
Evidence of firewall policies added by the threat actor | Source: Yarix
The YIR Team (Yarix Incident Response Team), led by incident responder Claudio Vozza, has detailed a recent campaign by the Helldown ransomware group exploiting vulnerabilities in Zyxel devices.
The attack chain began with the exploitation of a vulnerability in Zyxel devices, which granted attackers administrator access to the firewall console. From there, the cybercriminals collected domain credentials and established persistent access. Vozza’s report explains, “This is the case of the exploitation of a vulnerability relating to Zyxel devices, which, once exploited, allowed the threat actor to obtain administrator access to the firewall console and to collect credentials, including those relating to the corporate domain, for subsequent reuse, allowing attackers to compromise the infrastructure.”
Zyxel confirmed the vulnerability on September 3, 2024, recommending immediate firmware updates to mitigate the risk. Despite these advisories, many organizations remained vulnerable, leaving their infrastructure exposed.
Helldown is known for its aggressive tactics, targeting both Windows and Linux systems with advanced ransomware variants. The group often employs double extortion methods, exfiltrating sensitive data and threatening public disclosure if ransom demands are unmet. In this campaign, Helldown:
- Used VPN Anonymization: The attackers obscured their location through VPN services like Mullvad and NordVPN. As highlighted, “Cybercriminals chose their geolocation appropriately to align with the victim’s country, using VPN services to hide their real origin.”
- Created Backdoor Accounts: Accounts such as “SUPPOR87” and “vpn” were established on compromised firewalls, allowing recurring access for extended campaigns.
- Deployed Sophisticated Ransomware: The ransomware was specifically tailored for both Windows and Linux environments, including ESXi servers. The file encryption was accompanied by ransom notes threatening data publication on the dark web.
Helldown demonstrated remarkable sophistication, employing tools like:
- Mimikatz for credential harvesting, enabling deeper infiltration.
- Advanced IP Scanner, renamed to “i.exe,” for network reconnaissance.
- Custom PowerShell commands to deploy ransomware across devices.
- Direct use of SCP (Secure Copy Protocol) and OpenSSH for transferring ransomware to ESXi servers.
The group’s activities included manually killing active virtual machine processes on ESXi servers before initiating encryption. The report detailed, “The ransomware file in question, upon its execution, encrypted the data contained in the system and within the active network shares, applying the extension ‘.locklocklock’ to the impacted files and releasing the ransom note named ‘Readme-locklocklock.txt’.”
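A defender-side sweep for the artefacts this report names (the backdoor account names on the firewall, the renamed scanner, the `.locklocklock` extension and the ransom note). This is an added example, not code from Yarix or the report; the `source|value` record format, the `sweep` and `severity` functions and the sample records are constructed for illustration.

```python
import ntpath

# Indicator values quoted in the report text above.
BACKDOOR_ACCOUNTS = {"suppor87", "vpn"}   # accounts created on compromised firewalls
RENAMED_SCANNER = "i.exe"                 # Advanced IP Scanner renamed by the actor
ENCRYPTED_EXT = ".locklocklock"           # extension applied to encrypted files
RANSOM_NOTE = "readme-locklocklock.txt"   # note dropped beside encrypted data

def basename(path):
    """Lower-cased last path component; ntpath handles both '\\' and '/'."""
    return ntpath.basename(path).lower()

def sweep(lines):
    """Scan constructed 'source|value' records and collect matched indicators.
    Sources: 'fw_account' (firewall admin account), 'process' (image path on a
    Windows or ESXi host), 'file' (path seen on a share or datastore)."""
    findings = {"backdoor_accounts": [], "renamed_scanner": [],
                "encrypted_files": [], "ransom_notes": []}
    for raw in lines:
        line = raw.strip()
        if "|" not in line:
            continue                      # skip empty or malformed records
        source, value = line.split("|", 1)
        if source == "fw_account" and value.lower() in BACKDOOR_ACCOUNTS:
            findings["backdoor_accounts"].append(value)   # 'vpn' may be legitimate: verify
        elif source == "process" and basename(value) == RENAMED_SCANNER:
            findings["renamed_scanner"].append(value)
        elif source == "file":
            if value.lower().endswith(ENCRYPTED_EXT):
                findings["encrypted_files"].append(value)
            elif basename(value) == RANSOM_NOTE:
                findings["ransom_notes"].append(value)
    return findings

def severity(findings):
    """Encrypted files or a ransom note mean impact is under way; a backdoor
    account or the renamed scanner alone points to an earlier intrusion stage."""
    if findings["encrypted_files"] or findings["ransom_notes"]:
        return "critical"
    if findings["backdoor_accounts"] or findings["renamed_scanner"]:
        return "high"
    return "none"

# Constructed sample records, not data from the report.
SAMPLE = [
    "fw_account|admin", "fw_account|SUPPOR87", "fw_account|vpn",
    "process|C:\\Windows\\System32\\svchost.exe", "process|C:\\Users\\Public\\i.exe",
    "file|\\\\fs01\\finance\\budget.xlsx.locklocklock",
    "file|/vmfs/volumes/datastore1/Readme-locklocklock.txt",
    "file|/vmfs/volumes/datastore1/vm01/vm01.vmdk",
]

if __name__ == "__main__":
    result = sweep(SAMPLE)
    print(severity(result), result)
```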
Helldown’s campaign spanned multiple geographies, with significant activity observed in Italy, Singapore, and other locations.