Ransomware Helldown
All Replies
-
Hi, we have the same. the problem was that the password are compromised from 5.37/5.38 vulnerability. We have changed all password after the update to 5.39. we have close access to administration page to our ip, Geo-ip defence sslvpn and 2fa for all the user.
https://community.zyxel.com/en/discussion/26269/zyxel-usg-flex-and-atp-series-upgrading-your-device-and-all-credentials-to-avoid-hackers-attack#latest0 -
From your link:
***************************************************************
Initial Access
The
Truesec CSIRT
have primarily observed the Helldown ransomware group obtaining initial access through Zyxel firewalls. More specifically, one investigation showed that the TA would access the victim’s environment directly from the LAN IP-address of their internet facing Zyxel firewall.
Based on tests conducted of victims externally facing firewalls, the default behaviour should assign an authenticated SSL-VPN user an IP from a predefined IP-address pool 10.10.11.0/24, and any traffic from a SSL-VPN connected client towards the internal LAN would be sourced from that assigned IP-address. Despite this expected behaviour, traffic was sourced from 192.168.1.1 when the TA authenticated to any of the internal machines in the victims environment. The forensic team was left unable to investigate the underlying operating system of the compromised firewalls, and as such, were unable to positively confirm weather the threat actor utilized the SSL-VPN service to access the victims environment, or if the firewall device itself had been compromised via an exploit. The evidence points towards the latter of the two options.
The same investigation also showed that a user account was created on the externally facing firewall as part of the compromise. It was not confirmed if the user was created during a possible exploitation of the operating system, or post breach
I faced the issue on two devices with 5.38 firmware: a USG-FLEX 50 and USG-FLEX 200.To fix, I did this:
***************************************************************- put device offline
- delete all saved configurations (I didn't trust them anymore)
- load a configuration from a file I had saved offline
- upgrade firmware
- change every password (admins - users - vpn keys)
- put device online
I remember that I found a SUPPOR87 between logged users, but I didn't found it in user list.
I found SSL VPN policies (I use only Ipsec ones) and great scrambling in policy control page.
At that time, there was no more activity. Attack to LAN was over from many hours, and it's duration had been about an hour.
The attack was unsuccessful, since no access to active directory was successful. The only outcome was many users locked out for failed logons.
The attempt was limited to users that had an account also on firewall. The attacker, with control over firewall, took the list of user names and attempted those names against active directory. Don't know if with brute force or with credentials stealed from firewall, but users had other passwords on AD.
About natted source: I use only IPsec vpns, and there connection is routed (client appears to come from its IP). I suspected that SSL vpns worked the other way, but in that document I read that they are routed too.
In that document the author wonders how those connections could come from firewall.
I think that attacker could have simply set port forwarding rules.
When I realized that firewall was compromised (user logged on, ssl vpns activated, scrambled firewall rules), I focused more on recovery than on looking deeply on what had been changed.
Has someone kept configuration file from compromised state? It would be interesting to know.
0 -
Hi @Radovan and all,
Recent activity involving threat actors targeting Zyxel security appliances might be affected by previously disclosed vulnerabilities.
Based on our investigation, we have identified that the admin passwords for these devices have not been changed since the initial vulnerability disclosure.
If the password was compromised prior to the firmware update, there may still be residual risks even after upgrading to V5.39.To fully mitigate potential threats, we strongly recommend the following actions:
- Update to firmware V5.39 if you have not already done so.
- Change the administrator password immediately after updating.
- Review the device’s configuration for any unknown accounts or settings that may have been altered during the breach.
- Strongly recommend turning off web GUI access from WAN. If it is necessary, please enable 2FA for admin access and restrict access to specific source IPs.
For detailed information, please refer to the release notes linked below.
Kay
Share your feedback through our survey, make your voice heard, and win a WiFi 7 AP!
0 -
I am also facing the same issue.
any solution available?0 -
Hi @Anthonyy
Could you please share your firewall model and the issue you're experiencing?
To ensure advanced protection for your network, we recommend updating your firewall to the latest firmware version. As of now, the latest firmware versions are:
- ZLD Firewall(USG FLEX/ATP): V5.39P1
- uOS Firewal(USG FLEX H): V1.30P1
You can find the release notes for these updates here:
Kay
Share your feedback through our survey, make your voice heard, and win a WiFi 7 AP!
0 -
Thanks for the reply but my problem is solved, i go through youtube and find some videos of a decryption company and with the help of their decryptor i recovered all my data.
video link: https://www.youtube.com/watch?v=MI1i3btpXkE
Website link: https://decryptors.org/helldown-ransomware-decryptor/
0 -
Hello
I'm CTI Analyst at Sekoia.io
We also work on helldown, don't hesitate to contact me via this forum or via our address (in the article) to discuss the subject.
Normally, as mentioned by support, the firewall update fixes the vulnerability.2
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 144 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.6K Security
- 237 USG FLEX H Series
- 267 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.3K Consumer Product
- 247 Service & License
- 384 News and Release
- 83 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.2K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 71 Security Highlight