD) $ 1.00
bitcoinBitcoin (BTC)
$ 39,225.00
ethereumEthereum (ETH)
$ 2,360.72
tetherTether (USDT)
$ 1.00
bitcoin-cashBitcoin Cash (BCH)
$ 505.48
litecoinLitecoin (LTC)
$ 137.90
bitcoinBitcoin (BTC)
ethereumEthereum (ETH)
tetherTether (USDT)
bitcoin-cashBitcoin Cash (BCH)
litecoinLitecoin (LTC)
bitcoinBitcoin (BTC)
ethereumEthereum (ETH)
tetherTether (USDT)
bitcoin-cashBitcoin Cash (BCH)
litecoinLitecoin (LTC)

Automated trading with HaasBot Crypto Trading Bots

Crypto Scams

Cryptocurrency Exchanges
Cryptocurrency Exchanges and the Plague of Scams and Bans
June 29, 2021
What Role Do Cryptocurrencies Play In The Era Of Ransomware Attacks?
June 9, 2021
Crypto Scams On The Rise As Market Enters Bull Cycle
Crypto Scams On The Rise As Market Enters Bull Cycle
December 22, 2020
Harpreet Singh Sahni perpetrated the Plus Gold Union Coin (PGUC) scam
Sydney Concert Promoter Harpreet Sahni Involved In $50M Crypto PGUC Scam
November 2, 2020
Mining City insists that it is legit
Mining City Refutes Claims By Philippines SEC Of Being A Scam
September 23, 2020

Blockchain/Cryptocurrency Questions and Answers

Short-Sell Cryptocurrency
How to Short-Sell Cryptocurrency: A Brief Overview
July 17, 2021
What Is Klaytn (KLAY) And How Does It Work?
July 16, 2021
Our Crypto Roundup Interview Asks- Do Cryptocurrencies Have a Future?
July 15, 2021
What Is Solana (SOL) And How Does It Work?
June 26, 2021
What Is Plethori Platform And How Does It Work?
June 12, 2021

CryptoCurrencyUSDChange 1hChange 24hChange 7d
Bitcoin39,774 1.56 % 15.33 % 24.61 %
Ethereum2,376.8 0.51 % 9.90 % 24.72 %
Tether1.000 0.05 % 0.03 % 0.23 %
Binance Coin322.16 1.09 % 7.80 % 5.88 %
Cardano1.350 0.57 % 11.78 % 13.65 %
XRP0.6649 0.31 % 10.91 % 12.73 %
Dogecoin0.2244 0.52 % 13.77 % 21.76 %
USD Coin1.010 0.35 % 0.39 % 0.00 %
Polkadot14.97 1.63 % 10.78 % 17.20 %
Binance USD1.010 0.50 % 0.89 % 0.54 %

Bitcoin (BTC) $ 36,666.00
Ethereum (ETH) $ 2,158.16
Tether (USDT) $ 0.998365
Binance Coin (BNB) $ 299.18
Cardano (ADA) $ 1.22
XRP (XRP) $ 0.613373
USD Coin (USDC) $ 0.997299
Dogecoin (DOGE) $ 0.198524
Polkadot (DOT) $ 13.46
Binance USD (BUSD) $ 0.992712