Zyxel Firewalls and VPN Servers: Victims of a New Cyberattack
Zyxel Is Currently Informing Its Clients on a New Cyberattack that Affected Zyxel Firewalls and VPN Servers. What Happened and How?
A new cyberattack has come to light. Zyxel, a Taiwanese manufacturer of network devices, alerted its customers by e-mail that its products are being targeted by threat actors. The attackers are focusing on Zyxel firewalls and VPN products.
Have Only Zyxel Firewalls and VPN Been Compromised?
A post shared on Twitter, containing the e-mail the company sent to its customers, lists the Zyxel products targeted by this new cyberattack: devices that are exposed to the internet. The attackers focus on devices that can be remotely managed or used for SSL VPN and that run ZLD firmware. These belong to the USG/ZyWALL, USG FLEX, ATP, and VPN series. The severity of the attack and the number of affected users have not been determined yet.
How Hackers Act
The Hacker News described, in a post on its website, the nature of the attack as reported by Zyxel. The threat actors operate in the following steps:
- They reach the appliance over the WAN interface and bypass the authentication steps;
- They create SSL VPN tunnels connected to user accounts unknown to the administrator;
- Examples of the account names used for these tunnels: ‘zyxel_vpn_test’, ‘zyxel_slIvpn’ or ‘zyxel_ts’;
- The goal: changing the device configuration.
Protection Measures Suggested
The same Twitter post mentions the measures the company’s customers should implement in the meantime. HTTP/HTTPS services should be disabled on the WAN interface unless WAN access is required for managing the appliance. If WAN management is mandatory, customers can take two steps: restrict management access to trusted IP addresses only, by configuring dedicated rules and applying Policy Control to incoming connections, and enable GeoIP filtering so that access is permitted only from trusted locations.
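As an added illustration of how a defender could check for the two signs described above (rogue SSL VPN accounts and management logins from outside the trusted IP ranges), here is a small log review script. It is not Zyxel’s own tooling, and the log line format, the trusted networks and the known-account list are constructed assumptions; only the three rogue account names come from the article.

```python
import ipaddress
import re

# Account names reported for the rogue SSL VPN tunnels (from the article).
SUSPECT_ACCOUNTS = {"zyxel_vpn_test", "zyxel_slIvpn", "zyxel_ts"}

# Assumption: the VPN accounts the administrator actually created.
KNOWN_ACCOUNTS = {"alice", "bob"}

# Assumption: source ranges allowed to reach the management interface,
# mirroring the "trusted IP addresses only" advice.
TRUSTED_MGMT = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed, hypothetical log layout (not Zyxel's real syslog format):
#   <event> user=<name> src=<ip>
LINE_RE = re.compile(r"^(?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample log for the demonstration.
SAMPLE_LOG = """\
sslvpn_login user=alice src=203.0.113.10
sslvpn_login user=zyxel_vpn_test src=198.51.100.7
mgmt_login user=admin src=203.0.113.20
mgmt_login user=admin src=192.0.2.99
sslvpn_login user=carol src=198.51.100.8
"""


def trusted(src):
    """True if the source address falls inside an allowed management range."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in TRUSTED_MGMT)


def review(log):
    """Return one finding string per suspicious log line, in log order."""
    findings = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not follow the assumed layout
        event, user, src = m.group("event", "user", "src")
        if event == "sslvpn_login":
            if user in SUSPECT_ACCOUNTS:
                findings.append(f"known rogue account {user} from {src}")
            elif user not in KNOWN_ACCOUNTS:
                findings.append(f"unknown VPN account {user} from {src}")
        elif event == "mgmt_login" and not trusted(src):
            findings.append(f"management login from untrusted {src}")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```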
Expected or not?
The threat actors must either be exploiting a previously known vulnerability on unpatched appliances or using a so-called zero-day attack that targets an unknown flaw. It is possible that the hardcoded admin-level backdoor account “zyfwp”, reported by ZDNet back in January and discovered by the Dutch security firm Eye Control, set a precedent. That account was also present in Zyxel firewalls and VPNs and gave attackers root-level access. Zyxel patched the vulnerability at the time. However, the method used by the cybercriminals, whether reusing old system flaws or starting from scratch, has not yet been confirmed.
The Record also noted that other vendors of enterprise firewalls and VPNs have been victims of such attacks in the past, among them Sophos, SonicWall, Pulse Secure, Palo Alto Networks, Citrix, Cisco, and Fortinet.
About the Company
Zyxel is headquartered in Hsinchu, Taiwan, and manufactures networking devices such as routers, switches, VPNs, firewalls, and many more. It started its activity back in 1992, when it developed the world’s first 3-in-1 modem (data, fax, voice).