USG FLEX50W (20W-VPN) Factory Reset Not "5 Seconds" as stated in Manual

SierraTech
SierraTech Posts: 41  Freshman Member

Last Saturday, I attempted to perform Factory Reset of USG20W-VPN, since it was compromised with unknown administrators in the User list, on older FW (prior to 5.39).

Below is from the manual (PG 912):

1) Make sure the SYS LED is on and not blinking.
2) Press the RESET button and hold it until the SYS LED begins to blink. (This usually takes about five seconds.)
3) Release the RESET button, and wait for the Zyxel Device to restart.
You should be able to access the Zyxel Device using the default settings.

I previously had held it 25 Seconds, with SYS LED not coming back on, and after releasing it began to flash. I rebuilt the entire configuration (thinking it RESET to factory), but suffered the same loss of service after two hours of deployment, due to suspicious activity in Session Log Wiz_VPN.

Today, I once again performed a Factory RESET, and lo and behold, after 35 seconds the SYS LED flashed while I was depressing the RESET switch. I again rebuilt the configuration, rather than risk that the previous conf file might contain a reference to the bot.

Router has been running 1.5 hours, and traffic is pretty much flat-lined (which I would expect because the office is closed). Don't believe everything you read.

All Replies

  • smb_corp_user
    smb_corp_user Posts: 168  Master Member

    Thank you for the feedback. Very interesting.

  • SierraTech
    SierraTech Posts: 41  Freshman Member

    @smb_corp_user

    Thanks for your comments! I hope someone benefits from my loss of many hours rebuilding twice to eliminate the hidden VPN bot installed by a hacker.

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,409  Zyxel Employee
    edited November 18

    Hi @SierraTech,

    After checking, the User's guide mentions that the time the user presses the reset button to factory reset is about 5 seconds, which is correct information. Additionally, the SYS LED might not blink after you release the reset button since the firewall will reboot after the factory reset process. You can verify if you can log in to the firewall with the default admin & password after the factory reset. The reason your firewall had that configuration is more likely because the admin's password was still the same as before.

    In addition, we also released a new patch that fixed some vulnerabilities last week. We recommend you upgrade to this latest version:

  • SierraTech
    SierraTech Posts: 41  Freshman Member

    @Zyxel_Melen

    Thanks for the information!

    However, I have images of unknown traffic being sent out as VPN traffic after attempting a 25-second Factory RESET and rebuilding the configuration:

    Unknown VPN Traffic

    Example of TX Data before OFFICE Opened

    The unknown traffic has disappeared after the 35-second Factory Reset. Is it possible the manual is based on a minimum configuration, as opposed to a compromised router?

    I also had a bad Modem which caused network to drop a few hours after reboot. I isolated that issue after repairing Router.

  • valerio_vanni
    valerio_vanni Posts: 92  Ally Member

    About your "sessions by services" screenshot.

    This is not "vpn traffic": "services", there, means "ports".

    "Wiz_SSLVPN" is only a name for TCP port 443. The line you show tells that 192.168.*.* device has an https connection with destination. The only thing I don't understand is why the "user" column shows "admin".

    In my devices it shows "-" (none), and my condition makes more sense: an internal machine establishes a connection, and it's only traffic routed by the firewall device.

    Why in your log it's marked as "admin"?
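As an added illustration of the point made above (not code from the thread or from Zyxel), the script below parses a few constructed session-table rows shaped like the "sessions by services" view, translates the service label into a protocol/port (the thread states only that "Wiz_SSLVPN" is the firewall's name for TCP port 443; the other entries in the map are assumed placeholders), and flags routed LAN-to-WAN sessions whose user column is something other than "-". The column order and address ranges are assumptions for the example.

```python
"""
Constructed example: triage "sessions by services" rows.
The row layout (user, service, src, dst, tx_bytes) and the service-to-port
map are assumptions for illustration, not Zyxel's actual log format.
"""
from dataclasses import dataclass
from collections import defaultdict
import ipaddress

# Assumed service-name -> (protocol, port) mapping. Only the Wiz_SSLVPN entry
# comes from the thread (it is the firewall's label for TCP 443).
SERVICE_PORTS = {
    "Wiz_SSLVPN": ("tcp", 443),
    "HTTP": ("tcp", 80),        # placeholder
    "DNS": ("udp", 53),         # placeholder
}

# Assumed internal address space for deciding "routed LAN -> WAN".
LAN_NETS = [ipaddress.ip_network("192.168.0.0/16"),
            ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample rows: user,service,src,dst,tx_bytes
SAMPLE_SESSIONS = """\
admin,Wiz_SSLVPN,192.168.1.23,203.0.113.10,48211
-,Wiz_SSLVPN,192.168.1.40,198.51.100.7,1532
-,DNS,192.168.1.40,192.168.1.1,96
admin,HTTP,192.168.1.23,203.0.113.10,2048
"""


@dataclass
class Session:
    user: str
    service: str
    src: str
    dst: str
    tx_bytes: int


def parse_sessions(text):
    """Parse comma-separated rows into Session records, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, service, src, dst, tx = [f.strip() for f in line.split(",")]
        rows.append(Session(user, service, src, dst, int(tx)))
    return rows


def describe_service(name):
    """Translate a service label into 'proto/port'; unknown labels yield '?/0'."""
    proto, port = SERVICE_PORTS.get(name, ("?", 0))
    return f"{proto}/{port}"


def is_lan(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETS)


def suspicious_sessions(rows):
    """Routed LAN->WAN sessions normally carry user '-'; anything else is
    worth a look, because a named user means the firewall itself attributed
    the session to a login rather than to a plain forwarded flow."""
    return [s for s in rows
            if is_lan(s.src) and not is_lan(s.dst) and s.user != "-"]


def tx_bytes_by_source(rows):
    """Sum outbound bytes per internal source, to spot a host talking when
    the office is closed (the 'flat line' check from the original post)."""
    totals = defaultdict(int)
    for s in rows:
        totals[s.src] += s.tx_bytes
    return dict(totals)


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_SESSIONS)
    for s in suspicious_sessions(sessions):
        print(f"FLAG user={s.user} {s.src} -> {s.dst} "
              f"{s.service} ({describe_service(s.service)}) tx={s.tx_bytes}")
    print(tx_bytes_by_source(sessions))
```

Run as-is it flags the two rows attributed to "admin" and reports per-host outbound byte totals; point `parse_sessions` at an export of your own session view once you have adjusted the column order to match it.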

  • SierraTech
    SierraTech Posts: 41  Freshman Member

    @valerio_vanni

    Thanks for clarification on Port 443. I also discovered today a Factory RESET only purges Active firmware partition. I updated 5.38 Partition to 5.39(arb.1) and when I rebooted to the new firmware, I witnessed the same malicious traffic, so I aborted and switched back to 5.39(arb.0) until I can Factory RESET the other partition.

    Again I observed 'admin' traffic immediately (see below):

    I will need to take Router offline and bring to my home office, and clean it out!
