Ransomware Helldown

Radovan
Radovan Posts: 2  Freshman Member

Hello,

Please comment on this article: https://www.truesec.com/hub/blog/helldown-ransomware-group 

We have Zywall firewalls deployed at all of our customers and two have already been attacked by Helldown ransomware.

All Replies

  • Omnia
    Omnia Posts: 51  Ally Member

    Hi, we have the same. The problem was that the passwords were compromised through the 5.37/5.38 vulnerability. We changed all passwords after the update to 5.39. We have limited access to the administration page to our IP, and added Geo-IP defence for SSL VPN and 2FA for all users.

    https://community.zyxel.com/en/discussion/26269/zyxel-usg-flex-and-atp-series-upgrading-your-device-and-all-credentials-to-avoid-hackers-attack#latest

  • valerio_vanni
    valerio_vanni Posts: 116  Ally Member
    edited November 13

    From your link:

    ***************************************************************

    Initial Access

    The Truesec CSIRT have primarily observed the Helldown ransomware group obtaining initial access through Zyxel firewalls. More specifically, one investigation showed that the TA would access the victim’s environment directly from the LAN IP-address of their internet facing Zyxel firewall.

    Based on tests conducted of victims' externally facing firewalls, the default behaviour should assign an authenticated SSL-VPN user an IP from a predefined IP-address pool 10.10.11.0/24, and any traffic from a SSL-VPN connected client towards the internal LAN would be sourced from that assigned IP-address. Despite this expected behaviour, traffic was sourced from 192.168.1.1 when the TA authenticated to any of the internal machines in the victims' environment. The forensic team was left unable to investigate the underlying operating system of the compromised firewalls, and as such, were unable to positively confirm whether the threat actor utilized the SSL-VPN service to access the victims' environment, or if the firewall device itself had been compromised via an exploit. The evidence points towards the latter of the two options.

    The same investigation also showed that a user account was created on the externally facing firewall as part of the compromise. It was not confirmed if the user was created during a possible exploitation of the operating system, or post breach.


    ***************************************************************

    I faced the issue on two devices with 5.38 firmware: a USG-FLEX 50 and a USG-FLEX 200. To fix, I did this:
    1. put device offline
    2. delete all saved configurations (I didn't trust them anymore)
    3. load a configuration from a file I had saved offline
    4. upgrade firmware
    5. change every password (admins - users - vpn keys)
    6. put device online
    Then I restricted https/ssh access to fixed IP and set 2FA for VPN users.

    The natted source seems interesting. I confirm that connections came from USG LAN IP.

    I remember that I found a SUPPOR87 among the logged-in users, but I didn't find it in the user list.

    I found SSL VPN policies (I use only IPsec ones) and great scrambling in the policy control page.

    At that time, there was no more activity. The attack on the LAN had been over for many hours, and its duration had been about an hour.

    The attack was unsuccessful, since no access to active directory was successful. The only outcome was many users locked out for failed logons.

    The attempt was limited to users that also had an account on the firewall. The attacker, with control over the firewall, took the list of user names and attempted those names against Active Directory. I don't know if it was with brute force or with credentials stolen from the firewall, but users had other passwords on AD.

    About natted source: I use only IPsec vpns, and there connection is routed (client appears to come from its IP). I suspected that SSL vpns worked the other way, but in that document I read that they are routed too.

    In that document the author wonders how those connections could come from firewall.

    I think that the attacker could have simply set port forwarding rules.

    When I realized that firewall was compromised (user logged on, ssl vpns activated, scrambled firewall rules), I focused more on recovery than on looking deeply on what had been changed.

    Has anyone kept a configuration file from the compromised state? It would be interesting to know.
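
A detection sketch for the pattern described in the posts above (failed logons against many accounts arriving from the firewall's own LAN address instead of a VPN pool address), added here as an example and not taken from any poster, Truesec or Zyxel. The CSV layout, the 60-minute window and the three-account threshold are assumptions; 4625 is the Windows failed-logon event ID, and the two addresses are the ones quoted from the Truesec article.

```python
import csv
import io
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

FIREWALL_LAN_IPS = {ip_address("192.168.1.1")}  # firewall LAN address quoted in the thread
VPN_POOL = ip_network("10.10.11.0/24")          # SSL-VPN pool quoted in the thread
WINDOW = timedelta(minutes=60)                  # assumed burst window
MIN_ACCOUNTS = 3                                # assumed threshold of distinct accounts

# Constructed sample export of domain controller logon events (not real data).
SAMPLE = """\
time,event_id,user,src_ip
2024-11-01T02:10:05,4625,alice,192.168.1.1
2024-11-01T02:10:09,4625,bob,192.168.1.1
2024-11-01T02:11:30,4625,carol,192.168.1.1
2024-11-01T02:40:00,4625,alice,192.168.1.1
2024-11-01T02:41:00,4625,dave,10.10.11.23
2024-11-01T09:15:00,4625,erin,192.168.1.50
2024-11-02T08:00:00,4625,bob,192.168.1.1
"""

def classify(src_ip):
    """Label a source address as the firewall itself, a VPN client, or other."""
    ip = ip_address(src_ip)
    if ip in FIREWALL_LAN_IPS:
        return "firewall"
    return "vpn" if ip in VPN_POOL else "other"

def find_firewall_sourced_bursts(csv_text):
    """Return (first_seen, last_seen, accounts) for each burst of failed
    logons (4625) sourced from the firewall's own LAN address."""
    fails = sorted(
        (datetime.fromisoformat(r["time"]), r["user"])
        for r in csv.DictReader(io.StringIO(csv_text))
        if r["event_id"] == "4625" and classify(r["src_ip"]) == "firewall"
    )
    alerts, i = [], 0
    while i < len(fails):
        j = i
        while j < len(fails) and fails[j][0] - fails[i][0] <= WINDOW:
            j += 1  # extend the window that starts at event i
        accounts = sorted({user for _, user in fails[i:j]})
        if len(accounts) >= MIN_ACCOUNTS:
            alerts.append((fails[i][0], fails[j - 1][0], accounts))
        i = j
    return alerts

if __name__ == "__main__":
    for first, last, accounts in find_firewall_sourced_bursts(SAMPLE):
        print(f"{first} to {last}: failed logons from firewall IP for {accounts}")
```

A firewall normally has no reason to authenticate to internal hosts, so any hit here is worth checking against the firewall's own user list and NAT/port-forwarding rules.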

  • Zyxel_Kay
    Zyxel_Kay Posts: 1,199  Zyxel Employee
    edited November 26

    Hi @Radovan and all,

    Recent activity involving threat actors targeting Zyxel security appliances might be affected by previously disclosed vulnerabilities.

    Based on our investigation, we have identified that the admin passwords for these devices have not been changed since the initial vulnerability disclosure.
    If the password was compromised prior to the firmware update, there may still be residual risks even after upgrading to V5.39.

    To fully mitigate potential threats, we strongly recommend the following actions:

    1. Update to firmware V5.39 if you have not already done so.
    2. Change the administrator password immediately after updating.
    3. Review the device’s configuration for any unknown accounts or settings that may have been altered during the breach.
    4. Strongly recommend turning off web GUI access from WAN. If it is necessary, please enable 2FA for admin access and restrict access to specific source IPs.

    For detailed information, please refer to the release notes linked below.

    Kay


  • Anthonyy
    Anthonyy Posts: 2  Freshman Member

    I am also facing the same issue.
    Any solution available?

  • Zyxel_Kay
    Zyxel_Kay Posts: 1,199  Zyxel Employee

    Hi @Anthonyy

    Could you please share your firewall model and the issue you're experiencing?

    To ensure advanced protection for your network, we recommend updating your firewall to the latest firmware version. As of now, the latest firmware versions are:

    • ZLD Firewall(USG FLEX/ATP): V5.39P1
    • uOS Firewall(USG FLEX H): V1.30P1

    You can find the release notes for these updates here:

    Kay


  • Anthonyy
    Anthonyy Posts: 2  Freshman Member

    Thanks for the reply, but my problem is solved. I went through YouTube and found some videos of a decryption company, and with the help of their decryptor I recovered all my data.

    video link: https://www.youtube.com/watch?v=MI1i3btpXkE

    Website link: https://decryptors.org/helldown-ransomware-decryptor/

  • jeremy_sekoia
    jeremy_sekoia Posts: 2  Freshman Member

    Hello
    I'm a CTI analyst at Sekoia.io.
    We also work on Helldown; don't hesitate to contact me via this forum or via our address (in the article) to discuss the subject.
    Normally, as mentioned by support, the firewall update fixes the vulnerability.

    https://blog.sekoia.io/helldown-ransomware-an-overview-of-this-emerging-threat/
