Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Ransomware

Recent Zyxel Firewall Vulnerability Exploited in Ransomware Attacks

A ransomware group has been observed exploiting a recently patched command injection vulnerability in Zyxel firewalls for initial access.

Zyxel has issued a fresh warning on threat actors exploiting a recently patched command injection vulnerability in its firewalls after security firms have observed a ransomware group targeting the flaw for initial compromise.

The bug, tracked as CVE-2024-42057, could allow remote attackers to execute OS commands on vulnerable devices, without authentication.

Zyxel announced patches for this flaw and six other security defects on September 3, explaining that only devices configured in User-Based-PSK authentication mode on which a valid user with a long username exceeding 28 characters exists are affected.

Zyxel addressed these vulnerabilities with the release of firmware version 5.39 for ATP, USG FLEX, and USG FLEX 50(W)/USG20(W)-VPN series devices.

A month later, Zyxel EMEA warned that threat actors had been targeting firewalls running firmware iterations 4.32 to 5.38 to create rogue user accounts and gain access to networks via SSL VPN tunnels.

“The Zyxel EMEA team has been tracking the recent activity of threat actors targeting Zyxel security appliances that were previously subject to vulnerabilities. Since then, admin passwords have not been changed. Users are advised to update all administrators and all user accounts for optimal protection,” Zyxel EMEA said.

Last week, cybersecurity firm Sekoia warned about attacks launched by the Helldown ransomware group, which claimed 31 victims between August and October, including Zyxel’s European subsidiary.

At least eight Helldown victims, Sekoia said, were using Zyxel firewalls as IPSec VPN access points when they were hacked. The attackers likely targeted CVE-2024-42057 to compromise the Zyxel appliances running firmware version 5.38.

Advertisement. Scroll to continue reading.

The cybersecurity firm observed the attackers creating on a vulnerable device a rogue account named OKSDW82A, which had previously been observed in a Helldown incident analyzed by Truesec.

“All of this evidence strongly suggests that Zyxel firewalls have been targeted by Helldown. Details about post-compromise activities indicate that, in at least one intrusion, the attacker’s tactics align with typical ransomware methods,” Sekoia noted.

Shortly after the report, Zyxel issued an advisory confirming that devices that had not been upgraded to firmware version 5.39 were targeted in malicious attacks.

“Zyxel is aware of recent attempts by threat actors to target Zyxel firewalls through previously disclosed vulnerabilities, as reported in Sekoia’s blog post. We confirm that the reported issues are not reproducible on firmware version 5.39, released on September 3, 2024,” Zyxel said.

Users are advised to upgrade to the patched firmware release as soon as possible, or to temporarily disable remote access to firewalls that cannot be patched immediately.

Related: 400,000 Systems Potentially Exposed to 2023’s Most Exploited Flaws

Related: Zyxel Patches Critical Vulnerabilities in Networking Devices

Related: Critical Flaw Exposes Many WiMAX Routers to Attacks

Related: Organizations Slow to Protect Doors Against Hackers: Researcher

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

SSH Communications Security has appointed Pauli Haikonen as the company’s Chief Information Security Officer (CISO).

Cloud and container security firm Sysdig has tapped William Welch as CEO on its path to an IPO.

Dave Scher has been promoted to Deputy Chief Information Officer at MITRE.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.