Attack ATP 800 - firmware 5.39 - ssl vpn

Deuba
Deuba Posts: 7  Freshman Member

Hello everyone, we were the victims of a hacker attack last Sunday.
From our perspective, the attackers gained access to our infrastructure by injecting code into the current firmware, creating an SSL VPN group including users and rules.
Everything was detected and switched off early, but our IPSec VPN still crashes at irregular intervals and memory usage continues to increase.

Zyxel support only advised using the firmware that was released 2 weeks later.

Has anyone seen something similar and found a solution?


All Replies

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,572  Zyxel Employee

    Hi @Deuba

    "From our perspective, the attackers gained access to our infrastructure by injecting code into the current firmware, creating an SSL VPN group including users and rules."

    This symptom sounds similar to the CVE we have solved in official firmware V5.39. Have you upgraded to it? Additionally, may I know which firmware version you have been told to use?

    Zyxel Melen


  • Omnia
    Omnia Posts: 51  Ally Member

    @deuba Did you have the admin web page open, or with GeoIP? Did you change the password in the last 2 months?

  • Deuba
    Deuba Posts: 7  Freshman Member

    Hi @Zyxel_Melen
    When we were attacked, we had been using firmware 5.39 for 1 week.
    The only response to our support ticket was that we should use a later firmware.
    Now we are running V5.39(ABIQ.0)ITS-24WK36-r114040.

    But the IPsec VPNs disconnect very often, and the memory usage grows so much that we need to restart the ATP.

  • Omnia
    Omnia Posts: 51  Ally Member

    @Deuba if you haven't changed the password after the update, the password could have been retrieved in the past using the 5.38 CVE or later

  • Deuba
    Deuba Posts: 7  Freshman Member

    Hi @Omnia
    Yes, we have the admin web page open but no GeoIP.
    The admin password was changed in the last 6 months, with 2FA.

  • Omnia
    Omnia Posts: 51  Ally Member

    Hi @Deuba, we have a similar incident, but they gained access from an SSL VPN user with the right password. Maybe they created the user in the past, when you didn't have 2FA? Is there another admin without 2FA?

    Maybe you can check the events in SecuReporter to see when they created the user.

  • Deuba
    Deuba Posts: 7  Freshman Member

    Hi @Omnia,
    All admin users have 2FA.
    No existing user was used. They didn't get admin access; otherwise I think they could have done a lot more.
    We have a second ATP800 as backup; we are unsure whether to replace the active one, if we get attacked again.

  • Omnia
    Omnia Posts: 51  Ally Member

    @Deuba check in SecuReporter when they created the user; in other cases we have seen that they created the user/admin and deleted it after use.

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,572  Zyxel Employee

    Hi @Deuba,

    Please note that the V5.39 firmware blocks the command injection issue, but we still recommend you change the password of all admins after upgrading the firmware.

    Zyxel Melen


  • Deuba
    Deuba Posts: 7  Freshman Member

    Hi @Omnia
    We haven't activated it yet. Not a feature we used before.
