Hackers are using unknown user accounts to target Zyxel firewalls and VPNs
Network device maker Zyxel is warning customers of active and ongoing attacks that are targeting a range of the company’s firewalls and other types of security appliances.
In an email, the company said that targeted devices included security appliances that have remote management or SSL VPN enabled, namely in the USG/ZyWALL, USG FLEX, ATP, and VPN series running on-premise ZLD firmware. The language in the email is terse, but it appears to say that the attacks target devices that are exposed to the Internet. When the attackers succeed in accessing the device, the email further appears to say, they are then able to connect to previously unknown accounts hardwired into the devices.
Batten down the hatches
“We’re aware of the situation and have been working our best to investigate and resolve it,” the email, which was posted to Twitter, said. “The threat actor attempts to access a device through WAN; if successful, they then bypass authentication and establish SSL VPN tunnels with unknown user accounts, such as ‘zyxel_silvpn,’ ‘zyxel_ts,’ or ‘zyxel_vpn_test,’ to manipulate the device’s configuration.”
It remains unclear if the weaknesses under attack are new or were previously known. Equally unclear is how many customers are under attack, what their geographical breakdown is, and if attacks are successfully compromising customer devices or simply attempting to do so.
In a statement issued later, Zyxel officials wrote:
Initially reported from users in Europe, Zyxel became aware of a sophisticated threat actor that attempts to access a subset of Zyxel security devices through the WAN in order to bypass authentication and establish SSL VPN tunnels with unknown user accounts. Zyxel is currently evaluating the attack vectors to determine whether this is a known or unknown vulnerability.
Zyxel has developed guidance to enable users to temporarily mitigate the security incident and contain the threat. A SOP was sent out to all registered users of USG/ZyWALL, USG FLEX, ATP, or VPN series devices. Zyxel is developing a firmware update to address user interface security practices as described in the SOP to reduce the attack surface.
The number of affected customers is unknown at this time because it appears that the devices being exploited have their web management publicly accessible and are not locked down.
Based on the vague details available so far, the vulnerability sounds reminiscent of CVE-2020-29583, which stemmed from an undocumented account with full administrative system rights that used the hardcoded password “PrOw!aN_fXp.” When Zyxel fixed the vulnerability in January, however, the account was listed as “zyfwp,” a name that doesn’t appear in the email Zyxel sent to customers this week.
In any event, the email said that the best way for customers to secure their Zyxel devices is to follow the guidelines published here. The guidelines contain generic advice such as configuring appliances using the lowest privileges possibile, patching devices, using two-factor authentication, and remaining wary of phishing attacks.
The email comes as firewalls, VPNs, and other devices used to secure networks have emerged as a key vector for hackers pushing ransomware- or espionage-motivated attacks. The appliances typically sit at the network perimeter to filter or block traffic moving into or out of the organization. Once breached, these devices often give attackers the ability to pivot to internal networks.
In the past few years, vulnerabilities in the Fortigate SSL VPN and the competing Pulse Secure SSL VPN have come under attack. Devices from Sonicwall have also been compromised through security vulnerabilities. The threats show how security appliances can actually make networks less secure when they’re not carefully locked down.