Zyxel, a manufacturer of enterprise routers and VPN devices, has issued a notification that attackers are targeting its devices and changing configurations to gain remote access to a network.
According to Zyxel, the attacks targeted the USG, ZyWALL, USG FLEX, ATP, and VPN series using on-premise ZLD firmware. All are multi-purpose networking devices that the company sells to enterprise customers as systems that include VPN, firewall, and load balancing.
The company stated in an email, “We recently became aware of a sophisticated threat actor targeting a small subset of Zyxel security appliances that have remote management or SSL VPN enabled.”
According to the vendor, the attacks follow this pattern:
The threat actor tries to access a device through the WAN interface; if successful, the threat actor bypasses authentication and establishes SSL VPN tunnels using unknown user accounts, such as “zyxel slIvpn”, “zyxel ts”, or “zyxel vpn test”, to change the device’s configuration.
Zyxel spokespersons in the United States and the United Kingdom have not responded to requests for additional information.
At the time of writing, it is unknown whether the attacker is exploiting a known vulnerability on unpatched devices or a previously unknown flaw (a “zero-day”, in cyber-security terms).
It is also unclear whether the attacks have already resulted in breaches at any of Zyxel’s customers, or whether the vendor detected the activity early, for instance through honeypots, and is now alerting clients ahead of a potentially larger wave of attacks.
Despite this, the vendor appears to believe the attacks can be mitigated.
The guidance Zyxel gives, as reported by The Record, is that maintaining a proper security policy for remote access is currently the most effective way to reduce the attack surface, and that the following points must be noted:
1. Unless you must manage devices from the WAN side, disable HTTP/HTTPS services from WAN.
2. If you still need to manage devices from the WAN side:
• enable Policy Control and add rules to only allow access from trusted source IP addresses; and
• enable GeoIP filtering to only allow access from trusted locations.
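As an added example, not code from the original article or from Zyxel, the following Python script turns the two recommendations above and the account indicators from the reported attack pattern into a repeatable audit. The configuration dictionary layout, the two sample configurations, the account list and the expected-account allow-list are all constructed here for illustration; a ZLD appliance does not expose this structure, so a real check would populate it from the appliance’s own configuration export or CLI. Account names are compared after lower-casing and stripping spaces, underscores and hyphens, which is an assumption about how the reported names might appear in a real user list.

```python
"""Audit a Zyxel-style remote-management setup against the vendor guidance.

Added example; the config/account formats are invented for illustration and
are NOT the format of a real ZLD configuration export.
"""
import re
from ipaddress import ip_network

# Account names as reported on the page (attacker-created SSL VPN users).
REPORTED_ACCOUNTS = {"zyxel slIvpn", "zyxel ts", "zyxel vpn test"}


def normalise(name: str) -> str:
    """Lower-case and drop separators so 'zyxel_ts', 'zyxel ts' and 'Zyxel-TS' compare equal."""
    return re.sub(r"[\s_\-]+", "", name.lower())


_REPORTED = {normalise(n) for n in REPORTED_ACCOUNTS}


def find_suspicious_accounts(accounts, expected):
    """Return (indicator_matches, unknown_accounts).

    indicator_matches: accounts matching the names reported in the attacks.
    unknown_accounts:  any other account not on the operator's allow-list,
                       since the attackers used accounts the owner did not create.
    """
    expected_n = {normalise(a) for a in expected}
    hits, unknown = [], []
    for acct in accounts:
        n = normalise(acct)
        if n in _REPORTED:
            hits.append(acct)
        elif n not in expected_n:
            unknown.append(acct)
    return hits, unknown


def audit_remote_management(cfg):
    """Return a list of findings; an empty list means the guidance is met.

    cfg layout (hypothetical):
      {"wan_services": {"HTTP": bool, "HTTPS": bool},
       "policy_control": {"enabled": bool, "allowed_sources": [CIDR, ...]},
       "geoip_filter": {"enabled": bool, "allowed_countries": [ISO code, ...]}}
    """
    findings = []
    exposed = sorted(svc for svc, on in cfg.get("wan_services", {}).items() if on)
    if not exposed:
        return findings  # recommendation 1: nothing managed from the WAN side

    # Recommendation 2a: Policy Control with a trusted-source allow-list.
    pc = cfg.get("policy_control", {})
    if not pc.get("enabled") or not pc.get("allowed_sources"):
        findings.append(f"{', '.join(exposed)} reachable from WAN without a source-IP allow-list")
    else:
        for src in pc["allowed_sources"]:
            if ip_network(src, strict=False).prefixlen == 0:  # 0.0.0.0/0 or ::/0
                findings.append(f"allow-list entry {src} permits any source address")

    # Recommendation 2b: GeoIP filtering limited to trusted locations.
    geo = cfg.get("geoip_filter", {})
    if not geo.get("enabled") or not geo.get("allowed_countries"):
        findings.append("GeoIP filtering does not restrict WAN management to trusted locations")
    return findings


# Constructed sample data (not from any real device).
WEAK_CONFIG = {
    "wan_services": {"HTTP": True, "HTTPS": True},
    "policy_control": {"enabled": False, "allowed_sources": []},
    "geoip_filter": {"enabled": False, "allowed_countries": []},
}
HARDENED_CONFIG = {
    "wan_services": {"HTTP": False, "HTTPS": True},
    "policy_control": {"enabled": True, "allowed_sources": ["203.0.113.0/24", "198.51.100.7"]},
    "geoip_filter": {"enabled": True, "allowed_countries": ["US"]},
}
SAMPLE_ACCOUNTS = ["admin", "netops", "zyxel_vpn_test", "backup-svc"]
EXPECTED_ACCOUNTS = ["admin", "netops"]

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_remote_management(cfg) or ["OK"])
    hits, unknown = find_suspicious_accounts(SAMPLE_ACCOUNTS, EXPECTED_ACCOUNTS)
    print("reported-name matches:", hits, "| unknown accounts:", unknown)
```

The account check deliberately reports two classes separately: a match on one of the reported names is a strong indicator, while an account merely absent from the allow-list is something to verify with whoever administers the device, since the vendor's description is that the attackers created accounts the owner did not know about.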
The attacks against Zyxel devices come after a series of similar attacks on a variety of VPN devices, which provide a convenient way for remote attackers to get persistent access to a corporate network.
In recent years, Pulse Secure, Palo Alto Networks, Fortinet, Citrix, Cisco, SonicWall, Sophos, and F5 Networks have all seen their firewalls, VPN servers, and load balancers targeted by a series of attacks. These devices are frequent targets of both cyber-espionage groups and financially motivated groups seeking to steal sensitive information.