A Mysterious Hacker Group Has Been Spying on Corporate Email and FTP Traffic
We have discussed in an earlier blog how recent times have encouraged the Work from Home culture. Almost all correspondence has shifted to email, with decreasing reliance on telephone calls and even less on person-to-person contact. Directives, action plans and work summaries are low on the sensitivity scale. But as a business owner, you can imagine how confidential other parts of your corporate email communication and remote file transfers are. Funding decisions, trade secrets, remote collaborations, executive decisions… all of these can yield high gains for hackers should they somehow gain illegal access to corporate email and FTP traffic.
Chinese security group Qihoo 360 has found traces of an attack that exploits exactly this. Communication equipment made by DrayTek is being targeted to eavesdrop on corporate networks, and this has been going on surreptitiously since December 2019. In a cyber security report, Qihoo says it found two threat actors, each independently targeting a separate zero-day vulnerability in DrayTek routers and VPN gateways.
Since the actual faces behind the attack have not been discovered, Qihoo has categorised the threat actors simply as Group A and Group B.
Attack Group A: Steals Corporate Email and FTP Traffic
This is a highly skilled group, and its attacks on the DrayTek devices demonstrate that sophistication. As per Qihoo, Attack Group A exploited a vulnerability in the RSA-encrypted login method of DrayTek devices. They sneaked their own malicious code into the router’s username login field; when the network device processed the login request, the malicious code took over and granted full access to the router.
Now, there are a lot of things a hacker can do with this type of complete access. They can perform Denial of Service attacks or tamper with the packet routing rules and filters. Attack Group A, however, ingeniously turned the DrayTek device into their own personal spy-box. Through batch files and scripts, the hackers tuned the device to listen in on traffic at the network ports used by FTP (port 21), SMTP (port 25), POP3 (port 110) and IMAP (port 143). At midnight on specific days, the script would simply upload its recorded data to a remote server.
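The two behaviours described above leave traces a defender can look for in the gateway's own flow records: clients still talking cleartext FTP/SMTP/POP3/IMAP (credentials exposed to any device in the path) and the gateway itself pushing large uploads to one external host around midnight on repeated days. The following audit is an added example and not code from Qihoo, Logix or DrayTek; the flow records, the gateway address 10.0.0.1 and the thresholds are constructed assumptions.

```python
"""Audit constructed flow records for (a) cleartext mail/FTP sessions and
(b) recurring gateway uploads within a few minutes of midnight."""
from collections import defaultdict
from datetime import datetime

# Ports of the four cleartext protocols the attackers' scripts captured.
CLEARTEXT_PORTS = {21: "FTP", 25: "SMTP", 110: "POP3", 143: "IMAP"}
GATEWAY_IP = "10.0.0.1"  # assumed address of the DrayTek gateway (constructed)

# Constructed flow records: timestamp, source, destination, dst port, bytes sent.
FLOWS = """\
2019-12-10T09:15:02 10.0.0.23 203.0.113.10 110 1200
2019-12-10T09:16:40 10.0.0.24 203.0.113.10 993 4100
2019-12-10T10:02:11 10.0.0.25 203.0.113.20 21 52000
2019-12-10T00:00:05 10.0.0.1 198.51.100.7 443 7340032
2019-12-11T09:30:00 10.0.0.23 203.0.113.10 143 800
2019-12-12T00:00:03 10.0.0.1 198.51.100.7 443 8120000
2019-12-12T14:10:22 10.0.0.1 198.51.100.7 443 2048
"""

def parse_flows(text):
    """Turn one record per line into (datetime, src, dst, port, bytes) tuples."""
    rows = []
    for line in text.splitlines():
        ts, src, dst, port, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return rows

def cleartext_sessions(flows):
    """Clients still using a protocol whose credentials cross the wire in the clear."""
    return [(src, dst, CLEARTEXT_PORTS[port])
            for _, src, dst, port, _ in flows if port in CLEARTEXT_PORTS]

def midnight_uploads(flows, gateway=GATEWAY_IP, window_min=5, min_bytes=1_000_000):
    """Large outbound transfers from the gateway itself close to midnight,
    grouped by destination; only destinations seen on two or more days count."""
    hits = defaultdict(list)
    for ts, src, dst, _, nbytes in flows:
        minutes = ts.hour * 60 + ts.minute
        near_midnight = minutes <= window_min or minutes >= 24 * 60 - window_min
        if src == gateway and near_midnight and nbytes >= min_bytes:
            hits[dst].append(ts.date().isoformat())
    return {dst: days for dst, days in hits.items() if len(days) >= 2}

if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    print("cleartext sessions:", cleartext_sessions(flows))
    print("recurring midnight uploads:", midnight_uploads(flows))
```

The TLS-protected IMAP session on port 993 is deliberately not flagged, and a small midday transfer from the gateway is ignored so that only the scheduled bulk upload pattern surfaces.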
“All four protocols are cleartext. It’s obvious they’re logging traffic to collect login credentials for FTP and email accounts,” the unnamed researcher from Qihoo says. “Those creds are flying unencrypted over the network. They’re easy pickings.”
This is plainly a full-blown spying operation, with the theft of credentials and data as its objective.
Attack Group B: Backdoor Accounts
The DrayTek devices also suffered intrusion from a different set of hackers, termed Attack Group B by Qihoo. For this attack, however, the group had help from another source, which described a second zero-day vulnerability in DrayTek devices. Reading this, Attack Group B sprang into action and set about exploiting a security hole that remained open because the patch had not been applied.
According to Qihoo, Attack Group B used this second zero-day to exploit a bug in the “rtick” process to create backdoor accounts on the compromised routers. The true extent of the damage they did with these backdoor accounts has not yet been brought to light.
If it happens to someone, it can happen to anyone
In December, business operations were carried on as usual. Now the scenario has changed. Now you can almost visualise the hackers perched on a branch somewhere above you (perhaps wearing a mask), waiting for you to slip up and make a blunder. We can help you make sure you don’t make any.
It is advisable for users to access their mail server over MAPI, ActiveSync and HTTPS rather than sticking to POP/IMAP, which are more vulnerable and prone to hacking. Our Office 365, Zimbra and G Suite tools provide MAPI, ActiveSync and HTTPS.
Logix Cloud Email Security enables organisations to combat advanced attacks with its multi-layered, multi-tiered security approach, using multiple threat intelligence detection and prevention tools. When tensions are already soaring high, you don’t need another one on your head.
We are here to take the onus of your security upon ourselves. Make a smart decision today and secure yourself for the long term. Switch to a mailing solution that follows the current, most secure protocols to keep your data safe.