Addressing the Recent Security Threat Targeting Zyxel Products
Does your organization use any of the Zyxel security appliances or VPN devices? If the answer is YES, this post is for you. The network device manufacturer has recently reported widespread exploitation of its products by threat actors, causing a bit of tension among its customers. In particular, the most targeted organizations are those using Zyxel Unified Security Gateway (USG) & ZyWALL, USG FLEX, ATP, and VPN series.
We’ve prepared this eye-opener post to answer the following critical security questions regarding Zyxel devices:
- How do threat actors attempt to access Zyxel devices?
- How can you tell if your firewall has been compromised?
- What actions should you take when you notice a security breach on your Zyxel device?
So let’s get this show on the road, shall we?
How are Threat Actors Attempting to Illegitimately Access Zyxel Firewalls and VPNs?
Zyxel firewalls and VPNs have been under active cyberattack, with threat actors mainly targeting organizations whose devices have remote management or SSL VPN enabled on the WAN side. The company notes that it discovered a critical vulnerability in its ZLD firmware, which the threat actors have been leveraging to compromise the targeted devices. Until the vulnerability is fully fixed, attackers can be expected to keep trying to access the targeted devices in these two ways:
Using Hard-Coded Accounts
The recent trends suggest that attackers are using hard-coded accounts to access Zyxel devices remotely. As you may be aware, these devices usually contain hard-coded credentials such as cryptographic keys and passwords, which are necessary for the encryption of internal data, outbound communication with external components, and inbound authentication.
Unfortunately, these credentials can create a significant loophole, which cybercriminals can leverage to bypass the authentication configured by the administrator. Even worse, these loopholes can be challenging to detect, and if you manage to uncover them, fixing them becomes another headache. At this point, the admin is usually forced to disable the device altogether.
Here’s a clearer picture of how hard-coded accounts let attackers access Zyxel devices illegitimately:
- A default administrator account is built into the device, with a simple password for that account hard-coded into the firmware.
- That hard-coded password is the same on every installation of the device.
- The administrator can’t change or remove it without modifying the program or patching the software.
- Anyone who discovers the password (or finds it published on the internet) can access the targeted device without difficulty.
- Worst of all, since every installation (even across different organizations) shares the same password, a single leak paves the way for attacks at scale.
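To make the weakness in the list above concrete, here is an added example (not Zyxel’s firmware code, and not taken from the post) that contrasts a built-in maintenance account with a compiled-in password against the hardened alternative: a credential generated per device at provisioning time, stored only as a salted hash, and rotatable by the administrator. The account name `support`, its password and the `provision_device` routine are all constructed for the illustration.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# --- Weak design (constructed illustration, not any vendor's real code) -----
# A maintenance account whose password is baked into the firmware image. Every
# unit built from this image shares it, and an administrator cannot change it
# from the UI because it never lives in the device's configuration store.
BUILTIN_SUPPORT_USER = "support"        # constructed example account
BUILTIN_SUPPORT_PASSWORD = "Pr0d@dm1n"  # constructed example secret


def authenticate_weak(configured_users: Dict[str, str], username: str, password: str) -> bool:
    """Checks the admin-configured accounts first, then the hidden built-in one."""
    if username in configured_users and hmac.compare_digest(configured_users[username], password):
        return True
    # The back door: still succeeds after the admin has changed every password.
    return username == BUILTIN_SUPPORT_USER and hmac.compare_digest(password, BUILTIN_SUPPORT_PASSWORD)


# --- Hardened design --------------------------------------------------------
# Credentials are created per device when it is provisioned, stored only as
# salted PBKDF2 hashes in that device's own configuration, and can be rotated.
def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Returns (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def provision_device() -> Tuple[Dict[str, Tuple[bytes, bytes]], str]:
    """Creates a unique initial admin password for this unit; nothing is shared across units."""
    initial_password = secrets.token_urlsafe(16)
    store = {"admin": hash_password(initial_password)}
    return store, initial_password


def authenticate_hardened(store: Dict[str, Tuple[bytes, bytes]], username: str, password: str) -> bool:
    """Verifies against the device-local store only; there is no second, hidden path."""
    record = store.get(username)
    if record is None:
        # Unknown user: still run a hash so timing does not reveal valid usernames.
        hash_password(password, b"\x00" * 16)
        return False
    salt, expected = record
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def rotate_password(store: Dict[str, Tuple[bytes, bytes]], username: str, new_password: str) -> None:
    """The administrator can replace any credential, including the initial one."""
    store[username] = hash_password(new_password)
```

Two properties matter here: `provision_device()` yields a different password on every unit, so a leak from one device does not open the rest, and `authenticate_hardened()` has no path that bypasses the administrator’s configuration store.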
Leveraging the Wide Area Network (WAN)
In a statement to its customers, Zyxel notes, “the threat actor attempts to access a device through WAN; if successful, they then bypass authentication and establish SSL VPN tunnels with unknown user accounts, such as ‘zyxel_sllvpn,’ ‘zyxel_ts,’ or ‘zyxel_vpn_test,’ to manipulate the device’s configuration.”
The network device manufacturer further states that it took immediate action to identify the vulnerability, advising its customers to implement and maintain appropriate security policies for remote access to defend against the threat. To reaffirm its commitment to recovering from the recently unearthed vulnerabilities, Zyxel has released this mitigation SOP to guide clients through setting up a remote access policy.
What’s more, the company is currently working on a hotfix and mitigation firmware with more advanced countermeasures to seal all the loopholes used by threat actors to access the devices.
How Can You Tell If Your Firewall has been Compromised?
Earlier, we listed the Zyxel products most affected by these attacks. But how do you know whether your organization’s own devices have been compromised? Here are some signs to watch out for:
- Issues with the VPN, passwords, logins, routing, or traffic
- One or more configuration changes you did not make, such as:
  - Unknown admin accounts being created
  - Unknown policy routes being created
  - New security policies or firewall rules appearing
  - Unknown SSL VPNs being set up
What Actions Should You Take When You Notice a Security Breach on Your Zyxel Device?
If you notice any of the discrepancies mentioned above on any of your devices, Zyxel recommends that you take the following actions immediately:
Contact the Zyxel Support Team
Reporting all your affected devices to the Support Team should be your first course of action after detecting a security breach. The team will then direct you on how to repair the affected device. And the best part? They also offer remote sessions via TeamViewer to provide further assistance.
Repair the Device
Below are a few simple remediation actions you can take to repair your affected device and hopefully shield it against further attacks:
- Delete all unknown user and administrator accounts
- Delete the firewall rule showing “loseang” in the description
- Delete the policy route 1 if the conditions match
- Delete the SSL VPN setup for group/user
Protect the Device
After repairing your device by deleting all the unknown accounts, VPNs, firewall rules, and policy routes, it’s time to protect it from further breaches. You can do that by making the following changes:
- Password changes. Be sure to change the administrator password, this time adhering to these password best practices. For more advanced security, you can set up two-factor authentication for your accounts by following this setup guide.
- Port changes. Here, you should make two modifications. First, change the HTTPS management port to a non-default port. Second, change the SSL VPN port to another port, taking care that it does not overlap with the HTTPS GUI port. N.B.: Adjust the firewall rules before making these port changes, or you may lock yourself out.
- Firewall configuration review. To protect your firewall from external intrusion, enable the GeoIP country feature for your own location and only allow permitted source IPs in the WAN-to-ZyWALL zone rules. All other untrusted connections from WAN to ZyWALL should fall under a “deny” rule.
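The signs of compromise listed earlier (unknown admin accounts, policy routes, firewall rules and SSL VPN users) and the hardening items just above (non-default HTTPS port, no overlap with the SSL VPN port, a restricted allow rule and a final deny for WAN-to-ZyWALL traffic) can both be checked by diffing an exported configuration against a known-good baseline. The script below is an added example, not Zyxel’s tooling and not from the post; it works on a simplified, constructed configuration dialect (the `user`, `sslvpn-user`, `firewall-rule`, `policy-route`, `https-port` and `sslvpn-port` lines are invented for the illustration and are not ZLD CLI syntax), so the regular expressions would need adapting to a real export. The account names and the “loseang” rule description it flags are the ones quoted in the post.

```python
import re
from typing import Dict, List

# Constructed, simplified configuration dialect used only for this example.
# It is NOT Zyxel's ZLD CLI syntax; adapt the regexes to a real exported config.
KNOWN_GOOD_BASELINE = """\
user admin type admin
user bob type user
sslvpn-user bob
firewall-rule 1 from WAN to ZyWALL src 198.51.100.0/24 action allow desc "mgmt from HQ"
firewall-rule 2 from WAN to ZyWALL src any action deny desc "default deny"
policy-route 1 next-hop 198.51.100.1
https-port 8443
sslvpn-port 10443
"""

# Constructed config showing the symptoms the post lists: an unknown admin, an
# unknown SSL VPN user, a "loseang" rule, an extra policy route, default ports.
SUSPECT_CONFIG = """\
user admin type admin
user bob type user
user zyxel_ts type admin
sslvpn-user bob
sslvpn-user zyxel_sllvpn
firewall-rule 1 from WAN to ZyWALL src 198.51.100.0/24 action allow desc "mgmt from HQ"
firewall-rule 7 from WAN to ZyWALL src any action allow desc "loseang"
firewall-rule 2 from WAN to ZyWALL src any action deny desc "default deny"
policy-route 1 next-hop 198.51.100.1
policy-route 2 next-hop 203.0.113.5
https-port 443
sslvpn-port 443
"""

# Account names quoted in Zyxel's statement, and the rule description the post says to delete.
IOC_ACCOUNTS = {"zyxel_sllvpn", "zyxel_ts", "zyxel_vpn_test"}
IOC_RULE_DESC = "loseang"

USER_RE = re.compile(r"^user (\S+) type (\S+)$")
SSLVPN_RE = re.compile(r"^sslvpn-user (\S+)$")
RULE_RE = re.compile(r'^firewall-rule (\d+) from (\S+) to (\S+) src (\S+) action (allow|deny) desc "([^"]*)"$')
ROUTE_RE = re.compile(r"^policy-route (\d+) next-hop (\S+)$")
PORT_RE = re.compile(r"^(https-port|sslvpn-port) (\d+)$")


def parse_config(text: str) -> dict:
    """Turns the simplified config into sets and lists that are easy to diff."""
    cfg = {"admins": set(), "users": set(), "sslvpn": set(), "rules": [], "routes": {}, "ports": {}}
    for line in text.splitlines():
        if m := USER_RE.match(line):
            cfg["users"].add(m.group(1))
            if m.group(2) == "admin":
                cfg["admins"].add(m.group(1))
        elif m := SSLVPN_RE.match(line):
            cfg["sslvpn"].add(m.group(1))
        elif m := RULE_RE.match(line):
            num, src_zone, dst_zone, src, action, desc = m.groups()
            cfg["rules"].append({"num": int(num), "from": src_zone, "to": dst_zone,
                                 "src": src, "action": action, "desc": desc})
        elif m := ROUTE_RE.match(line):
            cfg["routes"][int(m.group(1))] = m.group(2)
        elif m := PORT_RE.match(line):
            cfg["ports"][m.group(1)] = int(m.group(2))
    return cfg


def find_compromise_indicators(current: dict, baseline: dict) -> List[str]:
    """Signs of compromise from the post: unknown accounts, rules, routes, SSL VPN users."""
    findings = []
    for name in sorted(current["users"] - baseline["users"]):
        kind = "admin" if name in current["admins"] else "user"
        tag = " (matches known IoC)" if name in IOC_ACCOUNTS else ""
        findings.append(f"unknown {kind} account: {name}{tag}")
    for name in sorted(current["sslvpn"] - baseline["sslvpn"]):
        tag = " (matches known IoC)" if name in IOC_ACCOUNTS else ""
        findings.append(f"unknown SSL VPN user: {name}{tag}")
    baseline_rule_nums = {r["num"] for r in baseline["rules"]}
    for r in current["rules"]:
        if IOC_RULE_DESC in r["desc"].lower():
            findings.append(f"firewall rule {r['num']} description contains '{IOC_RULE_DESC}'")
        elif r["num"] not in baseline_rule_nums:
            findings.append(f"unknown firewall rule {r['num']}: {r['desc']!r}")
    for num, hop in current["routes"].items():
        if baseline["routes"].get(num) != hop:
            findings.append(f"unknown or changed policy route {num} -> {hop}")
    return findings


def audit_hardening(cfg: dict) -> List[str]:
    """Checks the 'Protect the Device' items: management ports and WAN-to-ZyWALL rules."""
    issues = []
    https, sslvpn = cfg["ports"].get("https-port"), cfg["ports"].get("sslvpn-port")
    if https == 443:
        issues.append("HTTPS management still on default port 443")
    if https is not None and https == sslvpn:
        issues.append("SSL VPN port overlaps the HTTPS GUI port")
    wan_rules = [r for r in cfg["rules"] if r["from"] == "WAN" and r["to"] == "ZyWALL"]
    for r in wan_rules:
        if r["action"] == "allow" and r["src"] == "any":
            issues.append(f"rule {r['num']} allows WAN->ZyWALL from any source")
    if not wan_rules or wan_rules[-1]["action"] != "deny":
        issues.append("no final deny rule for untrusted WAN->ZyWALL traffic")
    return issues


if __name__ == "__main__":
    base, cur = parse_config(KNOWN_GOOD_BASELINE), parse_config(SUSPECT_CONFIG)
    for line in find_compromise_indicators(cur, base) + audit_hardening(cur):
        print("FINDING:", line)
```

Run it as-is and it reports the four compromise indicators and three hardening gaps planted in `SUSPECT_CONFIG`; against the baseline it reports nothing. The baseline should be a configuration export taken before the incident window and stored off the device, since a configuration captured after the attacker has changed it is no longer a trustworthy reference.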
Palindrome Consulting is Your Top-Rated Cybersecurity Partner in South Florida!
Hopefully, this post was an eye-opener, and you gained valuable insights into how to protect your Zyxel devices from rampant security breaches. With a permanent solution still at a distance, the company urges its clients to remain vigilant and implement proper security policies for remote access to defend against the unforgiving cyber threat actors.
At Palindrome Consulting, we can save you from the troubles and hassles of implementing the time-consuming and technical Zyxel security protocols, so you can focus on more value-adding business activities. Our self-motivated and highly qualified team of cybersecurity experts can monitor your network security system to detect any suspicious cyber activities on your Zyxel devices and act proactively to outsmart the attackers.
We also offer a range of other on-demand cybersecurity services like security assessment, penetration testing, security plan development, incident response, security awareness training, and more. So what are you waiting for? Contact us today for an all-inclusive cybersecurity solution.