Zyxel USG FLEX and ATP series – Upgrading your device and ALL credentials to avoid hackers' attack.

Zyxel_Kevin Posts: 871  Zyxel Employee
edited October 11 in Security

The Zyxel team has been tracking the recent activity of threat actors targeting Zyxel security appliances that were previously subject to vulnerabilities and whose admin passwords have not been changed since then. Users are advised to update ALL administrator accounts for optimal protection.

Based on our investigation, the threat actors were able to steal valid credential information through previous vulnerabilities, and because such credentials were not changed, they are now able to create SSL VPN tunnels with temporary users, such as “SUPPOR87”, “SUPPOR817” or “vpn”, and modify the security policies to give themselves access to the device and network.

Affected Products:

ATP and USG FLEX Series in On-Premise Mode with remote management or SSL VPN enabled at any point in time in the past, and whose admin user credentials have NOT been updated or which do not have 2FA enabled.

Those running the Nebula cloud management mode are NOT affected.

Affected Firmware Version:  ZLD V4.32 to ZLD 5.38

How to find out if your firewall is affected

As of the time of writing, a compromised firewall exhibits the following symptoms:

- SSL VPN connections from user(s) “SUPPORT87”, “SUPPOR817” and “vpn”, or from a VPN user you created

- Admin logins from unrecognized IP addresses. We have seen logins using admin credentials from IP addresses in Singapore, but the attackers also seem to use VPNs, as we have seen connections coming from within Europe.

- If SecuReporter is enabled for your device, the Activity and Logs show the attackers connecting using the admin credentials, then creating the SSL VPN users and deleting them after the VPN connection has been used.

- Security policies created or modified to open access from ANY to ANY or from SSL VPN to ZyWALL and LAN, as well as opening WAN to LAN for existing NAT rules.

What can you do if you have found the above-mentioned points on your device?

Fix Action: Upgrade your device firmware to the LATEST release 5.39

Fix Action: Change ALL your passwords; DO NOT re-use the same password

- ALL admin/user role passwords.

- The pre-shared key of your VPN settings (Remote Access and Site-to-Site VPN).

- The auth password for the external auth server (AD server and RADIUS).

DO NOT use a user with administrator privileges to communicate with the external auth server.

Fix Action: Remove all existing unknown admin and user accounts, if any are still found.

Fix Action: Force logout users and admins that are not recognized.

Fix Action: Remove firewall rules that are not meant to allow all access from the WAN, SSL VPN zones or Any.

Best Practice for the Firewall configuration

1) Review the Firewall configuration

· Protect this with the GEO IP Country feature for your location. Setup Assistance

· Make sure to set up a "deny" rule for all other untrusted connections from WAN to ZyWALL, positioned below the allow rules.

2) Port Changes

[Be careful: modify the firewall first, and if you connect by SSL VPN yourself, it will reconnect you; don't block yourself]

· Change the port of HTTPS to another port. Setup Assistance

· Change the port for SSL VPN to another port which does not overlap with the HTTPS GUI port.

3) Set up 2-factor Login. Setup Assistance

4) Add a Private Encryption Key for your Configuration File.
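Checking exported firewall or SecuReporter logs against the four symptoms listed in the post can be scripted. The Python below is an added example and not Zyxel's code: it parses a constructed, simplified key=value log format (an assumption; Zyxel's real syslog layout differs, so parse_line() has to be adapted to your export), flags the temporary VPN usernames named in the post, admin logins from outside an assumed trusted network, create-then-delete churn of VPN users within the same log window, and allow policies from ANY to ANY, SSL VPN to ZyWALL/LAN, or WAN to LAN. The function names, field names, sample log lines and the 203.0.113.0/24 trusted range are all assumptions made for the example.

```python
"""Triage helper for the compromise indicators listed in the Zyxel post.

Added example, not Zyxel code. The log lines below are CONSTRUCTED in a
simplified key=value format (assumed, not Zyxel's real syslog layout);
adapt parse_line() to the export you get from the firewall or SecuReporter.
"""
import ipaddress
import re
from collections import Counter

# Temporary SSL VPN usernames named in the post (both spellings it uses).
SUSPICIOUS_VPN_USERS = {"SUPPORT87", "SUPPOR87", "SUPPOR817", "vpn"}

# Assumed: networks from which your administrators legitimately log in.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed

# Zone pairs the post describes attackers opening up with "allow" policies.
PERMISSIVE_PAIRS = {("ANY", "ANY"), ("SSL_VPN", "ZYWALL"),
                    ("SSL_VPN", "LAN"), ("WAN", "LAN")}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse 'key=value key="quoted value"' into a dict (assumed format)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def triage(lines):
    """Return (indicator, subject, detail) tuples for every symptom found."""
    findings = []
    created = set()  # VPN users added during this log window
    for raw in lines:
        ev = parse_line(raw)
        kind = ev.get("event")
        if kind == "sslvpn_login" and ev.get("user") in SUSPICIOUS_VPN_USERS:
            findings.append(("suspicious_vpn_user", ev["user"], ev.get("src")))
        elif kind == "admin_login" and ev.get("result") == "success":
            src = ev.get("src")
            if src and not any(ipaddress.ip_address(src) in n
                               for n in TRUSTED_ADMIN_NETS):
                findings.append(("admin_login_untrusted_ip", ev.get("user"), src))
        elif kind == "user_add":
            created.add(ev.get("user"))
        elif kind == "user_delete" and ev.get("user") in created:
            # Account created and deleted in the same window: the pattern the
            # post describes (VPN user removed once the tunnel has been used).
            findings.append(("vpn_user_churn", ev["user"], ev.get("admin")))
        elif kind == "policy_change" and ev.get("action", "").lower() == "allow":
            pair = (ev.get("from", "").upper(), ev.get("to", "").upper())
            if pair in PERMISSIVE_PAIRS:
                findings.append(("permissive_policy", ev.get("name"),
                                 f"{pair[0]}->{pair[1]}"))
    return findings


def summarize(findings):
    """Count findings per indicator type."""
    return Counter(kind for kind, _, _ in findings)


# Constructed sample log window: one legitimate admin, one intruder session.
SAMPLE_LOGS = [
    'time=2024-09-01T02:11:09Z event=admin_login user=admin src=203.0.113.7 result=success',
    'time=2024-09-01T03:40:12Z event=admin_login user=admin src=198.51.100.23 result=success',
    'time=2024-09-01T03:41:02Z event=user_add admin=admin user=SUPPOR817 type=sslvpn',
    'time=2024-09-01T03:41:30Z event=policy_change admin=admin name="SSL_VPN_to_LAN" from=SSL_VPN to=LAN action=allow',
    'time=2024-09-01T03:42:15Z event=sslvpn_login user=SUPPOR817 src=198.51.100.23 result=success',
    'time=2024-09-01T08:02:44Z event=sslvpn_login user=alice src=203.0.113.50 result=success',
    'time=2024-09-01T09:15:01Z event=user_delete admin=admin user=SUPPOR817',
    'time=2024-09-01T10:00:00Z event=policy_change admin=admin name="Block_Guest" from=LAN to=WAN action=deny',
]

if __name__ == "__main__":
    for kind, subject, detail in triage(SAMPLE_LOGS):
        print(f"{kind:26} {subject!s:12} {detail}")
```

Run against a real export, the trusted-network list and the zone names are the two things to adjust first; the indicator set itself is deliberately narrow so that a hit on any one of the four is worth a manual review of that session.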

Comments

  • Asgatlat
    Asgatlat Posts: 84  Ally Member

    So no problem with the ZYWALL 110 model?

  • jonatan
    jonatan Posts: 175  Master Member

    @Zyxel_Kevin

    We have a lot of 110/310/1100 series devices. I am also interested in whether these devices are susceptible to the vulnerabilities found. This is very important for us.
