Zyxel Warns Users of Attacks on Firewalls and VPN

Cyberattacks are on the increase, targeting all types of security devices. Given the recent attacks on global corporations, it’s high time that service providers and security experts improved security measures. There’s a need to identify potential loopholes in security networks and seal them to beat hackers at their game.

Zyxel security networks seem to be the latest target of cyberattacks. According to security researchers, hackers seem to focus their efforts on scanning vulnerable Zyxel products. These include VPN gateways, firewalls, and access point controllers. Researchers first disclosed a vulnerability in the company’s firmware in December.

They say that cybercriminals can exploit the vulnerability, a hard-coded backdoor account, to gain administrative rights and privileges. According to Eye Control, the Dutch security firm that discovered the flaw, the bug can affect 100,000 Zyxel products globally.

What Went Wrong

According to Zyxel, the undocumented account was created to deliver automatic firmware updates over FTP to connected access points. The plan was for wireless access points on the network to check for updates and call home to the local router.

The company says that the design sounds harmless on its face, since anything downloaded via FTP carries its own digital signature. However, the account meant for updating access points was still development code: it was intended for development builds rather than for release, yet it shipped in the production update framework.

Besides, an account used only for fetching firmware updates doesn't need login rights or admin access, although granting them may have been convenient during development and testing. The result was that an active, easy-to-abuse admin-level account shipped into the field.

Response by Zyxel

After the experts disclosed the vulnerability, Zyxel issued a warning to its customers concerning the threat actor's attempts to access devices through the WAN. If they are successful, they then bypass authentication and create SSL VPN tunnels with masked user accounts such as "zyxel_vpn_test," "zyxel_sllvpn," or "zyxel_ts" to manipulate the configuration of affected devices. This suggests that the hackers are relying on hard-coded accounts to gain remote access to devices. The company said that the threat actor's targets are:

  • USG Flex
  • USG/ZyWALL
  • VPN series devices supported by ZLD firmware
  • ATP

Zyxel reports that it took action immediately after it identified the incident. Based on the investigation that followed, the company advises users to maintain a proper security policy for remote access. By doing so, they can effectively defend themselves against the threat. To this effect, Zyxel released a guide for setting up a remote access policy.

It also released some patches on some of its products, urging users to apply them as soon as possible. However, the brand notes that a patch for the access controller products in the NXC series will not be available until April. Additionally, the company is working on a hotfix to mitigate the threat using further countermeasures.

Signs That Your Firewall is Affected

According to Zyxel, the following are potential signs that your systems are affected by the attack:

  • Traffic issues
  • Routing issues
  • VPN issues
  • Login issues
  • Password issues
  • Unknown configuration parameters

If your device is affected, one or more unexpected configuration changes will be present. Account names to look out for include manage, zyxel_ts, sslvpn_index, and zyxel_sllvpn. The attackers may also create masked firewall rules or set up unknown SSL VPN configurations.

If you find the above issues on your device, the best course of action is to delete all unknown admin and user accounts. You must also delete the attacker's firewall rule, policy route 1, and the SSL VPN setup group.
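As an added example (not from the article or from Zyxel), the following Python script audits an exported firewall configuration for the account names listed above and for any account or SSL VPN policy that falls outside an allowlist of approved users. The `username ... user-type` and `sslvpn policy ... user` line shapes, the allowlist and the sample export are assumptions constructed for this example, not a documented format.

```python
import re
from typing import Dict, List

# Account names the article reports as left behind by the attackers.
SUSPICIOUS_NAMES = {"manage", "zyxel_ts", "sslvpn_index", "zyxel_sllvpn", "zyxel_vpn_test"}
# Accounts you expect on the device (constructed allowlist; adjust to your own).
APPROVED_ACCOUNTS = {"admin", "netops"}

# Assumed line shapes for a config export (assumption, not a documented spec):
#   username <name> password <hash> user-type <admin|user|...>
#   sslvpn policy <n> ... user <name>
USER_RE = re.compile(r"^\s*username\s+(\S+)\s+.*user-type\s+(\S+)", re.I)
SSLVPN_USER_RE = re.compile(r"^\s*sslvpn\s+policy\s+(\d+)\b.*\buser\s+(\S+)", re.I)


def audit_config(config_text: str) -> Dict[str, List[str]]:
    """Group findings: known IoC names, accounts outside the allowlist,
    and SSL VPN policies bound to a user that is not on the allowlist."""
    findings = {"known_ioc_names": [], "unknown_accounts": [], "sslvpn_unknown_user": []}
    for line in config_text.splitlines():
        m = USER_RE.match(line)
        if m:
            name, utype = m.group(1), m.group(2)
            if name in SUSPICIOUS_NAMES:
                findings["known_ioc_names"].append(f"{name} ({utype})")
            elif name not in APPROVED_ACCOUNTS:
                findings["unknown_accounts"].append(f"{name} ({utype})")
            continue
        m = SSLVPN_USER_RE.match(line)
        if m and m.group(2) not in APPROVED_ACCOUNTS:
            findings["sslvpn_unknown_user"].append(f"policy {m.group(1)} -> {m.group(2)}")
    return findings


def is_compromised(findings: Dict[str, List[str]]) -> bool:
    """Any finding at all means the device needs the clean-up described above."""
    return any(findings.values())


# Constructed sample export; password hashes are placeholders.
SAMPLE_CONFIG = """\
username admin password $1$PLACEHOLDER user-type admin
username netops password $1$PLACEHOLDER user-type limited-admin
username zyxel_ts password $1$PLACEHOLDER user-type admin
username sslvpn_index password $1$PLACEHOLDER user-type user
username backup-svc password $1$PLACEHOLDER user-type admin
sslvpn policy 1 activate user zyxel_ts
sslvpn policy 2 activate user admin
"""

if __name__ == "__main__":
    for category, items in audit_config(SAMPLE_CONFIG).items():
        for item in items:
            print(f"[{category}] {item}")
```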

How to Protect Your Device from Further Attacks?

Zyxel recommends that you take the following steps to protect your device against further attacks:

1. Assess the Firewall Configuration

  • Allow only trusted source IP addresses in the rules from the WAN to the ZyWALL zone
  • Add a further restriction with the GEO IP Country feature so that only connections from your own location are allowed
  • Place a "deny" rule in a lower position to block all other untrusted connections from the WAN to ZyWALL.

2. Suggested Port Changes

Be careful with this step so that you don't lock yourself out of SSL VPN.

  • Change the HTTPS port to another one
  • Change the SSL VPN port to one that doesn’t overlap with the HTTPS GUI port.

3. You must change all your passwords on the system, especially the admin password. Some best practices for password creation include:

  • Use complex passwords that are not easy to guess. A strong password must have a mix of upper and lower-case letters, numbers, symbols, and special characters. It also must be a minimum of eight characters long.
  • Don’t use the same password for multiple accounts
  • Use a password manager to store your passwords. Avoid writing them down.
  • Avoid sharing your system passwords with others unless it’s necessary
  • Change your passwords periodically, and don’t recycle old ones
  • Don’t enable remote access unless your nature of work demands that you do so

4. Set up two-factor authentication: the importance of adding an extra layer of security to your login credentials can never be emphasized enough.

Other Warnings

The Multi-State Information Sharing and Analysis Center shared an alert in early January. It stated that enterprises and government agencies are at risk if they use Zyxel's security and networking products. No exploits have been noted so far.

However, a threat actor could be waiting for the opportune time to gain administrative access to a targeted network. Once inside, they will escalate privileges, allowing them to intercept traffic, change firewall settings, and create VPN accounts. This way, they will easily access the device network and all administrative functions. According to experts, the threat has a score of 7.8 out of 10 and is tracked as CVE-2020-29583. They rank it as a “high” severity flaw.

Final Thoughts

The attacks on Zyxel security devices come after a string of attacks on other VPN devices. Hackers have established a handy entry point to corporate networks through VPNs and firewalls using remote access points. This raises a concern about the level of security for the VPN and firewalls you use in your business.

Hackers are not only targeting large corporations, but small businesses in Canada as well. As such, review and evaluate the safety of your security networks, as a proactive measure towards protecting your systems. Working with a cybersecurity expert is the best way to ensure you do it right. At Pure IT, we specialize in helping businesses in Calgary and Southern Alberta reach their IT goals. Contact us today to book a consultation with our experts.
