Hacked VPN100

WebWorks
WebWorks Posts: 15  Freshman Member
First Comment Fifth Anniversary

Somehow some Hackers gained Access to a VPN 100, created a user, ssl-vpn and some routes.

Then they crypted servers behind the zywall.

Does Zyxel know more about this issue?

Accepted Solution

«13

All Replies

  • WebWorks
    WebWorks Posts: 15  Freshman Member
    First Comment Fifth Anniversary

    Here a follow up. On the night to monday, someone tried to gain access to many zywalls vpn100.

    Starting at 2h for about 4h utc+1. I found traces in many devices. First sign is a configfile with the name zzz1.conf uploaded to the zywall.

    In one case they where successfull to compromise the zywall and to get access to the network.
    In other cases it looks like they got stuck in the attack.

    Since the attack went trough a lot of devices at the same time, I get the impression that they harvested the targets in advance and tried a concentrated attack.

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,577  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate

    Hi @WebWorks,

    Thanks for the information. I will send you a private message to collect some basic information. Please check your forum message box.

    Zyxel Melen


  • TGriff
    TGriff Posts: 2  Freshman Member
    First Comment

    Hey @WebWorks,

    Do you have any information that you can share with me about this?
    I am currently investigating something eerily similar.

    I have recently seen a Zyxel FLEX 500 and a ATP200 get compromised, I believe both on V5.38 at that time. On the Flex 500 I found a User account and a SSL VPN created with that same name (OKSDW82A if that means anything but it is probably random).

    Luckily, our AV\EDR\SOC stopped the malicious activity that then originated from that SSLVPN, and we were able to isolate the environment before any damage was done.

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,577  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate

    Hi @WebWorks,

    Thanks for providing detailed information in the private message.

    However, the config file you provided is not a config file. I opened it but the content was some random texts. Could you help to check it again? Also, please help us collect the diagnostic info to investigate this issue.

    Zyxel Melen


  • Zyxel_Melen
    Zyxel_Melen Posts: 2,577  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate
    edited September 25

    Hi @TGriff,

    Thanks for your info~

    Could you help collect the diagnostic info so we can investigate this issue? I will send you a private message and you may share the file with me in the message.

    Also, please help to upgrade to the latest firmware version 5.39. We have fixed some CVE cases in the latest firmware version.

    Zyxel Melen


  • mMontana
    mMontana Posts: 1,389  Guru Member
    50 Answers 1000 Comments Friend Collector Fifth Anniversary

    I'd like to know, if willing to share, the continent of the compromised devices and if the management port has been changed from the default.

  • WebWorks
    WebWorks Posts: 15  Freshman Member
    First Comment Fifth Anniversary

    Here a basic follow up on this case:

    VPN100 V5.37(ABFV.2), lastest Version for this Device.
    Europe, time in UTC+1 and european summertime, attack monday morning beween 2 and 6am.
    Attacked many VPN100, found the "config file" zzz1.conf on all these devices with this timestamps.
    in one device I found a User account and a SSL VPN created with that same name like OKSDW82A … and also a strange route.
    The access port for the webinterface was changed on all devices and since they all got attacked in the same 4 hours it looks to me like somebody harvested the adresses in advance.
    More information can be provided to zyxel, please tell me how to communicate in a secret way.

  • WebWorks
    WebWorks Posts: 15  Freshman Member
    First Comment Fifth Anniversary

    Another remark to zyxel:

    I use many VPN100, because of VPN Performance and the use of L2TP.
    The existing Flex Series use the same interface and functionality like the VPN Series but lack of VPN Performance.

    So I wanted to implement an new Flex 100H with enhanced VPN performance.
    Bad Idea, Registration to Nebula, missing L2TP VPN, just not found possibilities to adjust neede settings for VOIP ALG, UDP Timeouts, ShellScript to Adjust and so on ….

    So Zyxel, since you have Security Problems with this OLD VPN Series what do you provide as a actual alternative to quickly replace these voulnerable devices?

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,577  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate

    Hi @WebWorks,

    You may send the file to me via the message I sent. You may find the message like below:

    Zyxel Melen


Security Highlight