Zyxel USG FLEX and ATP series – Upgrading your device and ALL credentials to avoid hackers' attack
Zyxel team has been tracking the recent activity of threat actors targeting Zyxel security appliances that were previously subject to vulnerabilities and admin passwords have not been changed since then. Users are advised to update ALL administrators accounts for optimal protection.
Based on our investigation, the threat actors were able to steal valid credentials information from previous vulnerabilities and such credentials were not changed, allowing them to now create SSL VPN tunnels with temporary users, such as “SUPPOR87”, “SUPPOR817” or “vpn”, and modifying the security policies to provide them with access to the device and network.
Affected Products:
ATP, USG FLEX Series in On-Premise Mode with remote management or SSL VPN enabled, at any point of time in the past, and which admin users credentials have NOT being updated or do not have 2FA enabled.
Those running the Nebula cloud management mode are NOT affected.
Affected Firmware Version: ZLD V4.32 to ZLD 5.38
How to find out if your firewall is affected?
As of time of writing, the symptoms of a compromised firewall exhibit the following:
-SSL VPN connections from suspicious or unknown users, such as 'SUPPORT87,' 'SUPPOR817,' or 'vpn', as well as any VPN users not created by the device administrator, should be flagged for further investigation."
-Admin and SSL VPN user logins from non-recognized IP addresses. While most of the connections are coming from other parts of the world, we have seen hackers connecting from European countries, possibly using other VPN services
-If SecuReporter is enabled for your device, the Activity and Logs shows the attackers connecting using the admins credentials and then creating the SSL VPN users and deleting them after VPN connection is used.
-Security policies created or modify opening access from ANY to ANY or from SSL VPN to Zywall and LAN, as well as opening WAN to LAN for existing NAT rules.
What can you do if you found the above mention points on your device?
Fix Action: Upgrade your device firmware to the LATEST release 5.39
Fix Action: Change ALL your password, DO NOT re-use the same password
-The ALL admin/user role password.
-The Pre-share key of your VPN settings (Remote Access and Site to Site VPN)
-The auth password with external auth server (AD server and Radius),
DO NOT USE User have administrator privilege to communicate external auth server
Fix Action: Remove all existence unknown admin and user accounts if any is still found.
Fix Action: Force Logout users and admins that are not recognized.
Fix Action: Remove firewall rules that are not meant to allow all access from WAN, SSL VPN Zones or Any.
Best Practice of the Firewall configuration
Review the Firewall configuration
· Protect this with the GEO IP Country feature from your location Setup Assistance
· Make sure to set up all other not trusted connections from WAN to ZyWALL into a "deny" rule lower position as the allow rules.
2) Port Changes
[Be careful - so modify Firewall first, and if you self-connect by SSL VPN, it will reconnect you, don't block yourself] · Change the port of HTTPS to another port. Setup Assistance
· Change the port for SSL VPN to another port which does not overlap with HTTPS GUI Port.
3) Setup 2-factor Login Setup Assistiance
4) Add Private Encryption Key for your Configuration File.
Comments
-
so no problem with ZYWALL 110 model ?
0 -
We have a lot of 110/310/1100 series devices. I am also interested in the question of whether these devices are susceptible to the vulnerabilities found? This is very important for us.
0 -
could you give us an answer ?
1 -
should we panic ?
0 -
Hi @Asgatlat ,
The Affected Firmware Version is ZLD V4.32 to ZLD 5.38,
We still recommend taking the advice in the article and considering upgrading your hardware to obtain future security updates.
Thank you
0 -
Affected Products:
ATP, USG FLEX Series in On-Premise Mode with remote management or SSL VPN enabled, at any point of time in the past, and which admin users credentials have NOT being updated or do not have 2FA enabled.
Those running the Nebula cloud management mode are NOT affected.
Affected Firmware Version: ZLD V4.32 to ZLD 5.38
It is indicated that the ATP and FLEX series are vulnerable. The Zywall series is not mentioned.
1 -
Normally you would provide a CVE, but I see it has been a rough 14 months for Zyxel Security and there are a dozen of them. Why am I finding out about this accidently stumbling across it when I come to post a question on another issue? We have received ZERO email notifications from Zyxel in regard. Please be more proactive with email alerts. I am more worried about possible mandated built in back door for China government the way things are going now that Kapersky has been banned from USA. Wasn't this an issue about 4 or 5 years ago?
0 -
We found 2 routers, a USG Flex 50 and a VPN 100 that had 2 new SSL VPN security policies added. Both were on 5.37 firmware.
I disabled them here. The other router we restored from backup and we'll update this one after hours tonight. There are no other users logged into the router. Is this the same issue or is it a new one?
0 -
Where is the security advisory and announcements for 5.39P1 firmware?
1
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 146 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight