October 9th, 2024.
The Zyxel EMEA team has been tracking recent activity by threat actors targeting Zyxel security appliances that were previously subject to vulnerabilities and whose admin passwords have not been changed since. Users are advised to update the passwords of ALL administrator and ALL user accounts for optimal protection.
Based on our investigation, the threat actors were able to steal valid credential information through the previous vulnerabilities. Where those credentials were not changed, the attackers can now create SSL VPN tunnels with temporary users such as “SUPPOR87”, “SUPPOR817” or “VPN”, and modify the security policies to give themselves access to the device and the network.
Affected Products
ATP and USG FLEX series devices in On-Premise mode that had remote management or SSL VPN enabled at any point in the past, and whose admin and user credentials have NOT been updated since.
The previous vulnerabilities affected firmware versions ZLD V4.32 to ZLD 5.38.
Those running the Nebula cloud management mode are NOT affected.
How to find out if your firewall is affected?
At the time of writing, a compromised firewall exhibits the following symptoms:
- SSL VPN connections from the users “SUPPORT87”, “SUPPOR817” or “VPN”, or from an existing VPN user you created whose credentials were compromised.
- Admin and SSL VPN user logins from unrecognized IP addresses. While most of the connections come from other parts of the world, we have seen hackers connecting from European countries, possibly through other VPN services.
- If SecuReporter is enabled for your device, its Activity and Logs view shows the attackers connecting with the admin credentials, then creating SSL VPN users and deleting them again after the VPN connection has been used.
- Security policies created or modified, opening access from ANY to ANY or from SSL VPN to ZyWALL and LAN, as well as opening WAN to LAN for existing NAT rules.
- In some cases where AD is used and its administrator credentials were also stolen, the hacker uses the SSL VPN connection to reach the AD server and encrypt files.
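As an added example that is not part of the Zyxel advisory, the following triage script applies the three log-visible symptoms above (logins by the listed temporary users, admin or SSL VPN logins from outside a trusted range, and accounts created and then deleted again) to exported log lines. The line format, the sample entries and the trusted network range are constructed for this example and are not Zyxel's actual syslog layout.

```python
import ipaddress
import re

# Constructed, simplified line format for this example (NOT Zyxel's real
# syslog layout): "<timestamp> <event> user=<account> src=<ip>", where
# event is admin-login, sslvpn-login, user-add or user-del.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$")
# Temporary account names quoted in the advisory (compared case-insensitively).
SUSPECT_USERS = {"SUPPORT87", "SUPPOR87", "SUPPOR817", "VPN"}
LOGIN_EVENTS = {"admin-login", "sslvpn-login"}


def parse_line(line):
    """Return the fields of one line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_indicators(lines, trusted_nets):
    """Return (timestamp, category, account) findings for the advisory's symptoms:
    a login by a listed temporary user, an admin/SSL VPN login from outside the
    trusted networks, and an account created and later deleted again."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    created = set()
    findings = []
    for rec in filter(None, map(parse_line, lines)):
        ts, event, user = rec["ts"], rec["event"], rec["user"]
        src = ipaddress.ip_address(rec["src"])
        if event in LOGIN_EVENTS and user.upper() in SUSPECT_USERS:
            findings.append((ts, "suspect-user", user))
        if event in LOGIN_EVENTS and not any(src in net for net in trusted):
            findings.append((ts, "untrusted-source", user))
        if event == "user-add":
            created.add(user)
        elif event == "user-del" and user in created:
            findings.append((ts, "transient-user", user))
    return findings


# Constructed sample log; 203.0.113.0/24 is a documentation-only range.
SAMPLE_LOG = """\
2024-10-01T08:00:01 admin-login user=admin src=192.168.1.10
2024-10-01T22:13:05 admin-login user=admin src=203.0.113.45
2024-10-01T22:13:40 user-add user=SUPPOR817 src=203.0.113.45
2024-10-01T22:14:02 sslvpn-login user=SUPPOR817 src=203.0.113.45
2024-10-01T23:30:11 user-del user=SUPPOR817 src=203.0.113.45
""".splitlines()
TRUSTED_NETS = ["192.168.1.0/24"]  # assumed management/LAN range

if __name__ == "__main__":
    for ts, category, user in find_indicators(SAMPLE_LOG, TRUSTED_NETS):
        print(f"{ts}  {category:<16} {user}")
```

Feed it lines converted from your own log export into the same four-field form and replace TRUSTED_NETS with the ranges your administrators and VPN users really connect from.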
What can you do if you find the above-mentioned points on your device?
- Fix Action: Upgrade your device to the LATEST firmware, 5.39, if it has not been upgraded yet.
- Fix Action: Change ALL passwords. Do NOT reuse any password used in the past:
  - ALL admin account passwords
  - ALL user account passwords, including local and Active Directory accounts
  - The pre-shared keys of your VPN settings (Remote Access and Site-to-Site VPN)
  - The administrator password on any external authentication server (AD server and RADIUS)
- Fix Action: Remove any unknown admin and user accounts that are still present.
- Fix Action: Force logout of users and admins that you do not recognize.
- Fix Action: Remove firewall rules that allow all access from the WAN, the SSL VPN zone or Any, unless they are intentional.
Best Practices for the Firewall Configuration
Review the Firewall configuration.
- Protect it with the GEO IP Country feature for your location: Setup Assistance
- Make sure all other untrusted connections from WAN to ZyWALL are caught by a "deny" rule positioned below the allow rules.
Port Changes
Note: Be careful. Modify the firewall rules first; if you are connected by SSL VPN yourself, the change will reconnect you. Don't lock yourself out.
- Change the HTTPS port to another port: Setup Assistance
- Change the SSL VPN port to another port that does not overlap with the HTTPS GUI port: Setup Assistance
Set up 2-factor login: Setup Assistance
Add a Private Encryption Key for your Configuration File