Overview
Zyxel firewalls have come under scrutiny following a wave of attacks that exploit firmware vulnerabilities to deploy Helldown ransomware. A critical directory traversal vulnerability, tracked as CVE-2024-11667, in Zyxel ZLD firmware (versions 5.00–5.38) has been linked to these breaches.
Attackers exploit this flaw to steal credentials and perform malicious actions, including creating unauthorized VPN connections and modifying security policies.
CERT Germany (CERT-Bund) and Zyxel have issued urgent advisories detailing these threats and recommending immediate action to mitigate the risk.
Understanding the Vulnerability: CVE-2024-11667
CVE-2024-11667 is a directory traversal vulnerability in Zyxel's firewall firmware. It allows attackers to upload or download files via specially crafted URLs, potentially leading to credential theft and unauthorized access.
This vulnerability affects:
- ATP and USG FLEX series firewalls in on-premise mode.
- Devices running ZLD firmware versions from 4.32 to 5.38 with remote management or SSL VPN enabled.
Devices using Nebula cloud management mode are not affected.
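The affected profile above combines four conditions (series, management mode, firmware version range, and an exposed service). The following inventory check is an added example written for this article, not Zyxel's own tooling; it encodes the 4.32–5.38 range from the list above and treats 5.39 as the first fixed release. The version-string format with a build suffix, the device records and the `Device` field names are constructed for the example, and it compares versions numerically so that "5.4" is correctly treated as older than "5.38".

```python
import re
from dataclasses import dataclass

# Version boundaries as stated in the advisory summary: ZLD 4.32 through 5.38
# are affected; 5.39 and later carry the fix.
AFFECTED_MIN = (4, 32)
AFFECTED_MAX = (5, 38)
FIXED_MIN = (5, 39)

AFFECTED_SERIES = {"ATP", "USG FLEX"}


def parse_zld_version(version: str) -> tuple[int, int]:
    """Extract (major, minor) from a ZLD version string.

    Accepts plain "5.38" as well as strings that carry build information
    after the number, e.g. "V5.38(ABCD.0)" (a constructed sample format,
    not necessarily Zyxel's exact string). Comparing the numeric tuple
    avoids the string-ordering trap where "5.4" sorts after "5.38" even
    though 5.4 is the older release.
    """
    m = re.search(r"(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised ZLD version string: {version!r}")
    return int(m.group(1)), int(m.group(2))


@dataclass
class Device:
    name: str
    series: str            # e.g. "ATP", "USG FLEX"
    version: str           # ZLD firmware version string
    nebula_managed: bool   # True when managed via Nebula cloud mode
    remote_mgmt: bool      # remote (WAN-side) management enabled
    ssl_vpn: bool          # SSL VPN enabled


def is_exposed(dev: Device) -> bool:
    """Return True when the device matches the advisory's affected profile.

    All of the following must hold: affected series, on-premise (not
    Nebula) mode, version within [4.32, 5.38], and remote management or
    SSL VPN enabled.
    """
    if dev.series not in AFFECTED_SERIES or dev.nebula_managed:
        return False
    v = parse_zld_version(dev.version)
    if not (AFFECTED_MIN <= v <= AFFECTED_MAX):
        return False
    return dev.remote_mgmt or dev.ssl_vpn


def needs_upgrade(dev: Device) -> bool:
    """True when firmware is older than 5.39, regardless of current exposure."""
    return parse_zld_version(dev.version) < FIXED_MIN


# Constructed inventory for demonstration (not real devices).
INVENTORY = [
    Device("fw-hq", "ATP", "V5.38(ABCD.0)", False, True, True),
    Device("fw-branch", "USG FLEX", "5.4", False, False, False),
    Device("fw-cloud", "USG FLEX", "5.37", True, True, True),
    Device("fw-patched", "ATP", "5.39", False, True, True),
]


def exposed_devices(inventory=INVENTORY) -> list[str]:
    """Names of inventory devices that currently match the affected profile."""
    return [d.name for d in inventory if is_exposed(d)]


if __name__ == "__main__":
    for d in INVENTORY:
        print(f"{d.name:12} exposed={is_exposed(d)} needs_upgrade={needs_upgrade(d)}")
```

Note that `needs_upgrade` is deliberately separate from `is_exposed`: a branch device with remote management and SSL VPN disabled is not exposed today, but it is still on vulnerable firmware and should be scheduled for the same 5.39 upgrade.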
Helldown Ransomware Evolution
First observed in August 2024, Helldown has grown in sophistication, leveraging the CVE-2024-11667 vulnerability in the Zyxel USG FLEX and ATP firewall series. The vulnerability, although not yet fully identified, appears to allow unauthorized access even on patched systems if account credentials remain unchanged.
Helldown, derived from the notorious LockBit ransomware builder, targets organizations with advanced techniques, including lateral movement within networks. Its leak site has named 32 victims globally, with 5 German entities suspected as targets, CERT-Bund (BSI) said.
Key Attack Observations
- Attack Vectors: Exploitation of firewall vulnerabilities for initial access.
- Post-Exploitation Tactics: Creation of unauthorized accounts (e.g., "SUPPORT87"), lateral movement, and persistent backdoors.
- Impact: Data exfiltration, encryption of critical assets, and operational disruption.
Identifying Indicators of Compromise
Indicators of a compromised Zyxel firewall include:
- Unauthorized SSL VPN Connections:
  - VPN accounts such as "SUPPORT87", "SUPPOR817", or "VPN" appearing in connection logs.
  - Login attempts from unrecognized IP addresses, often routed through VPN services.
- Modified Security Policies:
  - Policies granting unrestricted access (e.g., "ANY to ANY") between the WAN, LAN, and SSL VPN zones.
  - Changes to NAT rules allowing WAN-to-LAN access.
- Suspicious Admin Activity:
  - Creation of unauthorized admin accounts.
  - Login attempts from unrecognized IPs.
  - Activity logs in SecuReporter showing unusual administrative actions.
- AD Server Targeting:
  - Attackers use stolen administrator credentials to access Active Directory (AD) servers via SSL VPN connections, potentially encrypting files.
Steps to Detect and Remediate a Compromised Firewall
Detection
- Check the logs for unknown VPN connections or user accounts.
- Review SecuReporter activity logs for unauthorized admin actions.
- Inspect firewall rules for unusual access permissions.
Remediation
Upgrade Firmware:
Update to ZLD 5.39 or later to patch CVE-2024-11667 and apply the accompanying security enhancements.
Change Credentials:
- Update passwords for all admin and user accounts (local and Active Directory).
- Change VPN pre-shared keys and external authentication server credentials.
Remove Unauthorized Accounts:
- Delete unrecognized admin and user accounts.
- Force logout of all untrusted sessions.
Review Security Policies:
- Remove rules that allow unrestricted access.
- Ensure policies restrict WAN, LAN, and SSL VPN traffic as required.
Monitor Logs:
Continuously analyze logs for suspicious activity and unauthorized access attempts.
Best Practices for Securing Zyxel Firewalls
To prevent future compromises, Zyxel recommends the following measures:
Restrict Access:
- Disable remote management if it is not required.
- Implement IP restrictions for access to the management interface.
Change Default Ports:
- Change the default HTTPS and SSL VPN ports to reduce exposure.
Enable Two-Factor Authentication (2FA):
- Require 2FA for admin and user logins to strengthen access control.
Geo-Restriction Rules:
- Use Geo-IP filtering to block traffic from untrusted regions.
Encrypt Configuration Files:
- Add private encryption keys to secure configuration files.
Regular Backups and Monitoring:
- Maintain up-to-date backups of firewall configurations.
- Continuously monitor for vulnerabilities using threat intelligence feeds.
Conclusion
The exploitation of Zyxel firewall vulnerabilities underscores the importance of proactive cybersecurity measures. Organizations using affected devices must prioritize firmware updates, strengthen access controls, and actively monitor for suspicious activity.
The Helldown ransomware campaign highlights the danger of leaving systems exposed to known vulnerabilities. By adopting a layered security approach, including 2FA, IP filtering, and robust monitoring, organizations can effectively safeguard their networks against similar threats.
References:
https://community.zyxel.com/en/discussion/26764/ransomware-helldown