Backdoor Accounts Discovered In Over 100,000 Zyxel Firewalls

Posted on January 2, 2021 at 10:36 AM

Dutch security researchers have found that more than 100,000 Zyxel networking devices carry a vulnerability that could be used in a hacking attack.

The devices are manufactured by the Taiwan-based company Zyxel, and the flaw could allow hackers to steal data from the vulnerable devices.

The Dutch security researchers who discovered the flaw say the backdoor account is a critical vulnerability.

Hackers could gain control of the vulnerable devices through either the web administration panel or through the SSH interface.

Owners of the affected devices have been advised to update their devices as soon as possible to prevent any successful hacking attempt.

Security experts have also warned that different threat actors could abuse the vulnerable devices, including ransomware gangs, state-sponsored hacking groups, and DDoS botnet operators.

Hacking gangs could access the vulnerable devices and use them as a foothold into internal networks to launch additional attacks.

Many of Zyxel’s top products affected

The researchers revealed that many of Zyxel’s top-line products are affected, including many enterprise-grade devices deployed across government networks and private enterprises.

The Zyxel product line affected includes the NXC series, the VPN series (used as VPN gateway), the USG FLEX series (a VPN and hybrid firewall gateway), the USG series (Unified Security Gateway), and the ATP (Advanced Threat Protection) series.

Most of the devices are utilized at the edge of a company’s network. When they are compromised, they enable hackers to launch additional attacks against internal hosts.

Zyxel has provided patches for the vulnerability, but not yet for all devices. Patches are available for the VPN series, USG Flex, USG, and ATP series. The company said patches for the NXC series will be available by April 2021.

It was easy to discover the vulnerability

According to the Eye Control researchers who discovered the vulnerability, the backdoor account is automatically removed once the patches are installed.

The account used a plaintext password that was visible in one of the system binaries, according to the Dutch researchers.

They also revealed that the account had root access to the device, since it was used when installing firmware updates via FTP on other interconnected Zyxel devices.

Zyxel exposed again after the 2016 backdoor incident

IoT security researcher Ankit Anubhav, during an interview with ZDNet last week, stated that it seems Zyxel did not learn from a similar backdoor incident that occurred in 2016.

That backdoor was tracked as CVE-2016-10401; the secret backdoor mechanism allowed anyone to elevate any account on the Zyxel platform to root level using a super-user password.

2020 backdoor is easier to exploit

When that backdoor was revealed, it was abused by several botnets. According to the researcher, the previous incident should have taught Zyxel a lesson, since the present issue is similar to the previous one.

“CVE-2016-10401 is still in the arsenal of most password attack based IoT botnets,” the researcher reiterated. However, the situation this time is even worse than the previous exposure.

Anubhav said the 2020 backdoor is more serious than the 2016 backdoor. According to him, the 2016 backdoor required the threat actor to already have access to a low-level account on the device. The 2020 mechanism is worse, since it grants the threat actor access without any prior condition.

Additionally, the 2016 vulnerability could only be exploited over Telnet, while the present one requires less expertise.

The researcher also pointed out that the affected devices are far more varied this time, unlike the previous backdoor, which affected only home routers.

Threat actors now have a wider option to launch their attacks since the affected devices include those used at home, in offices, and government establishments.

A whole new exposure level

The wide range of victims also includes corporate targets since the vulnerable devices are mainly marketed to firms to control internal networks and intranet access from remote locations.

In 2019 and 2020, vulnerabilities in VPN gateways and firewalls became one of the major entry points for cyber-espionage operations and ransomware attacks.

Vulnerabilities in Cisco, MobileIron, Fortinet, and Pulse Secure devices have regularly been exploited to attack government and company networks.

The researcher also noted that the Zyxel backdoor could expose a whole new set of government agencies and companies to the same kind of attacks seen over recent years.

Publisher: Koddos