Posted on June 25, 2021 at 6:03 PM
A recent report has revealed that Zyxel firewalls and VPN devices are being targeted by sophisticated hackers. The manufacturer issued an alert about the attack, warning that the threat actors are gaining access to the targeted devices and altering their configurations.
Hackers are intensifying their efforts towards targeting VPN device manufacturers and companies. The latest revelation by Zyxel is one of many such attacks in the past few months.
According to the report, the present attack affects organizations using Zyxel devices running ZLD firmware: the Advanced Threat Protection (ATP) firewalls, the USG FLEX combined firewalls, the USG and ZyWALL Unified Security Gateways, and the VPN series.
The attack targets devices exposed to the internet
In an email, the company told customers that the targeted security appliances are those with SSL VPN or remote management enabled.
Although the email is terse, it indicates that the attack is aimed specifically at devices reachable from the internet.
Once the threat actors have gained access to a device, they create previously unknown accounts on it and connect through those.
The email also stated that the company is working hard to resolve the situation, and it asked users to enable two-factor authentication to make it much harder for the threat actors to access their devices.
“We’re aware of the situation and have been working our best to investigate and resolve it,” the email noted.
It is not known whether the vulnerabilities exploited by the attackers were previously known or new. Nor is it clear how many users have been targeted so far, which geographical regions are receiving the most attacks, or whether the threat actors are still attempting to compromise customer devices and succeeding.
The company will release a patch soon
Zyxel has also issued guidelines to help users avoid becoming victims of the attack, sending a standard operating procedure (SOP) to all registered users of ATP, USG FLEX, USG/ZyWALL and VPN series devices. Zyxel also says it will release a firmware update that addresses the security issue in the user interface.
According to Zyxel, the update will help reduce the attack surface.
Zyxel is still investigating the incidents and says more details will be released as they are discovered.
So far, the activity shares features with CVE-2020-29583, a vulnerability caused by an undocumented account ("zyfwp") with full administrative rights. That flaw was fixed in January; the "zyfwp" account name did not appear in the email sent to customers this week.
Customers are advised to follow the mitigation guidelines the company has provided to make sure their Zyxel devices are safe from hackers’ exploitations.
They are also asked to be wary of increasingly rampant phishing attacks. Other measures include configuring appliances with the least privilege needed and patching devices as soon as updates are released.
Attackers increasingly target network security devices
The growing level of cyber threats has made VPNs, firewalls, and other network security devices favoured targets. These devices sit at the network edge, so an attacker who exploits a vulnerability in one gains not only control of the device but a foothold from which to reach the networks behind it.
Zyxel stated that the threat actors are attempting to access devices via the WAN interface. Once in, they bypass authentication and set up SSL VPN tunnels using unknown user accounts such as "zyxel_vpn_test", "zyxel_ts", or "zyxel_sllvpn".
This suggests the threat actors are relying on hardcoded or attacker-created accounts to maintain remote access to the devices.
Earlier this year, security researchers discovered a similar account in Zyxel's firmware binary. That vulnerability left over 100,000 firewalls and VPN gateways exposed to attack.
The company noted that users who have trouble logging in to the VPN, or who see traffic problems, password problems, or unfamiliar configuration parameters, may be dealing with an affected firewall.
Zyxel has advised admins to delete all unknown user accounts and admin accounts created by the threat actors. The company also says they must delete any unknown routing policies and firewall rules from the system.
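The indicators above (unknown accounts, unfamiliar routing policies and firewall rules) are easiest to check by diffing an exported configuration against what the administrator knows they created. The script below is an added example, not code from Zyxel or from the original report: it audits a constructed, ZLD-style config dump for the account names Zyxel's advisory lists, for any other account the admin did not create, and for policy-route and secure-policy entries missing from a known-good baseline. The line syntax it parses ("username <name> password <hash> user-type <type>", "policy-route <n> ...", "secure-policy <n> ...") is an assumption; adjust the regexes to the export format of your own firmware.

```python
import re

# Constructed sample of a Zyxel ZLD-style running configuration (not a real
# capture). The line syntax assumed here should be adjusted to match the
# export format of your own firmware.
SAMPLE_CONFIG = """\
username admin password REDACTED_HASH user-type admin
username vpnuser1 password REDACTED_HASH user-type user
username zyxel_ts password REDACTED_HASH user-type admin
username zyxel_sllvpn password REDACTED_HASH user-type user
policy-route 1 interface ge1 next-hop gateway 203.0.113.1
policy-route 7 interface ge2 next-hop gateway 198.51.100.254
secure-policy 3 from WAN to ZyWALL service SSH action allow
"""

# Account names Zyxel's advisory reports the attackers using.
KNOWN_ROGUE_ACCOUNTS = {"zyxel_vpn_test", "zyxel_ts", "zyxel_sllvpn"}

# Assumed line formats; "." never crosses a newline, so each match stays on its line.
USER_RE = re.compile(r"^username\s+(\S+)\s+.*?\buser-type\s+(\S+)", re.MULTILINE)
ROUTE_RE = re.compile(r"^policy-route\s+(\d+)\b.*$", re.MULTILINE)
POLICY_RE = re.compile(r"^secure-policy\s+(\d+)\b.*$", re.MULTILINE)


def audit_config(config, expected_users, baseline_routes, baseline_policies):
    """Compare a config dump against what the administrator expects to be there.

    expected_users: account names the admin created deliberately.
    baseline_routes / baseline_policies: policy-route and secure-policy IDs
    present in a known-good backup taken before the incident.
    Returns a dict of findings; empty lists mean nothing suspicious was seen.
    """
    findings = {
        "rogue_accounts": [],    # names the advisory explicitly associates with the attack
        "unknown_accounts": [],  # any other account the admin did not create
        "unknown_routes": [],    # policy routes absent from the baseline
        "unknown_policies": [],  # firewall (secure-policy) rules absent from the baseline
    }
    for name, user_type in USER_RE.findall(config):
        if name in KNOWN_ROGUE_ACCOUNTS:
            findings["rogue_accounts"].append(f"{name} ({user_type})")
        elif name not in expected_users:
            findings["unknown_accounts"].append(f"{name} ({user_type})")
    for match in ROUTE_RE.finditer(config):
        if int(match.group(1)) not in baseline_routes:
            findings["unknown_routes"].append(match.group(0))
    for match in POLICY_RE.finditer(config):
        if int(match.group(1)) not in baseline_policies:
            findings["unknown_policies"].append(match.group(0))
    return findings


def is_suspicious(findings):
    """True if any category of finding is non-empty."""
    return any(findings.values())


if __name__ == "__main__":
    # The admin created only "admin" and "vpnuser1"; the pre-incident backup had
    # policy-route 1 and no secure-policy entries (constructed baseline).
    result = audit_config(SAMPLE_CONFIG, {"admin", "vpnuser1"}, {1}, set())
    for category, items in result.items():
        for item in items:
            print(f"{category}: {item}")
    print("review required" if is_suspicious(result) else "clean")
```

Run against the sample, the audit flags the two advisory-named accounts (one of them with admin rights), the extra policy route, and the firewall rule allowing SSH from the WAN to the device itself, while leaving the admin's own accounts and route alone. A clean result on a production export is not proof the device is untouched, only that none of the listed indicators is present; a baseline backup taken before the incident is what makes the route and policy checks meaningful.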