Zyxel USG FLEX and ATP series – Upgrading your device and ALL credentials to avoid hackers' attack

Zyxel_Kevin
Zyxel_Kevin Posts: 892  Zyxel Employee
Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 500 Comments
edited October 22 in Security

Zyxel team has been tracking the recent activity of threat actors targeting Zyxel security appliances that were previously subject to vulnerabilities and admin passwords have not been changed since then. Users are advised to update ALL administrators accounts for optimal protection.

Based on our investigation, the threat actors were able to steal valid credentials information from previous vulnerabilities and such credentials were not changed, allowing them to now create SSL VPN tunnels with temporary users, such as “SUPPOR87”, “SUPPOR817” or “vpn”, and modifying the security policies to provide them with access to the device and network.

Affected Products:

ATP, USG FLEX Series in On-Premise Mode with remote management or SSL VPN enabled, at any point of time in the past, and which admin users credentials have NOT being updated or do not have 2FA enabled.

Those running the Nebula cloud management mode are NOT affected.

Affected Firmware Version:  ZLD V4.32 to ZLD 5.38

How to find out if your firewall is affected?

As of time of writing, the symptoms of a compromised firewall exhibit the following:

-SSL VPN connections from suspicious or unknown users, such as 'SUPPORT87,' 'SUPPOR817,' or 'vpn', as well as any VPN users not created by the device administrator, should be flagged for further investigation."

-Admin and SSL VPN user logins from non-recognized IP addresses. While most of the connections are coming from other parts of the world, we have seen hackers connecting from European countries, possibly using other VPN services

-If SecuReporter is enabled for your device, the Activity and Logs shows the attackers connecting using the admins credentials and then creating the SSL VPN users and deleting them after VPN connection is used.

-Security policies created or modify opening access from ANY to ANY or from SSL VPN to Zywall and LAN, as well as opening WAN to LAN for existing NAT rules.

What can you do if you found the above mention points on your device?

Fix Action: Upgrade your device firmware to the LATEST release 5.39

Fix Action: Change ALL your password, DO NOT re-use the same password

-The ALL admin/user role password.

-The Pre-share key of your VPN settings (Remote Access and Site to Site VPN)

-The auth password with external auth server (AD server and Radius),

DO NOT USE User have administrator privilege to communicate external auth server

Fix Action: Remove all existence unknown admin and user accounts if any is still found.

Fix Action: Force Logout users and admins that are not recognized.

Fix Action: Remove firewall rules that are not meant to allow all access from WAN, SSL VPN Zones or Any.

Best Practice of the Firewall configuration

Review the Firewall configuration

· Protect this with the GEO IP Country feature from your location Setup Assistance

· Make sure to set up all other not trusted connections from WAN to ZyWALL into a "deny" rule lower position as the allow rules.

2) Port Changes

[Be careful - so modify Firewall first, and if you self-connect by SSL VPN, it will reconnect you, don't block yourself] · Change the port of HTTPS to another port. Setup Assistance

· Change the port for SSL VPN to another port which does not overlap with HTTPS GUI Port.

3) Setup 2-factor Login Setup Assistiance

4) Add Private Encryption Key for your Configuration File.

Comments

  • Asgatlat
    Asgatlat Posts: 104  Ally Member
    First Comment Friend Collector Seventh Anniversary

    so no problem with ZYWALL 110 model ?

  • jonatan
    jonatan Posts: 189  Master Member
    5 Answers First Comment Friend Collector Seventh Anniversary

    @Zyxel_Kevin

    We have a lot of 110/310/1100 series devices. I am also interested in the question of whether these devices are susceptible to the vulnerabilities found? This is very important for us.

  • Asgatlat
    Asgatlat Posts: 104  Ally Member
    First Comment Friend Collector Seventh Anniversary

    @Zyxel_Kevin

    could you give us an answer ?

  • Asgatlat
    Asgatlat Posts: 104  Ally Member
    First Comment Friend Collector Seventh Anniversary

    should we panic ?

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 892  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 500 Comments

    Hi @Asgatlat ,

    The Affected Firmware Version is ZLD V4.32 to ZLD 5.38,

    We still recommend taking the advice in the article and considering upgrading your hardware to obtain future security updates.

    Thank you

  • jonatan
    jonatan Posts: 189  Master Member
    5 Answers First Comment Friend Collector Seventh Anniversary
    edited October 25

    @Zyxel_Kevin

    Affected Products:

    ATP, USG FLEX Series in On-Premise Mode with remote management or SSL VPN enabled, at any point of time in the past, and which admin users credentials have NOT being updated or do not have 2FA enabled.

    Those running the Nebula cloud management mode are NOT affected.

    Affected Firmware Version:  ZLD V4.32 to ZLD 5.38

    It is indicated that the ATP and FLEX series are vulnerable. The Zywall series is not mentioned.

  • RickyC
    RickyC Posts: 11  Freshman Member
    First Comment Friend Collector Fourth Anniversary

    Normally you would provide a CVE, but I see it has been a rough 14 months for Zyxel Security and there are a dozen of them. Why am I finding out about this accidently stumbling across it when I come to post a question on another issue? We have received ZERO email notifications from Zyxel in regard. Please be more proactive with email alerts. I am more worried about possible mandated built in back door for China government the way things are going now that Kapersky has been banned from USA. Wasn't this an issue about 4 or 5 years ago?

  • Zyxel_Vic
    Zyxel_Vic Posts: 282  Zyxel Employee
    25 Answers First Comment Friend Collector Seventh Anniversary

    Hi @jonatan

    Thank you for asking.

    It mainly affects the ATP/FLEX Series products.

  • electsystech
    electsystech Posts: 47  Freshman Member
    First Answer First Comment Friend Collector Fifth Anniversary
    edited November 1

    We found 2 routers, a USG Flex 50 and a VPN 100 that had 2 new SSL VPN security policies added. Both were on 5.37 firmware.

    I disabled them here. The other router we restored from backup and we'll update this one after hours tonight. There are no other users logged into the router. Is this the same issue or is it a new one?

  • mMontana
    mMontana Posts: 1,389  Guru Member
    50 Answers 1000 Comments Friend Collector Fifth Anniversary

    Where is the security advisory and announcements for 5.39P1 firmware?