Attack ATP 800 - firmware 5.39 - SSL VPN
Hello everyone, we were the victims of a hacker attack last Sunday.
From our perspective, the attackers gained access to our infrastructure by injecting code into the current firmware, creating an SSL VPN group including users and rules.
Everything was detected and switched off early, but our IPSec VPN still crashes at irregular intervals and memory usage continues to increase.
Zyxel support only advised using the firmware that was released 2 weeks later.
Has anyone seen something similar and found a solution?
All Replies
Hi @Deuba
From our perspective, the attackers gained access to our infrastructure by injecting code into the current firmware, creating an SSL VPN group including users and rules.
This symptom sounds similar to the CVE we have fixed in the official firmware V5.39. Have you upgraded to it? Additionally, may I know which firmware version you have been told to use?
Zyxel Melen
@Deuba Did you have the admin web page open, or with GeoIP? Did you change the password in the last 2 months?
Hi @Zyxel_Melen
When we were attacked, we had been using firmware 5.39 for 1 week.
The only response to our support ticket was that we should use a later firmware.
Now we are running V5.39(ABIQ.0)ITS-24WK36-r114040
But the IPsec VPNs disconnect very often and the memory usage grows until we need to restart the ATP.
Hi @Deuba, we had a similar incident, but they gained access from an SSL VPN user with the right password. Maybe they created the user in the past, when you didn't have 2FA? Is there another admin without 2FA?
Maybe you can check the events in SecuReporter to see when they created the user.
@Deuba check in SecuReporter when they created the user; in another case we saw that they created the user/admin and deleted it after use.
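The pattern this reply describes (an account created by an admin session, used for SSL VPN access, then deleted shortly afterwards) is something a defender can hunt for in exported audit events. The script below is an added example and is not code from this thread or from Zyxel: the log line format, field names such as create-user and tunnel-up, the account names and the IP addresses are all constructed for illustration and do not reflect the real SecuReporter export format, so the parser would need adapting to the actual columns.

```python
import re
from datetime import datetime, timedelta

# Constructed sample audit lines (hypothetical format, not Zyxel's or SecuReporter's).
# Scenario: an admin session creates svc_backup, builds an SSL VPN group, the account
# logs in over SSL VPN, and the account is deleted about an hour later.
SAMPLE_LOG = """\
2024-09-01 02:13:04 admin-activity src=203.0.113.7 user=admin action=login result=ok
2024-09-01 02:14:10 admin-activity src=203.0.113.7 user=admin action=create-user target=svc_backup
2024-09-01 02:14:32 admin-activity src=203.0.113.7 user=admin action=create-sslvpn-group target=grp_remote
2024-09-01 02:15:01 admin-activity src=203.0.113.7 user=admin action=add-user-to-group target=svc_backup group=grp_remote
2024-09-01 02:20:45 sslvpn src=198.51.100.9 user=svc_backup action=tunnel-up result=ok
2024-09-01 03:40:12 admin-activity src=203.0.113.7 user=admin action=delete-user target=svc_backup
2024-09-02 09:00:00 admin-activity src=192.0.2.10 user=admin action=login result=ok
2024-09-02 09:01:00 admin-activity src=192.0.2.10 user=admin action=create-user target=jdoe
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<category>\S+) (?P<rest>.*)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "category": m.group("category"),
    }
    for kv in m.group("rest").split():
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def parse_log(text):
    """Parse a whole log export, dropping unparseable lines."""
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def account_lifecycles(events):
    """Map account name -> creation time/source, deletion time and SSL VPN login times."""
    accounts = {}
    for e in events:
        action = e.get("action")
        if action == "create-user":
            life = accounts.setdefault(e["target"], {})
            life["created"] = e["ts"]
            life["created_src"] = e.get("src")
        elif action == "delete-user":
            accounts.setdefault(e["target"], {})["deleted"] = e["ts"]
        elif e["category"] == "sslvpn" and action == "tunnel-up":
            accounts.setdefault(e["user"], {}).setdefault("logins", []).append(e["ts"])
    return accounts


def short_lived_accounts(events, max_age=timedelta(hours=24)):
    """Accounts created and deleted within max_age: the create/use/delete pattern from the thread."""
    findings = []
    for name, life in account_lifecycles(events).items():
        if "created" in life and "deleted" in life and life["deleted"] - life["created"] <= max_age:
            findings.append({
                "account": name,
                "created": life["created"],
                "deleted": life["deleted"],
                "created_src": life.get("created_src"),
                "vpn_logins": len(life.get("logins", [])),
            })
    return findings


def sslvpn_group_changes(events):
    """Every SSL VPN group creation or membership change, with the admin session's source IP."""
    return [
        (e["ts"], e["action"], e.get("target"), e.get("src"))
        for e in events
        if e.get("action") in ("create-sslvpn-group", "add-user-to-group")
    ]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for f in short_lived_accounts(events):
        print(f"short-lived account {f['account']}: created {f['created']} from {f['created_src']}, "
              f"deleted {f['deleted']}, {f['vpn_logins']} SSL VPN login(s)")
    for ts, action, target, src in sslvpn_group_changes(events):
        print(f"{ts} {action} {target} by admin session from {src}")
```

Run against a real export, the two reports answer the questions raised in the thread: which accounts existed only briefly, from which admin source address they were created, and which SSL VPN group changes were made in the same session. The 24-hour window is an assumption to tune; a legitimately provisioned account such as jdoe in the sample, which was created but never deleted, is not reported.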
Hi @Deuba,
Please note that the V5.39 firmware blocks the command injection issue, but we still recommend you change the password of all admins after upgrading the firmware.
Zyxel Melen