Helldown Ransomware Targets Zyxel VPN Vulnerability to Infiltrate Networks

November 19, 2024

The 'Helldown' ransomware operation is believed to be exploiting vulnerabilities in Zyxel firewalls to infiltrate corporate networks, steal data, and encrypt devices. This is reported by the French cybersecurity firm Sekoia with a moderate level of confidence, based on recent observations of Helldown attacks. Although not a major player in the ransomware arena, Helldown has quickly expanded since its inception over the summer, listing numerous victims on its data extortion portal.

Helldown was first identified by Cyfirma on August 9, 2024, and then again by Cyberint on October 13, with both providing brief overviews of the new ransomware operation. The first report of a Linux variant of the Helldown ransomware targeting VMware files was made by 360NetLab security researcher Alex Turing on October 31. This Linux variant contains code to enumerate and kill running VMs so that their disk images can be encrypted, but those functions are only partially invoked, suggesting that it is still under development.

Sekoia reports that the Windows version of Helldown is based on the leaked LockBit 3 builder and has operational similarities to Darkrace and Donex. However, no definitive link could be established based on the evidence available. As of November 7, 2024, the threat group listed 31 victims on its recently updated extortion portal, primarily small and medium-sized firms based in the United States and Europe. As of today, the number has decreased to 28, potentially indicating that some have paid a ransom.

Sekoia notes that Helldown is less selective about the data it steals than groups with more efficient tactics, publishing large data packs on its website, one of them reaching 431GB. One of the victims listed is Zyxel Europe, a provider of networking and cybersecurity solutions. The group's encryption tooling does not appear to be very advanced: the threat actors use batch files to terminate tasks rather than integrating that functionality directly into the malware.

During the encryption process, the threat actors generate a random victim string, such as 'FGqogsxF,' which is used as the extension for encrypted files. The ransom note also incorporates this victim string in its filename, like 'Readme.FGqogsxF.txt'. Using the Zyxel Europe listing as a lead, Sekoia discovered that at least eight victims listed on the Helldown website were using Zyxel firewalls as IPSec VPN access points at the time of their breach.
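The naming convention above is enough to build a quick triage check for a file share or a forensic image: find ransom notes of the form 'Readme.<string>.txt', take the string, and count files carrying it as their final extension. The script below is an added example, not Sekoia's or Helldown's code; the 6-to-12-character length range in the regex and the constructed file listing are assumptions, since the article only shows the single 8-character string 'FGqogsxF'.

```python
import re
from collections import Counter

# Helldown drops its ransom note as "Readme.<victim string>.txt" and appends the
# same random victim string as the extension of every file it encrypts. The
# length range (6 to 12 alphanumerics) is an assumption for the regex; the
# article only shows one 8-character example, 'FGqogsxF'.
NOTE_RE = re.compile(r"^Readme\.([A-Za-z0-9]{6,12})\.txt$")


def basename(path):
    """Last path component, accepting both '/' and '\\' separators."""
    return re.split(r"[\\/]", path)[-1]


def find_victim_strings(paths):
    """Collect candidate victim strings from ransom-note filenames."""
    found = set()
    for p in paths:
        m = NOTE_RE.match(basename(p))
        if m:
            found.add(m.group(1))
    return found


def count_encrypted(paths, victim_strings):
    """Count files per victim string whose final extension is that string,
    ignoring the ransom notes themselves."""
    counts = Counter()
    for p in paths:
        name = basename(p)
        if NOTE_RE.match(name) or "." not in name:
            continue
        ext = name.rsplit(".", 1)[1]
        if ext in victim_strings:
            counts[ext] += 1
    return counts


def triage(paths):
    """Map each victim string found in a ransom note to the number of files
    carrying it as an extension. An empty dict means no Helldown pattern."""
    victims = find_victim_strings(paths)
    counts = count_encrypted(paths, victims)
    return {v: counts.get(v, 0) for v in victims}


# Constructed file listing (not from a real incident) mixing encrypted files,
# the ransom note, and unaffected files.
SAMPLE_LISTING = [
    r"C:\Shares\Finance\Q3-report.xlsx.FGqogsxF",
    r"C:\Shares\Finance\Readme.FGqogsxF.txt",
    r"C:\Shares\Finance\budget.docx.FGqogsxF",
    r"C:\Shares\HR\Readme.FGqogsxF.txt",
    r"C:\Shares\HR\payroll.csv.FGqogsxF",
    r"C:\Shares\HR\notes.txt",
    r"C:\Shares\Public\Readme.txt",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```

Feeding it a listing from `dir /s /b` or a `find` run is enough to get the victim string and the blast radius in one pass; a plain 'Readme.txt' without the random string does not match, so ordinary readme files do not create false positives.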

Sekoia also noticed a report from Truesec dated November 7 that mentions the use of a malicious account named 'OKSDW82A' in Helldown attacks and a configuration file ('zzz1.conf') used in an attack targeting MIPS-based devices, possibly Zyxel firewalls. The threat actors used this account to establish a secure connection via SSL VPN into the victims' networks, access domain controllers, move laterally, and disable endpoint defenses.

By digging deeper, Sekoia found posts on the Zyxel forums describing the same suspicious user account 'OKSDW82A' and the configuration file 'zzz1.conf'; the administrators reporting them said their devices were running firmware version 5.38. Based on that version, Sekoia's researchers theorize that Helldown may be exploiting CVE-2024-42057, a command injection in the IPSec VPN feature that allows an unauthenticated attacker to execute OS commands by supplying a crafted, overly long username when the device is configured in User-Based-PSK mode. Zyxel fixed the issue on September 3 with the release of firmware version 5.39. Since no details of the exploitation have been published, Helldown is suspected of having access to private n-day exploits.
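The three facts in the passages above (firmware below 5.39 is unpatched for CVE-2024-42057, the injection needs User-Based-PSK mode, and the account 'OKSDW82A' and file 'zzz1.conf' are indicators) translate directly into a hunting check over a firewall inventory. The following is an added example, not code from Sekoia, Truesec or Zyxel; the inventory record layout, the firmware string format "V5.38(ABPS.0)" and the device names are assumptions.

```python
import re

# Indicators reported by Truesec and in the Zyxel forum posts.
IOC_ACCOUNT = "OKSDW82A"
IOC_CONFIG = "zzz1.conf"
# Firmware 5.39 shipped the fix for CVE-2024-42057; anything older is unpatched.
FIXED_VERSION = (5, 39)

# Assumption: firmware strings look like "V5.38(ABPS.0)"; only the leading
# major.minor pair is compared, as a tuple so that "5.4" never sorts above "5.38".
VERSION_RE = re.compile(r"V?(\d+)\.(\d+)")


def parse_version(firmware):
    m = VERSION_RE.search(firmware)
    if not m:
        raise ValueError(f"unrecognised firmware string: {firmware!r}")
    return int(m.group(1)), int(m.group(2))


def assess(device):
    """Return a list of findings for one firewall record (empty means nothing found).
    The IOC checks run regardless of version: a device patched after the
    intrusion still carries the planted account or file."""
    findings = []
    if parse_version(device["firmware"]) < FIXED_VERSION:
        findings.append(f"firmware {device['firmware']} predates 5.39: CVE-2024-42057 unpatched")
        if device.get("ipsec_auth") == "User-Based-PSK":
            findings.append("IPSec VPN uses User-Based-PSK, the mode the command injection requires")
    if IOC_ACCOUNT in device.get("local_users", []):
        findings.append(f"suspicious account {IOC_ACCOUNT} present")
    if IOC_CONFIG in device.get("config_files", []):
        findings.append(f"suspicious config file {IOC_CONFIG} present")
    return findings


def hunt(inventory):
    """Return {device name: findings} for every device with at least one finding."""
    results = {}
    for device in inventory:
        findings = assess(device)
        if findings:
            results[device["name"]] = findings
    return results


# Constructed inventory for illustration; these are not real devices.
SAMPLE_INVENTORY = [
    {"name": "fw-paris-01", "firmware": "V5.38(ABPS.0)", "ipsec_auth": "User-Based-PSK",
     "local_users": ["admin", "OKSDW82A"], "config_files": ["startup-config.conf", "zzz1.conf"]},
    {"name": "fw-berlin-01", "firmware": "V5.39(ABPS.0)", "ipsec_auth": "User-Based-PSK",
     "local_users": ["admin"], "config_files": ["startup-config.conf"]},
    {"name": "fw-lyon-01", "firmware": "V5.37(ABUJ.0)", "ipsec_auth": "Certificate",
     "local_users": ["admin"], "config_files": ["startup-config.conf"]},
    {"name": "fw-rome-01", "firmware": "V5.39(ABPS.0)", "ipsec_auth": "Pre-Shared-Key",
     "local_users": ["admin", "OKSDW82A"], "config_files": ["startup-config.conf"]},
]

if __name__ == "__main__":
    for name, findings in hunt(SAMPLE_INVENTORY).items():
        print(name)
        for f in findings:
            print("  -", f)
```

The 'fw-rome-01' record is the case worth noticing: it is on the fixed firmware, yet the planted account is still there, which is why the indicator checks must not be gated on the version check.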

Additionally, Sekoia discovered a payload uploaded to VirusTotal from Russia between October 17 and 22, although the submission was incomplete. 'It contains a base64-encoded string which, when decoded, reveals an ELF binary for the MIPS architecture,' explains Sekoia researcher Jeremy Scion. 'The payload, however, appears to be incomplete. Sekoia assess with medium confidence this file is likely connected to the previously mentioned Zyxel compromise.' Questions were sent to Zyxel regarding these attacks, but there has been no response as of yet.
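Two of the observations in the quote above, that the decoded blob is a MIPS ELF and that it is incomplete, can be checked from the ELF file header alone: the e_machine field identifies the architecture, and the program and section header table offsets tell you how long the file must be at minimum. The triage script below is an added example and not Sekoia's tooling; the sample blob it parses is a constructed ELF32 big-endian MIPS header deliberately cut off after 20 bytes of body, not the real VirusTotal submission.

```python
import base64
import struct

EM_MIPS = 8
MACHINE_NAMES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def decode_base64_loose(text):
    """Decode base64 that may have lost line breaks or trailing padding."""
    s = "".join(text.split())
    s += "=" * (-len(s) % 4)
    return base64.b64decode(s)


def looks_like_elf(b64_text):
    """True if the decoded payload starts with the ELF magic."""
    return decode_base64_loose(b64_text)[:4] == b"\x7fELF"


def parse_elf_header(blob):
    """Parse the ELF file header; raises ValueError if this is not an ELF image."""
    if len(blob) < 16 or blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = blob[4], blob[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    # ELF32 uses 32-bit e_entry/e_phoff/e_shoff (52-byte header), ELF64 64-bit ones (64 bytes).
    fmt = endian + ("HHIIIIIHHHHHH" if ei_class == 1 else "HHIQQQIHHHHHH")
    hdr_size = 16 + struct.calcsize(fmt)
    if len(blob) < hdr_size:
        raise ValueError("ELF header itself is truncated")
    (e_type, e_machine, _ver, e_entry, e_phoff, e_shoff, _flags, _ehsize,
     e_phentsize, e_phnum, e_shentsize, e_shnum, _shstrndx) = struct.unpack(fmt, blob[16:hdr_size])
    # A complete file must at least reach the end of both header tables.
    expected_min = max(hdr_size, e_phoff + e_phnum * e_phentsize, e_shoff + e_shnum * e_shentsize)
    return {
        "class": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "machine": MACHINE_NAMES.get(e_machine, f"unknown({e_machine})"),
        "type": e_type,
        "entry": e_entry,
        "size": len(blob),
        "expected_min_size": expected_min,
        "truncated": len(blob) < expected_min,
    }


def triage(b64_text):
    """Decode a base64 string and summarise the ELF it contains."""
    return parse_elf_header(decode_base64_loose(b64_text))


def _build_sample():
    """Constructed ELF32 big-endian MIPS header (ET_EXEC) claiming two 32-byte
    program headers at offset 52, followed by only 20 bytes, so the program
    header table is cut off. Not a real sample from the incident."""
    ident = b"\x7fELF" + bytes([1, 2, 1, 0]) + b"\x00" * 8
    hdr = struct.pack(">HHIIIIIHHHHHH", 2, EM_MIPS, 1, 0x00400000, 52, 0, 0x1007,
                      52, 32, 2, 40, 0, 0)
    return ident + hdr + b"\x00" * 20


SAMPLE_B64 = base64.b64encode(_build_sample()).decode()
# Same header padded out to the end of the program header table (116 bytes).
SAMPLE_COMPLETE_B64 = base64.b64encode(_build_sample() + b"\x00" * 44).decode()

if __name__ == "__main__":
    print(triage(SAMPLE_B64))
```

The truncation test is deliberately conservative: it only proves a file is too short to hold the tables its own header advertises, so a payload that passes it can still be cut off inside a segment; for that you would compare each program header's p_offset + p_filesz against the file size in the same way.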
