Zyxel USG FLEX and ATP series – Upgrading your device and ALL credentials to avoid hackers' attack

Zyxel team has been tracking the recent activity of threat actors targeting Zyxel security appliances that were previously subject to vulnerabilities and admin passwords have not been changed since then. Users are advised to update ALL administrators accounts for optimal protection.

Based on our investigation, the threat actors were able to steal valid credentials information from previous vulnerabilities and such credentials were not changed, allowing them to now create SSL VPN tunnels with temporary users, such as “SUPPOR87”, “SUPPOR817” or “vpn”, and modifying the security policies to provide them with access to the device and network.

Affected Products:

ATP, USG FLEX Series in On-Premise Mode with remote management or SSL VPN enabled, at any point of time in the past, and which admin users credentials have NOT being updated or do not have 2FA enabled.

Those running the Nebula cloud management mode are NOT affected.

Affected Firmware Version:  ZLD V4.32 to ZLD 5.38

How to find out if your firewall is affected?

As of time of writing, the symptoms of a compromised firewall exhibit the following:

-SSL VPN connections from suspicious or unknown users, such as 'SUPPORT87,' 'SUPPOR817,' or 'vpn', as well as any VPN users not created by the device administrator, should be flagged for further investigation."

-Admin and SSL VPN user logins from non-recognized IP addresses. While most of the connections are coming from other parts of the world, we have seen hackers connecting from European countries, possibly using other VPN services

-If SecuReporter is enabled for your device, the Activity and Logs shows the attackers connecting using the admins credentials and then creating the SSL VPN users and deleting them after VPN connection is used.

-Security policies created or modify opening access from ANY to ANY or from SSL VPN to Zywall and LAN, as well as opening WAN to LAN for existing NAT rules.

What can you do if you found the above mention points on your device?

Fix Action: Upgrade your device firmware to the LATEST release 5.39

Fix Action: Change ALL your password, DO NOT re-use the same password

-The ALL admin/user role password.

-The Pre-share key of your VPN settings (Remote Access and Site to Site VPN)

-The auth password with external auth server (AD server and Radius),

DO NOT USE User have administrator privilege to communicate external auth server

Fix Action: Remove all existence unknown admin and user accounts if any is still found.

Fix Action: Force Logout users and admins that are not recognized.

Fix Action: Remove firewall rules that are not meant to allow all access from WAN, SSL VPN Zones or Any.

Best Practice of the Firewall configuration

Review the Firewall configuration

· Protect this with the GEO IP Country feature from your location Setup Assistance

· Make sure to set up all other not trusted connections from WAN to ZyWALL into a "deny" rule lower position as the allow rules.

2) Port Changes

[Be careful - so modify Firewall first, and if you self-connect by SSL VPN, it will reconnect you, don't block yourself] · Change the port of HTTPS to another port. Setup Assistance

· Change the port for SSL VPN to another port which does not overlap with HTTPS GUI Port.

3) Setup 2-factor Login Setup Assistiance

4) Add Private Encryption Key for your Configuration File.