New Users added to Objects after firmware update

inchica
inchica Posts: 10
Hello,

I have a question regarding the ZyWALL 110.

I recently updated the firmware to V4.63(AAAA.0).  Today, I noticed two New Users added to Config > Object > User/Group.  Are these default accounts?  Can I delete them?

User name: manage
User name: zyxel_ts

Current devices: ZyWALL 110

Accepted Solution

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,100  Zyxel Employee
    edited June 2021 Answer ✓

    We’re aware of the situation and have been working our best to investigate and resolve it.

    In the interim, here’s a list of currently known to be the most effective ways to mitigate the impact:”

     

    Scenario#1

    If you allow traffic from Internet to your device with WebGUI and SSL VPN tunnel, you can follow these steps to protect your device.

    1.    Add IP address object(s) to trusted addresses or trusted countries.

    (Configuration > Object > Address/GeoIP)


    2.    Allow trusted IP addresses and Deny others traffic from Internet

    (Configuration > Security Policy > Policy Control)

    #1. You can allow trusted IP addresses and WebGUI/SSL service ports from WAN side for access.

    #2. Deny other IP addresses that you do not trust to access your WebGUI.

     

    3.    Change HTTPS connection port from the default 443 to another port (without conflicting with other services) and make sure that this port is added in policy control rule #1.

    (Configuration > System > WWW)

    Change HTTPS connection port. e.g 17443


    After changing HTTPS Service port, you must reconnect to your device using the new port. If you would like to use SSL VPN tunnel to access your device, make sure that the public IP address of your PC is added in your Trusted IP List. While connecting to your device, make sure to enter the correct port in SecuExtender.



    Scenario#2

    If there is no WebGUI/SSL VPN tunnel required, you can move the default rule (WAN_to_Device) as the first rule and keep the last rule as “deny”.

    (Allowed services are for IPSec VPN/VRRP/GRE)

    Make sure there is no HTTP/HTTPS WebGUI service port in service group.


    We also suggest to change the admin password.

    In addition, you can refer to our latest document “Best Practice to Secure a Distributed Network Infrastructure” to design and secure your network.

«1

All Replies

  • zigandzag
    zigandzag Posts: 6
    edited June 2021
    yes - delete them.  Also check to see if a test route was added to VPN > SSL VPN.  If so, you should probably delete that also. 
  • Blabababa
    Blabababa Posts: 142  Ally Member
    edited June 2021
    If your https service from wan is enabled, turn it off or change the port to another one.
  • Mario
    Mario Posts: 89  Ally Member
    What does this mean:
    "We’re aware of the situation and have been working our best to investigate and resolve it."
    Aganin a backdoor Account in a firmware upgrgrade?




  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,100  Zyxel Employee
    Hi @Mario
    We haven't observed any correlation about black account and we're investigating it and will keep you posted
  • Mario
    Mario Posts: 89  Ally Member
    @Zyxel_Stanley Thanks for the information, also got the security alert over mail.
    Can you share some details, affectet firmware and IOC?
    @zigandzag writes about addet routes on the firewall, can you confirm?

    Thanks
    Mario
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,100  Zyxel Employee
    Hi @Mario
    Based on our investigation so far, a small subset of Zyxel security appliances is targeted. Currently we haven’t observed any direct correlation with specific firmware versions. The most effective way is to check if there is any unknown SSL VPN user account, such as “zyxel_sllvpn”, “zyxel_ts”, or “zyxel_vpn_test”, has been created. If not, your device is not affected, and please follow the mitigations below as a precaution.   

  • inchica
    inchica Posts: 10
    We had an attack attempt over the weekend.  

    Here is the IP address and ports they used to attempt to access our device:
    191.101.132.5:1943
    191.101.132.5:28693

    They used our private admin accounts - they had the names of our private admin accounts. 

    They were not able to access our device because we had disabled WAN access for admins.  

    I am very concerned that they had knowledge of our private admin names.  

    I will update the firewalls with the latest firmware that Zyxel just released.


  • inchica
    inchica Posts: 10
    Is there a way to disable the Web GUI from displaying?

    Scenario:  
    1. Enter IP address into web browser
    2. Our Zyxel firewall device Web GUI appears

    We do not want the Web GUI to appear if our IP address is entered into a browser.  Is there a way to disable it?


  • splayer7
    splayer7 Posts: 3
    @inchica How did you know you had an attempted attack if WAN was disabled?  I have done the same with mine, but would like to see if I also had an attempt.

Security Highlight