Sophisticated Hackers Are Targeting These Zyxel Firewalls And VPNs

Zyxel, a manufacturer of enterprise routers and VPN devices, has issued an alert that attackers are targeting its devices and changing configurations to gain remote access to a network. 

In a new support note, the company said that a "sophisticated threat actor" was targeting Zyxel security appliances with remote management or SSL VPN enabled. 

The attacks affect organizations using Unified Security Gateway (USG), ZyWALL, the USG FLEX combined firewall and VPN gateway, Advanced Threat Protection (ATP) firewalls, and VPN series devices running its ZLD firmware.  


"The threat actor attempts to access a device through WAN; if successful, they then bypass authentication and establish SSL VPN tunnels with unknown user accounts, such as "zyxel_sllvpn", "zyxel_ts", or "zyxel_vpn_test", to manipulate the device's configuration. We took action immediately after identifying the incident," Zyxel noted.

This seems to suggest that the attackers are using hardcoded accounts to access the devices remotely. 

Earlier this year, researchers found a hardcoded admin backdoor account in one of Zyxel's firmware binaries, which left 100,000 internet-exposed firewalls and VPNs.

Zyxel notes that a firewall may be affected if users experience problems accessing the VPN, or routing, traffic or login issues. Other signs include unknown configuration parameters and password problems.

Zyxel warns admins to delete all unknown admin and user accounts that have been created by the attackers. It also advises them to delete unknown firewall rules and routing policies. 

Via Ars Technica, a Zyxel customer posted the company's disclosure email on Twitter.

"Based on our investigation so far, we believe maintaining a proper security policy for remote access is currently the most effective way to reduce the attack surface," Zyxel said. 

It recommends disabling HTTP and HTTPS services on the WAN side. For those who need to manage devices from the WAN side, it recommends restricting access to trusted source IP addresses and enabling GeoIP filtering. It also emphasizes that admins need to change passwords and set up two-factor authentication.


The attacks on Zyxel devices follow a string of similar attacks on a range of VPN devices, which make a handy entry point into a corporate network for remote attackers seeking persistent access. The US Cybersecurity and Infrastructure Security Agency warned in April that attackers were targeting vulnerabilities in Pulse Secure Connect VPNs.

ZDNet has contacted Zyxel for comment and will update this story if it receives a response. 
