Application Security , Fraud Management & Cybercrime , Incident & Breach Response
Researchers Warn Attackers Are Scanning for Zyxel Products
Recently Disclosed Vulnerability Could Create Hard-Coded BackdoorSecurity researchers are warning that attackers appear to have stepped up scanning for vulnerable Zyxel products, including VPN gateways, access point controllers and firewalls.
A vulnerability in the company's firmware, which was first disclosed in December by researchers, can be exploited to install a hard-coded backdoor that could give threat actors remote administrative privileges. Dutch security firm Eye Control, which first uncovered the flaw, believes the bug could affect as many as 100,000 Zyxel products worldwide.
See Also: Effective Communication Is Key to Successful Cybersecurity
Following the disclosure of the vulnerability, Zyxel issued patches in some of its products and is urging its customers to apply them immediately. In the security advisory, however, the company notes that a fix for its NXC access point controller series products would not be released until April (see: 100,000 Zyxel Devices Vulnerable to Backdoor).
And while no exploits have been spotted in the wild to date, researchers have started to notice increased scanning activity for Zyxel products, including a sharp spike since Monday, according to a report from the SANS Institute.
"Likely due to the holidays, and maybe because [Eye Control] did not initially publish the actual password, widespread exploitation via [Secure Shell protocol] has not started until now," says Johannes Ullrich, of the SANS Internet Storm Center. "But we are now seeing attempts to access our SSH honeypots via these default credentials."
The security firm GreyNoise also notes that its scanners have picked up increased Zyzel scanning activity since Monday, especially targeting Zyxel users in small businesses and home offices.
GreyNoise is observing both opportunistic exploitation of the newly discovered Zyxel USG SSH Backdoor and crawling of SOHO Routers. Tags available for all users via the GreyNoise web interface and API now.
— GreyNoise (@GreyNoiseIO) January 4, 2021
hat tip @nathanqthai & @ackmage https://t.co/UgX7dOoHVs pic.twitter.com/p8zIubXdzL
Vulnerability
The vulnerability was discovered by Eye Control researcher Niels Teusink on Dec. 23 after Zyxel pushed out firmware update 4.60 patch 0, according to the report. The flaw was not present within previous versions of the firmware.
The vulnerability involves hard-coded credentials being used to update the firmware in the company's products.
The Eye Control report found that this vulnerability creates an administrative account that does not appear in the products' user interface. It uses "zyfwp" as the username and a publicly visible static plain-text password.
Teusink also found that a threat actor who identified that administrative account could log into the device using the web interface or SSH protocol.
Ullrich notes that since Zyxel products are used by small businesses as firewalls and VPN gateways, many customers cannot protect against an attack if a threat actor was able to exploit the vulnerability.
"There is little in terms of defense in depth that could be applied to protect the device. The default credentials found by Niels are not just limited to FTP. They can be used to access the device as an administrator via SSH," Ullrich notes. "So yet again, we do have a severe 'stupid' vulnerability in a device that is supposed to secure what is left of our perimeter."
Other Warnings
The Multi-State Information Sharing and Analysis Center, or MS-ISAC, also issued an alert Monday stating the vulnerability poses a risk for enterprises and government agencies that use the company's security and networking products.
While no exploits have been spotted in the wild, the MS-ISAC report notes a threat actor could use the vulnerability to gain administrative access to the inner parts of a targeted network and further escalate privileges.
"This could allow the attacker to change firewall settings, intercept traffic and create VPN accounts to gain access to the network behind the device and other administrative functions," according to the MS-ISAC alert.
The vulnerability, which is tracked as CVE-2020-29583, has a CVSS score of 7.8 out of 10, which means it is considered a "high" severity flaw.
The affected models include Zyxel's business-grade devices, which are usually deployed across private enterprise and government networks. Among the affected products are the ATP series, a firewall; the USG series, a hybrid firewall and VPN gateway; the USG FLEX series, also a hybrid firewall and VPN gateway; the VPN series, a VPN gateway; and the NXC series, which is used as a WLAN access point controller.