Going back as far as November 2019, hacking groups have been taking over DrayTek network devices to eavesdrop on FTP and email traffic. Researchers with Qihoo 360’s NetLab unveiled details of two zero-day cyberattack in the wild targeting enterprise-grade networking devices manufactured by Taiwan-based DrayTek. The hackers have been exploiting two critical remote command injection vulnerabilities (CVE-2020-8515). These vulnerabilities affect DrayTek Vigor enterprise switches, load-balancers, routers and VPN gateways.
Preventive Actions:
- check and update device firmware
- check your device for a tcpdump process, SSH backdoor account, Web Session backdoor, etc.
- Disable remote access
List of affected firmware versions:
- Vigor2960 < v1.5.1
- Vigor300B < v1.5.1
- Vigor3900 < v1.5.1
- Vigor3900 < v1.5.1
- VigorSwitch20P2121 <= v2.3.2
- VigorSwitch20G1280 <= v2.3.2
- VigorSwitch20P1280 <= v2.3.2
- VigorSwitch20G2280 <= v2.3.2