New Users added to Objects after firmware update

inchica
inchica Posts: 10  Freshman Member
Hello,

I have a question regarding the ZyWALL 110.

I recently updated the firmware to V4.63(AAAA.0).  Today, I noticed two New Users added to Config > Object > User/Group.  Are these default accounts?  Can I delete them?

User name: manage
User name: zyxel_ts

Current devices: ZyWALL 110

Accepted Solution

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,379  Zyxel Employee
    edited June 2021 Answer ✓

    We’re aware of the situation and have been working our best to investigate and resolve it.

    In the interim, here’s a list of the currently known most effective ways to mitigate the impact:


    Scenario#1

    If you allow traffic from Internet to your device with WebGUI and SSL VPN tunnel, you can follow these steps to protect your device.

    1.    Add IP address object(s) to trusted addresses or trusted countries.

    (Configuration > Object > Address/GeoIP)


    2.    Allow trusted IP addresses and deny other traffic from the Internet

    (Configuration > Security Policy > Policy Control)

    #1. You can allow trusted IP addresses and WebGUI/SSL service ports from WAN side for access.

    #2. Deny other IP addresses that you do not trust to access your WebGUI.


    3.    Change HTTPS connection port from the default 443 to another port (without conflicting with other services) and make sure that this port is added in policy control rule #1.

    (Configuration > System > WWW)

    Change the HTTPS connection port, e.g. to 17443.


    After changing HTTPS Service port, you must reconnect to your device using the new port. If you would like to use SSL VPN tunnel to access your device, make sure that the public IP address of your PC is added in your Trusted IP List. While connecting to your device, make sure to enter the correct port in SecuExtender.



    Scenario#2

    If there is no WebGUI/SSL VPN tunnel required, you can move the default rule (WAN_to_Device) to be the first rule and keep the last rule as “deny”.

    (Allowed services are for IPSec VPN/VRRP/GRE)

    Make sure there is no HTTP/HTTPS WebGUI service port in service group.


    We also suggest changing the admin password.

    In addition, you can refer to our latest document “Best Practice to Secure a Distributed Network Infrastructure” to design and secure your network.
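As an added example (not Zyxel's code and not the ZyWALL configuration syntax), the following first-match model of the Policy Control steps above lets you sanity-check a rule set before committing it on the device: it shows that the trusted-allow rule must come before the deny, that the new HTTPS port has to be present in rule #1 or trusted admins lock themselves out, and that the Scenario #2 service group must not contain an HTTP/HTTPS service. Rule fields, service names and the sample addresses are constructed for illustration.

```python
"""Added example (not Zyxel's code): a first-match model of the Policy Control
steps in the accepted answer, used to sanity-check a rule set before it is
committed on the device. Rule fields, service names and sample addresses are
constructed for illustration and are not the ZyWALL configuration syntax."""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    sources: list = field(default_factory=list)   # CIDR strings; empty = any source
    services: list = field(default_factory=list)  # service names; empty = any service

    def matches(self, src, service):
        src_ok = not self.sources or any(
            ipaddress.ip_address(src) in ipaddress.ip_network(net)
            for net in self.sources)
        svc_ok = not self.services or service in self.services
        return src_ok and svc_ok


def decide(rules, src, service):
    """First matching rule wins; no match falls through to an implicit deny."""
    for rule in rules:
        if rule.matches(src, service):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def is_webgui(service):
    # HTTP/HTTPS service names, i.e. the WebGUI / SSL VPN listener
    return service.upper().startswith("HTTP")


def lint(rules):
    """Flag the mistakes the answer warns about; returns a list of findings."""
    problems = []
    for i, rule in enumerate(rules):
        if rule.action == "allow" and not rule.sources and (
                not rule.services or any(is_webgui(s) for s in rule.services)):
            problems.append(f"{rule.name}: allows WebGUI service(s) from any source")
        if rule.action == "allow":
            for earlier in rules[:i]:
                shadows = earlier.action == "deny" and not earlier.sources and (
                    not earlier.services or not rule.services
                    or set(earlier.services) & set(rule.services))
                if shadows:
                    problems.append(f"{rule.name}: shadowed by earlier deny rule {earlier.name}")
    if not rules or rules[-1].action != "deny":
        problems.append("last rule is not deny")
    return problems


# Constructed sample data (RFC 5737 documentation range for the trusted address object).
TRUSTED = ["203.0.113.0/24"]
NEW_HTTPS = "HTTPS:17443"          # the non-default port the answer uses as an example

# Scenario #1: trusted sources may reach the WebGUI on the new port, everything else is denied.
SCENARIO_1 = [
    Rule("trusted-webgui", "allow", TRUSTED, [NEW_HTTPS]),
    Rule("deny-rest", "deny"),
]
# Step 3 done halfway: the port was changed but rule #1 still lists the old one,
# so even trusted admins are locked out.
SCENARIO_1_LOCKOUT = [
    Rule("trusted-webgui", "allow", TRUSTED, ["HTTPS:443"]),
    Rule("deny-rest", "deny"),
]
# Scenario #2: no WebGUI at all from the WAN; only the VPN-related services stay open.
SCENARIO_2 = [
    Rule("WAN_to_Device", "allow", [], ["IKE", "NAT-T", "GRE", "VRRP"]),
    Rule("deny-rest", "deny"),
]

if __name__ == "__main__":
    for label, rules in [("scenario1", SCENARIO_1), ("lockout", SCENARIO_1_LOCKOUT),
                         ("scenario2", SCENARIO_2)]:
        print(label, decide(rules, "203.0.113.10", NEW_HTTPS),
              decide(rules, "192.0.2.7", NEW_HTTPS), lint(rules))
```

Run it as a script to see each scenario's decision for a trusted and an untrusted source; `lint()` is the part worth running against a transcribed rule set, since a shadowed allow rule or a WAN_to_Device group that still carries an HTTP/HTTPS entry is exactly what the accepted answer tells you to rule out.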


All Replies

  • zigandzag
    zigandzag Posts: 6  Freshman Member
    edited June 2021
    yes - delete them.  Also check to see if a test route was added to VPN > SSL VPN.  If so, you should probably delete that also. 
  • Blabababa
    Blabababa Posts: 151  Master Member
    edited June 2021
    If your https service from wan is enabled, turn it off or change the port to another one.
  • Mario
    Mario Posts: 106  Ally Member
    What does this mean:
    "We’re aware of the situation and have been working our best to investigate and resolve it."
    Again a backdoor account in a firmware upgrade?




  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,379  Zyxel Employee
    Hi @Mario
    We haven't observed any correlation about black account and we're investigating it and will keep you posted.
  • Mario
    Mario Posts: 106  Ally Member
    @Zyxel_Stanley Thanks for the information, also got the security alert over mail.
    Can you share some details, affected firmware and IoCs?
    @zigandzag writes about added routes on the firewall, can you confirm?

    Thanks
    Mario
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,379  Zyxel Employee
    Hi @Mario
    Based on our investigation so far, a small subset of Zyxel security appliances is targeted. Currently we haven’t observed any direct correlation with specific firmware versions. The most effective way is to check whether any unknown SSL VPN user account, such as “zyxel_sllvpn”, “zyxel_ts”, or “zyxel_vpn_test”, has been created. If not, your device is not affected, and please follow the mitigations below as a precaution.

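The check Zyxel_Stanley describes (look for unknown SSL VPN user accounts) is easy to get wrong by eye across several firewalls, so here is an added example (not Zyxel's code) that compares the account list from Configuration > Object > User/Group against a baseline the administrator keeps, and separately reports the account names this thread gives as indicators. The comma-separated input format and the sample accounts are constructed; only the indicator names come from the thread.

```python
"""Added example (not Zyxel's code): audit the ZyWALL local user list against an
admin-kept baseline. The input format (one 'name,type' per line, as an admin
might transcribe from Configuration > Object > User/Group) is constructed."""

# Account names the Zyxel reply in this thread says to look for.
INDICATOR_NAMES = {"zyxel_sllvpn", "zyxel_ts", "zyxel_vpn_test"}

# Constructed sample export; 'manage' and 'zyxel_ts' mirror the accounts the
# original poster found after the firmware update.
SAMPLE_USERS = """\
# name,user-type
admin,admin
netops,limited-admin
manage,user
zyxel_ts,user
"""

# The accounts the administrator deliberately created (constructed baseline).
BASELINE = {"admin", "netops"}


def parse_users(text):
    """Parse the transcribed user list into {name: user_type}, skipping comments."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, user_type = line.partition(",")
        users[name.strip()] = user_type.strip() or "unknown"
    return users


def audit(users, baseline, indicators=INDICATOR_NAMES):
    """Return (indicator_hits, unknown_accounts, missing_from_device).

    indicator_hits:  names matching the thread's indicator list (case-insensitive)
    unknown_accounts: present on the device but not in the baseline and not an indicator
    missing_from_device: baseline accounts that have disappeared (worth a look too)
    """
    names = set(users)
    hits = sorted(n for n in names if n.lower() in indicators)
    unknown = sorted(names - baseline - set(hits))
    missing = sorted(baseline - names)
    return hits, unknown, missing


if __name__ == "__main__":
    hits, unknown, missing = audit(parse_users(SAMPLE_USERS), BASELINE)
    print("indicator accounts present:", hits)
    print("accounts not in baseline:  ", unknown)
    print("baseline accounts missing: ", missing)
```

Anything in the first two lists deserves the follow-up the thread recommends (remove the account, change the admin password, and review WAN access); the same baseline-diff idea applies to the SSL VPN policy and routes that zigandzag mentions.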
  • inchica
    inchica Posts: 10  Freshman Member
    We had an attack attempt over the weekend.  

    Here is the IP address and ports they used to attempt to access our device:
    191.101.132.5:1943
    191.101.132.5:28693

    They used our private admin accounts - they had the names of our private admin accounts. 

    They were not able to access our device because we had disabled WAN access for admins.  

    I am very concerned that they had knowledge of our private admin names.  

    I will update the firewalls with the latest firmware that Zyxel just released.


  • inchica
    inchica Posts: 10  Freshman Member
    Is there a way to disable the Web GUI from displaying?

    Scenario:  
    1. Enter IP address into web browser
    2. Our Zyxel firewall device Web GUI appears

    We do not want the Web GUI to appear if our IP address is entered into a browser.  Is there a way to disable it?


  • splayer7
    splayer7 Posts: 3
    @inchica How did you know you had an attempted attack if WAN was disabled?  I have done the same with mine, but would like to see if I also had an attempt.
