Zyxel Devices Targeted by Malicious Actors: Urgent Firmware Update Required
A recent security announcement by Serhii Boiarynov of the Zyxel EMEA team has uncovered malicious activity targeting Zyxel security appliances. Attackers are exploiting previously known vulnerabilities in the ATP and USG FLEX series to steal credentials and gain unauthorized access via SSL VPN tunnels. The activity has been traced to devices running outdated firmware, specifically versions from ZLD V4.32 through ZLD V5.38.
According to the report, the attackers are using credentials stolen in earlier attacks that have never been changed since. With these credentials they create temporary users, such as “SUPPOR87” or “SUPPOR817,” and modify security policies to grant themselves access to the network. “Based on our investigation, the threat actors were able to steal valid credentials from previous vulnerabilities… allowing them to now create SSL VPN tunnels with temporary users,” Boiarynov notes.
Administrators have been advised to look for several indicators that their devices may be compromised. These include:
- SSL VPN connections from suspicious usernames such as “SUPPOR87” or “SUPPOR817.”
- Admin logins from unknown IP addresses, particularly those originating from countries from which no legitimate administrator would connect.
- Unauthorized changes to security policies, such as opening access from WAN to LAN, or altering NAT rules to allow unrestricted traffic.
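The three indicators above can be turned into a simple log scan. The following is an added example, not code from Zyxel or from the report: it parses a constructed key=value log format (not the device's real syslog layout) and flags the suspicious usernames named in the report, admin logins from countries outside an assumed allowlist, and policy changes that open WAN to LAN or make a NAT rule unrestricted.

```python
"""Scan firewall log lines for the indicators of compromise listed in the report.

Added example (not Zyxel's code). The key=value log format and the sample
lines below are constructed for illustration; they are not the device's
real syslog layout.
"""
import re

# Usernames the report says the attackers created for SSL VPN access
SUSPICIOUS_USERS = {"SUPPOR87", "SUPPOR817"}

# Countries administrators are expected to log in from (assumed for this example)
ALLOWED_ADMIN_COUNTRIES = {"DE", "NL"}

# Constructed sample log; "XX" stands for a country no administrator uses
LOG_LINES = """
2024-09-02T08:12:01 event=admin_login user=admin src=203.0.113.7 country=DE result=success
2024-09-02T08:14:30 event=user_add by=admin user=SUPPOR817 group=sslvpn
2024-09-02T08:15:02 event=sslvpn_login user=SUPPOR817 src=198.51.100.23 country=XX result=success
2024-09-02T08:16:10 event=policy_change object=firewall_rule from=WAN to=LAN action=allow
2024-09-02T08:17:45 event=policy_change object=nat_rule dst=any service=any action=allow
2024-09-02T09:00:00 event=admin_login user=admin src=192.0.2.55 country=XX result=success
2024-09-02T09:05:00 event=sslvpn_login user=jsmith src=203.0.113.9 country=DE result=success
""".strip().splitlines()

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one constructed key=value log line into a dict (the timestamp is dropped)."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def classify(fields):
    """Map one parsed record onto the report's indicators; returns a list of alert strings."""
    alerts = []
    event = fields.get("event")
    user = fields.get("user", "")
    country = fields.get("country", "??")
    src = fields.get("src", "?")

    # Indicator 1: the temporary users named in the report, at creation or VPN login
    if event in {"user_add", "sslvpn_login"} and user.upper() in SUSPICIOUS_USERS:
        alerts.append(f"{event}: suspicious user {user} ({src})")

    # Indicator 2: admin login from a country outside the allowlist
    if event == "admin_login" and country not in ALLOWED_ADMIN_COUNTRIES:
        alerts.append(f"admin_login: {user} from non-allowlisted country {country} ({src})")

    # Indicator 3: policy changes that open WAN -> LAN or make NAT unrestricted
    if event == "policy_change" and fields.get("action") == "allow":
        obj = fields.get("object")
        if obj == "firewall_rule" and fields.get("from") == "WAN" and fields.get("to") == "LAN":
            alerts.append("policy_change: firewall rule opened WAN -> LAN")
        if obj == "nat_rule" and fields.get("dst") == "any" and fields.get("service") == "any":
            alerts.append("policy_change: NAT rule permits unrestricted traffic")
    return alerts


def scan(lines):
    """Return (line_number, alert) pairs for every indicator found in the log."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for alert in classify(parse_line(line)):
            hits.append((number, alert))
    return hits


if __name__ == "__main__":
    for number, alert in scan(LOG_LINES):
        print(f"line {number}: {alert}")
```

Running the block over the constructed sample reports the user creation, the VPN login by that user, both policy changes, and the admin login from the unexpected country, while the two legitimate logins produce nothing. In a real deployment the allowlist and the field names would come from the organization's own log source.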
In more severe cases, attackers may even access Active Directory (AD) servers through compromised VPN connections, encrypting critical files. “The hacker uses the SSL VPN connection to access the AD server and encrypt files,” warns the report.
To protect against these attacks, Zyxel strongly recommends updating devices to the latest firmware, version 5.39, and changing ALL passwords associated with admin accounts, user accounts, and VPN settings. “Proceed to upgrade your device to LATEST Firmware 5.39 if it is still not upgraded,” the report advises.
Additionally, administrators should remove any unknown users, forcibly log out suspicious sessions, and remove firewall rules that allow broad access from WAN or SSL VPN zones. Implementing two-factor authentication (2FA) and changing default ports for SSL VPN access are also highly recommended.
The Zyxel team emphasizes the importance of following security best practices. Administrators should regularly review firewall configurations and ensure that all non-trusted connections are denied by default. The report also highlights the importance of using the GEO IP Country feature to restrict access to specific regions and adding a private encryption key to configuration files.
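The remediation steps in the preceding paragraphs amount to a checklist, and the following added example (not Zyxel's code) audits a device configuration against it: firmware inside the targeted ZLD V4.32 to V5.38 range, accounts outside a known inventory, allow rules from the WAN or SSL VPN zones, a non-deny default policy, 2FA, the SSL VPN port, GEO IP restriction, and a configuration encryption key. The configuration dictionaries, their keys, the account inventory and the default SSL VPN port value are all constructed assumptions, not the real ZLD configuration format.

```python
"""Audit an exported firewall configuration against the hardening steps in the report.

Added example (not Zyxel's code). The config dictionaries and their keys are a
constructed stand-in for a device export, not the real ZLD configuration format.
"""
import re

FIRMWARE_RE = re.compile(r"^(?:ZLD\s*)?V?(\d+)\.(\d+)", re.IGNORECASE)
AFFECTED_RANGE = ((4, 32), (5, 38))   # firmware range the report says was targeted
FIXED_VERSION = (5, 39)               # firmware the report tells administrators to install
KNOWN_ACCOUNTS = {"admin", "jsmith"}  # assumed inventory of legitimate accounts
ASSUMED_DEFAULT_SSLVPN_PORT = 443     # placeholder for the factory SSL VPN port (assumption)

# Constructed config resembling an unpatched device with the attacker's changes in place
WEAK_CONFIG = {
    "firmware": "ZLD V5.38",
    "users": ["admin", "jsmith", "SUPPOR87"],
    "firewall_rules": [
        {"from": "WAN", "to": "LAN", "action": "allow"},
        {"from": "SSL_VPN", "to": "any", "action": "allow"},
    ],
    "default_policy": "allow",
    "two_factor": False,
    "sslvpn_port": 443,
    "geoip_restriction": False,
    "config_encryption_key": False,
}

# Constructed config after the report's recommendations have been applied
HARDENED_CONFIG = {
    "firmware": "ZLD V5.39",
    "users": ["admin", "jsmith"],
    "firewall_rules": [
        {"from": "LAN", "to": "WAN", "action": "allow"},
        {"from": "SSL_VPN", "to": "LAN", "action": "allow"},
    ],
    "default_policy": "deny",
    "two_factor": True,
    "sslvpn_port": 10443,
    "geoip_restriction": True,
    "config_encryption_key": True,
}


def parse_firmware(version):
    """Turn 'ZLD V5.38', 'V4.32' or '5.39' into a comparable (major, minor) tuple."""
    match = FIRMWARE_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised firmware string: {version!r}")
    return int(match.group(1)), int(match.group(2))


def audit(cfg):
    """Return one finding per recommendation the configuration does not meet."""
    findings = []
    firmware = parse_firmware(cfg["firmware"])
    if AFFECTED_RANGE[0] <= firmware <= AFFECTED_RANGE[1]:
        findings.append(
            f"firmware {firmware[0]}.{firmware[1]} is in the targeted range; "
            f"upgrade to {FIXED_VERSION[0]}.{FIXED_VERSION[1]}"
        )
    for user in cfg["users"]:
        if user not in KNOWN_ACCOUNTS:
            findings.append(f"unknown account {user!r}; remove it and rotate all credentials")
    for rule in cfg["firewall_rules"]:
        if rule["action"] != "allow":
            continue
        if rule["from"] == "WAN" and rule["to"] == "LAN":
            findings.append("firewall rule allows WAN -> LAN; remove it")
        elif rule["from"] == "SSL_VPN" and rule["to"] == "any":
            findings.append("firewall rule allows SSL VPN zone -> any; narrow it")
    if cfg["default_policy"] != "deny":
        findings.append("non-trusted connections are not denied by default")
    if not cfg["two_factor"]:
        findings.append("two-factor authentication is disabled")
    if cfg["sslvpn_port"] == ASSUMED_DEFAULT_SSLVPN_PORT:
        findings.append("SSL VPN still listens on the default port; change it")
    if not cfg["geoip_restriction"]:
        findings.append("GEO IP country restriction is not enabled")
    if not cfg["config_encryption_key"]:
        findings.append("configuration file has no private encryption key")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit(cfg))} finding(s)")
        for finding in audit(cfg):
            print("  -", finding)
```

The weak configuration fails every check, the hardened one passes all of them. The version comparison treats the range as inclusive at both ends, matching the report's wording that ZLD V4.32 through V5.38 were affected and 5.39 is the fix.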
As malicious actors continue to exploit unpatched vulnerabilities, administrators must remain vigilant in updating their systems and implementing these recommendations. Failing to address these issues could lead to unauthorized access, data encryption, and widespread disruption of network operations.