Attack ATP 800 - firmware 5.39 - ssl vpn

Deuba · 12:46AM

Hello everyone, we were the victims of a hacker attack last Sunday.
From our perspective, the attackers gained access to our infrastructure by injecting code into the current firmware, creating an SSL VPN group including users and rules.
Everything was detected and switched off early, but our IPSec VPN still crashes at irregular intervals and memory usage continues to increase.

Zyxel support only advised using the firmware that was released 2 weeks later.

Has anyone seen something similar and found a solution?

Zyxel_Melen · 7:45AM

Hi @Deuba

From our perspective, the attackers gained access to our infrastructure by injecting code into the current firmware, creating an SSL VPN group including users and rules.

This symptom sounds similar to the CVE we have solved in official firmware V5.39. Have you upgraded to it? Additionally, may I know which firmware version you have been told to use?

Omnia · 8:19AM

@deuba Did you have admin web-page open or with geoip? did you have change password in the last 2 months?

Deuba · 8:50AM

https://community.zyxel.com/en/discussion/comment/71123#Comment_71123

Hi @Zyxel_Melen
when we were attaked we used the firmware 5.39 since 1 week.
The only response to our support ticket was, that we should use a later firmware.
Now we have running V5.39(ABIQ.0)ITS-24WK36-r114040

But the ipsec vpns disconnect very often and the memory usage grows up that we nee restart the atp.

Omnia · 8:56AM

https://community.zyxel.com/en/discussion/comment/71128#Comment_71128

@Deuba if you haven't change password after the update, the password could be retrive in the past using 5.38 CVE or later

Deuba · 8:57AM

Hi @Omnia
yes we have admin webpage open but no geoip.
Admin passwort was changed in last 6 month with 2fa

Omnia · 9:08AM

Hi @Deuba, we have a similar incident, but they have gained access from a SSLVPN user with the right password. Maybe they have created the user in the pass, when you don't have the 2fa? there is other admin without 2fa?

maybe you can check event in secureporter to check when they create the user.

Deuba · 9:29AM

Hi @Omnia,
all admin users have 2fa.
No existing user was used. They didnt got admin access otherwise i think they could do a lot much more.
We have a second atp800 as backup, we are unsure if we replace that active one, if we got attacked again.

Omnia · 9:35AM

@Deuba check when they have create the user from secureporter, in other case we see they have created the user/admin and have delete it after use

Zyxel_Melen · 10:06AM

Hi @Deuba,

Please note that the V5.39 firmware blocks the command injection issue, but we still recommend you change the password of all admins after upgrading the firmware.

Deuba · 10:19AM

https://community.zyxel.com/en/discussion/comment/71141#Comment_71141

Hi @Omnia
we haven´t activated yet. No Feature we used before.

Attack ATP 800 - firmware 5.39 - ssl vpn

All Replies

Categories

Security Highlight

Security Help Center