Helldown Ransomware Outfit Linked to Zyxel Firewall Exploits

Zyxel firewalls have become a common target in recent attacks, with attackers exploiting a critical flaw to deploy the Helldown ransomware. The German CERT (CERT-Bund) has published a warning alongside Zyxel, highlighting the scope of these attacks and the immediate steps that organisations must take to secure their network devices.
 
The attacks are linked to a vulnerability in the Zyxel ZLD firmware, CVE-2024-11667, which affects the Zyxel ATP and USG FLEX firewall series. Five German businesses are believed to have been targeted in these attacks, highlighting the growing risk of leaving such vulnerabilities unpatched.
 
The root cause is CVE-2024-11667, a directory traversal vulnerability in the Zyxel ZLD firmware (versions 4.32 to 5.38). The flaw allows attackers to bypass security controls and upload or download files by sending specially crafted URLs.
 
Cybercriminals can exploit this flaw to gain unauthorised system access, steal credentials, and establish backdoor VPN connections, sometimes without network administrators' knowledge. The devices most at risk are those running ZLD firmware versions 4.32 to 5.38 with remote management or SSL VPN enabled. Importantly, this vulnerability does not affect devices managed through the Nebula cloud management system.
 

Rise of Helldown Ransomware 

 
Helldown ransomware, first discovered in August 2024, has quickly grown into a serious threat that exploits CVE-2024-11667 to target susceptible Zyxel firewalls. Helldown, which evolved from the infamous LockBit ransomware builder, employs sophisticated techniques to breach networks and move laterally, often with the goal of encrypting valuable data and disrupting operations. 
 
Helldown's leak site currently lists 32 victims globally, including five organisations in Germany, according to CERT-Bund. The ransomware's use of this vulnerability is particularly concerning because even patched systems remain exposed if attackers can still log in with previously compromised administrator credentials.
 

Modus operandi 

 
The primary attack vector is exploitation of CVE-2024-11667 to obtain initial access to the target systems. Once inside, attackers commonly follow up with post-exploitation activity, including creating unauthorised user accounts such as "SUPPORT87" and "SUPPOR817".
 
These accounts serve as persistent backdoors that keep network access open after the initial breach and facilitate lateral movement within the network. The consequences are serious: companies have reported data exfiltration, encryption of critical documents, and operational disruption, usually accompanied by a ransom demand to unlock the files.
 
Researchers recommend that organisations using Zyxel firewalls act swiftly to detect and remediate any compromise by reviewing VPN logs, inspecting SecuReporter for suspicious activity, and reviewing firewall rules. Remediation consists of updating to ZLD 5.39, changing passwords, removing unauthorised accounts, and tightening security settings.
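As an added example (not from the original post, Zyxel or CERT-Bund), the following Python audit applies the checks described above to a firewall inventory: it flags devices whose ZLD version falls in the affected 4.32 to 5.38 range (skipping Nebula-managed units), notes whether remote management or SSL VPN exposes them, and reports the rogue account names named in the post as well as any local account missing from an approved baseline. The inventory rows and the "V5.38(ABUI.0)" version-string format are constructed assumptions; adapt the parser to whatever your export actually contains.

```python
import re
from dataclasses import dataclass, field

# Affected ZLD range and fixed release as stated in the post above.
AFFECTED_MIN, AFFECTED_MAX, FIXED = (4, 32), (5, 38), (5, 39)
# Account names the post reports attackers creating for persistence.
KNOWN_ROGUE_ACCOUNTS = {"SUPPORT87", "SUPPOR817"}
@dataclass
class Firewall:                 # one row of a constructed asset inventory
    name: str
    firmware: str               # e.g. "V5.38(ABUI.0)"; this string format is an assumption
    remote_mgmt: bool           # WAN-side management enabled
    ssl_vpn: bool
    nebula_managed: bool
    local_users: set = field(default_factory=set)

def parse_zld_version(firmware: str):
    """Return (major, minor) or None. Tuples, not floats: 5.4 must not sort above 5.38."""
    m = re.match(r"^V?(\d+)\.(\d+)", firmware.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None

def audit(fw: Firewall, approved_users: set) -> list:
    """Flag devices in the affected range (unless Nebula-managed) and suspicious local accounts."""
    findings = []
    ver = parse_zld_version(fw.firmware)
    if ver is None:
        findings.append(f"unparseable firmware version {fw.firmware!r}")
    elif not fw.nebula_managed and AFFECTED_MIN <= ver <= AFFECTED_MAX:
        exposure = "exposed" if (fw.remote_mgmt or fw.ssl_vpn) else "not exposed"
        findings.append(f"firmware {fw.firmware} in affected range, {exposure}; update to {FIXED[0]}.{FIXED[1]}")
    rogue = {u for u in fw.local_users if u.upper() in KNOWN_ROGUE_ACCOUNTS}
    unknown = fw.local_users - approved_users - rogue
    if rogue:
        findings.append(f"known rogue account(s): {sorted(rogue)}")
    if unknown:
        findings.append(f"unapproved account(s): {sorted(unknown)}")
    return findings

def audit_inventory(inventory, approved_users):
    return {fw.name: audit(fw, approved_users) for fw in inventory}

APPROVED = {"admin", "netops"}
SAMPLE = [  # constructed sample data, not real devices
    Firewall("branch-fw1", "V5.38(ABUI.0)", True, True, False, {"admin", "netops", "SUPPORT87"}),
    Firewall("hq-fw1", "V5.39(ABUI.0)", True, True, False, {"admin", "netops"}),
    Firewall("lab-fw", "V4.31(ABFW.0)", False, False, False, {"admin"}),
    Firewall("nebula-fw", "V5.37(ABUI.0)", True, False, True, {"admin", "backup_svc"}),
]
if __name__ == "__main__":
    for name, f in audit_inventory(SAMPLE, APPROVED).items():
        print(name, "->", f or ["ok"])
```

The account check runs even for Nebula-managed devices, since rogue accounts are worth finding regardless of how the unit is managed.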