Information security specialists have discovered a malicious campaign dubbed Hiatus, in which malware attacks routers. It has infected about 100 outdated DrayTek Vigor 2960 and 3900 routers (about 2% of the routers of these models connected to the Internet) in order to steal their owners' data and build a covert proxy network.
Let me remind you that we also wrote that Spyware Predator Uses Five 0-day Vulnerabilities to Attack Android Users, and also that Iranian RatMilad Spyware Attacks Android Users.
Experts warn that as part of the Hiatus campaign, which has spread to North and South America, as well as Europe, hackers can intercept victims’ email and steal files.
Attack map
Lumen Black Lotus Labs analysts say the hacking campaign, active since July 2022, is targeting DrayTek Vigor devices, which are business-class VPN routers used by small and medium businesses to connect remotely to corporate networks.
The attacks rely on three components: a malicious bash script, the Hiatus RAT malware, and a legitimate copy of tcpdump used to capture network traffic passing through the router.
The key component of this campaign is Hiatus itself, which is used to download additional payloads, execute commands on a compromised device, and turn compromised routers into SOCKS5 proxies that relay command-and-control (C2) traffic.
Interestingly, so far experts have not been able to determine exactly how the attackers compromise DrayTek routers. It is only known that after the hack, they gain access to routers and run a bash script that loads Hiatus and the legitimate tcpdump utility.
Once installed, the malware collects the following information from a compromised device:
- system data (MAC address, kernel version, system architecture, firmware version);
- network data (router IP address, local IP address, MAC addresses of devices in the neighboring local network);
- file system data (mount points, directory paths, file system type);
- process data (process names, identifiers, UIDs, and arguments).
After installing the malware, the attackers are able to: run commands, shells or new software on the device; read, delete or transfer files to a remote server; receive and execute specific files and scripts; set up a SOCKS v5 proxy on the compromised device; forward arbitrary TCP data to an open port on a host; and so on.
Experts emphasize that Hiatus not only turns a compromised machine into a proxy server, but is also able to capture packets in order to “monitor router traffic on ports associated with email and file transfers.” In other words, the malware monitors network traffic on the TCP ports used by mail servers and FTP.
The monitored ports are 21 (FTP), 25 (SMTP), 110 (POP3) and 143 (IMAP). Because communications over these ports are not encrypted, attackers can steal sensitive data, including email content, credentials, and the content of files being transferred.
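Two checks a defender can run over flow records from the router follow as an added example (not code from the original article or from Lumen): flag sessions on the cleartext ports Hiatus captures, and flag any SOCKS5 client greeting addressed to the router itself, since a router should not be offering a proxy service. The flow records, addresses and port numbers are constructed for illustration.

```python
"""Defender-side checks for the two Hiatus behaviours described above."""
from dataclasses import dataclass

# Cleartext protocols captured by the malware, with the TLS-wrapped alternatives
# (standard IANA ports) that take credentials and content out of the router's view.
CLEARTEXT_PORTS = {
    21: ("FTP", "FTPS (990) or SFTP"),
    25: ("SMTP", "SMTP with STARTTLS or SMTPS (465)"),
    110: ("POP3", "POP3S (995)"),
    143: ("IMAP", "IMAPS (993)"),
}

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload_prefix: bytes  # first client->server bytes of the session (constructed)

def is_socks5_greeting(data: bytes) -> bool:
    """RFC 1928 client greeting: VER=0x05, NMETHODS, then NMETHODS method bytes.
    0xFF is the server's 'no acceptable methods' reply and never a client offer."""
    if len(data) < 3 or data[0] != 0x05:
        return False
    nmethods = data[1]
    if nmethods < 1 or len(data) < 2 + nmethods:
        return False
    return all(m != 0xFF for m in data[2:2 + nmethods])

def assess(flows, router_ip):
    """Return (kind, detail) findings for cleartext sessions and SOCKS5 offers to the router."""
    findings = []
    for f in flows:
        if f.dport in CLEARTEXT_PORTS:
            proto, fix = CLEARTEXT_PORTS[f.dport]
            findings.append(("cleartext", f"{f.src}->{f.dst}:{f.dport} {proto} in the clear; "
                             f"readable by anyone capturing on the router; move to {fix}"))
        if f.dst == router_ip and is_socks5_greeting(f.payload_prefix):
            findings.append(("socks5", f"{f.src} sent a SOCKS5 greeting to the router on "
                             f"port {f.dport}; the router should not run a proxy service"))
    return findings

ROUTER_IP = "192.0.2.1"  # constructed router WAN address
SAMPLE_FLOWS = [  # constructed records, not real traffic
    Flow("10.0.0.15", "203.0.113.8", 143, b"a1 LOGIN alice secret\r\n"),
    Flow("10.0.0.15", "203.0.113.8", 993, b"\x16\x03\x01"),          # TLS, fine
    Flow("198.51.100.77", ROUTER_IP, 8816, b"\x05\x02\x00\x02"),     # SOCKS5 offer
    Flow("10.0.0.22", "203.0.113.9", 21, b"USER bob\r\n"),
]

if __name__ == "__main__":
    for kind, detail in assess(SAMPLE_FLOWS, ROUTER_IP):
        print(f"[{kind}] {detail}")
```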
Experts conclude that the Hiatus attacks only emphasize the need to protect the ecosystem of routers, and the devices themselves need to be regularly monitored, rebooted and updated, and outdated routers that have already lost support from the manufacturer should be replaced.
Let me remind you that information security specialists also said that the creation of the Chinese Comac C919 aircraft was accompanied by hacker attacks and cyber espionage.