Sophisticated hackers target these Zyxel firewalls and VPNs



Zyxel, a manufacturer of corporate routers and VPN devices, issued an alert saying that attackers are targeting its devices and changing configurations to remotely access a network.

In a new support note, the company said a “sophisticated threat actor” was targeting Zyxel security appliances with remote management or SSL VPN enabled.


The attacks affect organizations using Unified Security Gateway (USG), ZyWALL, USG FLEX Combined Firewall and VPN Gateway, Advanced Threat Protection (ATP) firewalls, and VPN series devices running its ZLD firmware.


“The malicious actor tries to access a device through the WAN; if successful, it then bypasses the authentication and establishes SSL VPN tunnels with unknown user accounts, such as ‘zyxel_sllvpn’, ‘zyxel_ts’ or ‘zyxel_vpn_test’, to manipulate the device configuration. We took action immediately after identifying the incident,” Zyxel noted.

Zyxel's note does not say how authentication is bypassed, but the fixed account names suggest attackers may be relying on hardcoded or undocumented accounts to access devices remotely.

Earlier this year, researchers found a hard-coded administrator backdoor account in one of Zyxel's firmware binaries, which left around 100,000 internet-exposed firewalls and VPN gateways open to remote takeover.

Zyxel lists several signs that a device may have been compromised: VPN access problems; routing, traffic, and connection issues; unfamiliar configuration settings; and password issues.

Zyxel advises administrators to remove all unknown administrator and user accounts created by attackers, along with any unknown firewall rules and routing policies.

The attacks came to light via Ars Technica, after a Zyxel customer posted the company's disclosure email on Twitter.

“Based on our investigation to date, we believe that maintaining an appropriate security policy for remote access is currently the most effective way to reduce the attack surface,” Zyxel said.

It recommends disabling HTTP and HTTPS services on the WAN side. For those who need to manage devices from the WAN, it recommends restricting access to trusted source IP addresses and enabling GeoIP filtering. It also points out that administrators should change passwords and configure two-factor authentication.
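The indicators in Zyxel's note (accounts the attacker creates, unknown routes and firewall rules) and the hardening advice (no HTTP/HTTPS management on the WAN unless restricted to trusted source addresses) can both be turned into a mechanical check of a running configuration against a known-good baseline. The script below is an added example written for this page; it is not Zyxel's code or tooling. The line-oriented config format it parses is invented for the illustration and is not ZLD's real CLI syntax, and the sample exports are constructed.

```python
"""Audit a firewall config export against a known-good baseline.

Added example, not Zyxel code. The line format is an assumption made for this
illustration (NOT ZLD syntax):
  user <name> role <admin|user>
  route <dest-cidr> via <next-hop>
  rule <n> <from-zone> <to-zone> <service> <allow|deny>
  mgmt <http|https> wan <on|off> [trusted <cidr>[,<cidr>...]]
"""
from dataclasses import dataclass, field

# Account names Zyxel's note says the attacker uses (quoted in the article above).
KNOWN_ATTACKER_ACCOUNTS = {"zyxel_sllvpn", "zyxel_ts", "zyxel_vpn_test"}


@dataclass
class Config:
    users: dict[str, str] = field(default_factory=dict)        # name -> role
    routes: set[tuple[str, str]] = field(default_factory=set)   # (dest, next_hop)
    rules: set[tuple[str, ...]] = field(default_factory=set)    # (from, to, service, action)
    mgmt: dict[str, dict] = field(default_factory=dict)         # service -> {"wan": bool, "trusted": [...]}


def parse_config(text: str) -> Config:
    """Parse the constructed export format; raise on anything unrecognised."""
    cfg = Config()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = line.split()
        if tok[0] == "user":
            cfg.users[tok[1]] = tok[3]
        elif tok[0] == "route":
            cfg.routes.add((tok[1], tok[3]))
        elif tok[0] == "rule":
            # Rule number dropped on purpose: compare rules by content, not position.
            cfg.rules.add(tuple(tok[2:6]))
        elif tok[0] == "mgmt":
            trusted = tok[5].split(",") if len(tok) > 5 and tok[4] == "trusted" else []
            cfg.mgmt[tok[1]] = {"wan": tok[3] == "on", "trusted": trusted}
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    return cfg


def audit(running_text: str, baseline_text: str) -> dict[str, list]:
    """Return the deltas an incident responder would act on."""
    running, baseline = parse_config(running_text), parse_config(baseline_text)
    return {
        "unknown_users": sorted(u for u in running.users if u not in baseline.users),
        "known_attacker_users": sorted(u for u in running.users if u in KNOWN_ATTACKER_ACCOUNTS),
        "unknown_routes": sorted(running.routes - baseline.routes),
        "unknown_rules": sorted(running.rules - baseline.rules),
        # Management reachable from the WAN with no trusted-source restriction at all.
        "wan_mgmt_exposed": sorted(s for s, m in running.mgmt.items() if m["wan"] and not m["trusted"]),
    }


# Constructed sample exports (hypothetical addresses from documentation ranges).
BASELINE = """
user admin role admin
route 10.20.0.0/16 via 192.0.2.1
rule 1 LAN WAN any allow
rule 2 WAN ZyWALL IKE allow
mgmt http wan off
mgmt https wan off
"""

# Running config after the kind of tampering the advisory describes.
RUNNING = """
user admin role admin
user zyxel_sllvpn role admin
user zyxel_vpn_test role user
user helpdesk role user
route 10.20.0.0/16 via 192.0.2.1
route 172.16.0.0/12 via 198.51.100.7
rule 1 LAN WAN any allow
rule 2 WAN ZyWALL IKE allow
rule 3 WAN ZyWALL HTTPS allow
mgmt http wan off
mgmt https wan on
"""

# Hardened variant: WAN-side HTTPS kept, but only from one trusted source address.
HARDENED = BASELINE.replace("mgmt https wan off", "mgmt https wan on trusted 203.0.113.10/32")

if __name__ == "__main__":
    for key, value in audit(RUNNING, BASELINE).items():
        print(f"{key}: {value}")
    print("hardened wan_mgmt_exposed:", audit(HARDENED, BASELINE)["wan_mgmt_exposed"])
```

The baseline should be a config export taken before the device was ever exposed, stored off-box; a baseline pulled from a device that is already suspect will hide exactly the accounts and rules you are hunting for. Note that `wan_mgmt_exposed` only reports WAN management with no source restriction; a trusted-source list is still worth reviewing by hand, since an attacker with configuration access can add their own address to it.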


The attacks on Zyxel devices follow a series of similar attacks on a range of VPN devices, which give remote attackers a convenient entry point into a corporate network and a way to maintain persistent access. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned in April that attackers were targeting vulnerabilities in Pulse Connect Secure VPN appliances.

ZDNet has contacted Zyxel for comment and will update this story if it receives a response.
