Search This Blog

Powered by Blogger.

Blog Archive

Labels

Zyxel Firewalls Targeted by Ransomware Gang Exploiting Vulnerability

The company has addressed these vulnerabilities with the release of firmware version 5.39.

 

Zyxel has issued a warning about a ransomware group exploiting a recently patched command injection vulnerability, identified as CVE-2024-42057, in its firewall devices. This flaw enables attackers to gain initial access to compromised systems.

The vulnerability allows remote, unauthenticated attackers to execute operating system commands on affected devices, posing a significant security risk.

Zyxel clarified in its advisory that the exploitation is possible only if the firewall is set up with User-Based-PSK authentication and a valid user has a username exceeding 28 characters.

“A command injection vulnerability in the IPSec VPN feature of some firewall versions could allow an unauthenticated attacker to execute some OS commands on an affected device by sending a crafted username to the vulnerable device,” the advisory states. “Note that this attack could be successful only if the device was configured in User-Based-PSK authentication mode and a valid user with a long username exceeding 28 characters exists.”

The company has addressed these vulnerabilities with the release of firmware version 5.39, applicable to the ATP, USG FLEX, and USG FLEX 50(W)/USG20(W)-VPN series firewalls.

Zyxel’s EMEA team has observed active exploitation of these vulnerabilities, urging users to immediately update administrator and user account passwords as a precautionary measure.

“The Zyxel EMEA team has been tracking the recent activity of threat actors targeting Zyxel security appliances that were previously subject to vulnerabilities. Since then, admin passwords have not been changed. Users are advised to update ALL administrators and ALL User accounts for optimal protection,” the company emphasized.

Their investigation revealed that attackers leveraged previously stolen credentials, which were not updated, to create unauthorized SSL VPN tunnels using accounts like "SUPPOR87" and "VPN," altering security policies to gain access to the network.

Sekoia, a cybersecurity firm, detailed how the Helldown ransomware group has exploited Zyxel firewalls to gain entry into targeted organizations, aligning with typical ransomware strategies.

“All of this evidence strongly suggests that Zyxel firewalls have been targeted by Helldown. Details about post-compromise activities indicate that, in at least one intrusion, the attacker’s tactics align with typical ransomware methods,” Zyxel noted.

Users are strongly advised to upgrade to the latest firmware and temporarily disable remote access to potentially vulnerable firewalls to mitigate risks effectively.
Share it:

CVE-2024-42057

cybersecurity updates

firmware upgrade

Ransomware attack

remote access security

Vulnerabilities and Exploits

Zyxel firewalls