Hacked VPN100
Freshman Member
All Replies
-
Here a follow up. On the night to monday, someone tried to gain access to many zywalls vpn100.
Starting at 2h for about 4h utc+1. I found traces in many devices. First sign is a configfile with the name zzz1.conf uploaded to the zywall.
In one case they where successfull to compromise the zywall and to get access to the network.
In other cases it looks like they got stuck in the attack.Since the attack went trough a lot of devices at the same time, I get the impression that they harvested the targets in advance and tried a concentrated attack.
0 -
Hi @WebWorks,
Thanks for the information. I will send you a private message to collect some basic information. Please check your forum message box.
0 -
Hey @WebWorks,
Do you have any information that you can share with me about this?
I am currently investigating something eerily similar.
I have recently seen a Zyxel FLEX 500 and a ATP200 get compromised, I believe both on V5.38 at that time. On the Flex 500 I found a User account and a SSL VPN created with that same name (OKSDW82A if that means anything but it is probably random).
Luckily, our AV\EDR\SOC stopped the malicious activity that then originated from that SSLVPN, and we were able to isolate the environment before any damage was done.0 -
Hi @WebWorks,
Thanks for providing detailed information in the private message.
However, the config file you provided is not a config file. I opened it but the content was some random texts. Could you help to check it again? Also, please help us collect the diagnostic info to investigate this issue.
0 -
Hi @TGriff,
Thanks for your info~
Could you help collect the diagnostic info so we can investigate this issue? I will send you a private message and you may share the file with me in the message.
Also, please help to upgrade to the latest firmware version 5.39. We have fixed some CVE cases in the latest firmware version.
0 -
Please also reference these FAQs to protect your network. If you have taken these actions but still encounter this issue, please help to collect the diagnostic info and share it with us.
0 -
I'd like to know, if willing to share, the continent of the compromised devices and if the management port has been changed from the default.
0 -
Here a basic follow up on this case:
VPN100 V5.37(ABFV.2), lastest Version for this Device.
Europe, time in UTC+1 and european summertime, attack monday morning beween 2 and 6am.
Attacked many VPN100, found the "config file" zzz1.conf on all these devices with this timestamps.
in one device I found a User account and a SSL VPN created with that same name like OKSDW82A … and also a strange route.
The access port for the webinterface was changed on all devices and since they all got attacked in the same 4 hours it looks to me like somebody harvested the adresses in advance.
More information can be provided to zyxel, please tell me how to communicate in a secret way.0 -
Another remark to zyxel:
I use many VPN100, because of VPN Performance and the use of L2TP.
The existing Flex Series use the same interface and functionality like the VPN Series but lack of VPN Performance.So I wanted to implement an new Flex 100H with enhanced VPN performance.
Bad Idea, Registration to Nebula, missing L2TP VPN, just not found possibilities to adjust neede settings for VOIP ALG, UDP Timeouts, ShellScript to Adjust and so on ….So Zyxel, since you have Security Problems with this OLD VPN Series what do you provide as a actual alternative to quickly replace these voulnerable devices?
0 -
Hi @WebWorks,
You may send the file to me via the message I sent. You may find the message like below:
0
Zyxel Employee
Guru Member
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 144 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.6K Security
- 239 USG FLEX H Series
- 267 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.3K Consumer Product
- 247 Service & License
- 384 News and Release
- 83 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.2K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 71 Security Highlight
