Network device maker Zyxel alerts customers to active and ongoing attacks that target a range of firewalls and other types of corporate security devices.
In an email, the company said the targeted devices include security appliances with remote management or SSL VPN enabled, among them the USG / ZyWALL, USG FLEX, ATP and VPN series running on-premise ZLD firmware. The language of the email is terse, but it seems the attacks are targeting devices exposed to the internet. When the attackers successfully gain access to a device, the email further appears to state, they are then able to log in to previously unknown accounts hardwired into the devices.
Close the hatches
“We are aware of the situation and have done our best to investigate and resolve it,” read the email, which was posted on Twitter. “The malicious actor tries to access a device through the WAN; if successful, they then bypass the authentication and establish SSL VPN tunnels with unknown user accounts, such as ‘zyxel_silvpn’, ‘zyxel_ts’ or ‘zyxel_vpn_test’ to manipulate the device configuration.”
It remains unclear whether the weaknesses attacked are new or were already known. It’s equally difficult to know how many customers are being attacked, what their geographic distribution is, and whether the attacks are successful in compromising customer devices or are simply attempting to do so.
In a statement released later, Zyxel officials wrote:
Originally reported by users in Europe, Zyxel became aware of a sophisticated threat actor attempting to access a subset of Zyxel security devices through the WAN in order to bypass authentication and establish SSL VPN tunnels with unknown user accounts. Zyxel is currently evaluating attack vectors to determine if it is a known or unknown vulnerability.
Zyxel has developed guidance to enable users to temporarily mitigate the security incident and contain the threat. An SOP has been sent to all registered users of USG / ZyWALL, USG FLEX, ATP or VPN series devices. Zyxel is developing a firmware update to meet the UI security practices outlined in the SOP in order to reduce the attack surface.
The number of affected customers is unknown at this time as it appears that the exploited devices have their web management accessible to the public and are not locked down.
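The account names quoted in Zyxel's email give defenders something concrete to look for in SSL VPN logs. The following is an added example, not code from Zyxel or from this article: it flags tunnel events by the named accounts, or by any account absent from the administrator's own user inventory, over constructed log lines in an assumed syslog-like layout (the real ZLD message format may differ, so the regex would need adapting).

```python
import re
from dataclasses import dataclass

# Account names Zyxel's notice says the attackers use for SSL VPN tunnels.
SUSPECT_ACCOUNTS = {"zyxel_silvpn", "zyxel_ts", "zyxel_vpn_test"}

# Constructed sample log lines; the field layout is an assumption, not ZLD's real format.
SAMPLE_LOGS = """\
2021-06-24 03:12:07 fw1 sslvpn: user=alice src=203.0.113.7 action=login result=success
2021-06-24 03:14:41 fw1 sslvpn: user=zyxel_silvpn src=198.51.100.23 action=login result=success
2021-06-24 03:15:02 fw1 sslvpn: user=zyxel_silvpn src=198.51.100.23 action=tunnel-established
2021-06-24 03:20:19 fw1 sslvpn: user=bob src=192.0.2.44 action=login result=failed
2021-06-24 03:22:55 fw1 sslvpn: user=zyxel_vpn_test src=198.51.100.23 action=login result=success
2021-06-24 03:30:10 fw1 sslvpn: user=carol src=198.51.100.99 action=login result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<host>\S+) sslvpn: user=(?P<user>\S+) "
    r"src=(?P<src>\S+) action=(?P<action>\S+)"
)

@dataclass
class Finding:
    ts: str
    host: str
    user: str
    src: str
    reason: str

def scan(log_text, known_users):
    """Return SSL VPN events whose account is named in the notice or is not in
    the local inventory of accounts an administrator actually created."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an SSL VPN event in the assumed format
        user = m["user"]
        if user in SUSPECT_ACCOUNTS:
            reason = "account named in Zyxel notice"
        elif user not in known_users:
            reason = "account not in local user inventory"
        else:
            continue  # known account; nothing to flag here
        findings.append(Finding(m["ts"], m["host"], user, m["src"], reason))
    return findings

def sources_with_unknown_logins(findings):
    """Distinct source addresses behind the flagged events, for blocking or triage."""
    return sorted({f.src for f in findings})

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS, {"alice", "bob"}):
        print(f"{f.ts} {f.host}: {f.user} from {f.src} ({f.reason})")
```

Any hit on a name from the notice, or on an account nobody on the team remembers creating, is the cue to pull the device off WAN-reachable management and follow the vendor's SOP.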
Based on the vague details available so far, the vulnerability looks like CVE-2020-29583, which stemmed from an undocumented account with full administrative rights that used the hard-coded password “PrOw!aN_fXp.” When Zyxel patched the vulnerability in January, however, the account was listed as “zyfwp,” a name that does not appear in the email that Zyxel sent to customers this week.
Either way, the email states that the best way for customers to secure their Zyxel devices is to follow the guidelines published here. The guidelines contain generic advice such as configuring appliances with the lowest possible privileges, patching devices, using two-factor authentication, and being wary of phishing attacks.
The email comes as firewalls, VPNs and other devices used to secure networks have become a key vector for hackers pushing ransomware or espionage-motivated attacks. Appliances are typically located at the perimeter of the network to filter or block traffic entering or leaving the organization. Once hacked, these devices often give attackers the ability to pivot to internal networks.
In recent years, vulnerabilities in Fortigate SSL VPN and in competitor Pulse Secure SSL VPN have come under attack. SonicWall devices have also been compromised through security vulnerabilities. These threats show how security devices can make networks less secure when they are not carefully locked down.