Zyxel Firewalls Exploited in Recent Ransomware Attacks

November 25, 2024

Zyxel, a network hardware manufacturer, has alerted users about a ransomware gang that has been exploiting a recently patched command injection vulnerability in its firewalls. The vulnerability, referred to as CVE-2024-42057, allows remote, unauthenticated attackers to execute OS commands on vulnerable devices. However, the attack is only possible under certain conditions: the device must be configured to use User-Based-PSK authentication and have a valid user with a username longer than 28 characters.

The company's advisory stated, “A command injection vulnerability in the IPSec VPN feature of some firewall versions could allow an unauthenticated attacker to execute some OS commands on an affected device by sending a crafted username to the vulnerable device.” The advisory further noted that the attack could only be successful if the device was configured in User-Based-PSK authentication mode and a valid user with a long username exceeding 28 characters exists.

To address these vulnerabilities, Zyxel released firmware version 5.39 for ATP, USG FLEX, and USG FLEX 50(W)/USG20(W)-VPN series. The company's EMEA team reported that threat actors are targeting vulnerable Zyxel security appliances and urged users to update admin and user account passwords for optimal protection.

An update published by the company stated, “The Zyxel EMEA team has been tracking the recent activity of threat actors targeting Zyxel security appliances that were previously subject to vulnerabilities. Since then, admin passwords have not been changed. Users are advised to update ALL administrators and ALL User accounts for optimal protection.” The company's investigation revealed that the threat actors had stolen valid credentials through earlier vulnerabilities, and because those credentials were never changed, the attackers were able to create SSL VPN tunnels with temporary users and modify the security policies to gain access to the device and the network behind it.

Cybersecurity firm Sekoia recently detailed a series of attacks carried out by the Helldown ransomware gang. The experts speculate that the ransomware group targeted Zyxel firewalls to gain initial access to the target organizations. The report published by Zyxel stated, “All of this evidence strongly suggests that Zyxel firewalls have been targeted by Helldown. Details about post-compromise activities indicate that, in at least one intrusion, the attacker’s tactics align with typical ransomware methods.”

The company recommends that users upgrade to the patched firmware immediately and also suggests temporarily disabling remote access to vulnerable firewalls for added protection against such attacks.
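As an added defender-side example (not code from the article or from Zyxel), the following Python triage script encodes the preconditions stated above: an affected series running firmware older than 5.39, IPSec VPN in User-Based-PSK mode, and a valid user whose username exceeds 28 characters. The inventory format, device names, and usernames are constructed for the example.

```python
# Added example: exposure triage for the CVE-2024-42057 preconditions stated above.
# Inventory records below are constructed for this example (not a Zyxel export
# format); device names and usernames are fictitious.
from dataclasses import dataclass, field

FIXED_VERSION = (5, 39)                           # firmware release that carries the fix
AFFECTED_PREFIXES = ("ATP", "USG FLEX", "USG20")  # ATP, USG FLEX, USG FLEX 50(W)/USG20(W)-VPN
MAX_SAFE_USERNAME_LEN = 28                        # exploitation needs a username longer than this

@dataclass
class Device:
    name: str
    model: str             # e.g. "USG FLEX 100"
    firmware: str          # e.g. "5.38"
    ipsec_auth_mode: str   # e.g. "User-Based-PSK" or "Certificate"
    users: list[str] = field(default_factory=list)

def parse_version(version: str) -> tuple[int, ...]:
    """'5.38' -> (5, 38); a build suffix such as '5.39-p1' is ignored."""
    return tuple(int(part) for part in version.split("-")[0].split("."))

def triage(dev: Device) -> dict:
    """Evaluate the three stated preconditions and return a verdict for one device."""
    affected_model = dev.model.upper().startswith(AFFECTED_PREFIXES)
    unpatched = affected_model and parse_version(dev.firmware) < FIXED_VERSION
    user_psk = dev.ipsec_auth_mode.replace("_", "-").lower() == "user-based-psk"
    long_users = [u for u in dev.users if len(u) > MAX_SAFE_USERNAME_LEN]
    if unpatched and user_psk and long_users:
        verdict = "EXPOSED: upgrade to 5.39 now and rotate ALL admin and user passwords"
    elif unpatched:
        verdict = "UPGRADE: below 5.39 (injection preconditions not currently met)"
    else:
        verdict = "OK"
    return {"name": dev.name, "unpatched": unpatched, "user_psk": user_psk,
            "long_usernames": long_users, "verdict": verdict}

INVENTORY = [  # constructed, fictitious devices and accounts
    Device("fw-branch-1", "USG FLEX 100", "5.38", "User-Based-PSK",
           ["alice", "contractor-remote-site-vpn-account-01"]),  # 37-char username
    Device("fw-branch-2", "ATP200", "5.38", "Certificate", ["bob"]),
    Device("fw-hq", "USG FLEX 500", "5.39", "User-Based-PSK", ["x" * 40]),
]

def triage_all(inventory=INVENTORY) -> list[dict]:
    """Triage every device; callers can act on the 'verdict' field."""
    return [triage(d) for d in inventory]

if __name__ == "__main__":
    for r in triage_all():
        print(f"{r['name']}: {r['verdict']}")
```

A device that is merely below 5.39 still gets an upgrade verdict, since the password-rotation advice above applies regardless of whether the injection preconditions currently hold.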
