Zyxel is currently notifying customers about threat actor attacks that exploit an as yet unknown vulnerability in its USG/ZyWALL, USG FLEX, ATP and VPN series firewalls running the ZLD firmware in the field. The first attacks, in which a new user account suddenly appears on the device, have been observed since Monday. A blog reader alerted me to the issue – thanks for the info.
According to the information I have from Zyxel's security alert, the vendor has recently become aware of a threat actor targeting a small subset of Zyxel security appliances.
Who is affected?
Affected are Zyxel products that have remote management or SSL VPN enabled. Specifically, the vendor names the USG/ZyWALL, USG FLEX, ATP and VPN series running on-premises ZLD firmware. Devices operated in Nebula cloud management mode are not affected.
According to Zyxel's security advisory, the threat actor attempts to access a device over its WAN interface. If successful, the attacker bypasses authentication and establishes SSL VPN tunnels using unknown user accounts such as "zyxel_sllvpn", "zyxel_ts" or "zyxel_vpn_test", and then manipulates the device's configuration. An account with one of these names that no administrator created is therefore a strong indicator that the device has been compromised.
Attack vector still unknown
The real problem is that the manufacturer does not yet know which vulnerability is being exploited in these attacks. Zyxel writes that it is aware of the situation and is doing its best to investigate and fix the security issue, but the attack vector is still unknown. Until it is identified there is no patch to install, so mitigation has to come from the device configuration.
Admins should respond quickly
Based on Zyxel's research to date, its product specialists believe that an appropriate remote access security policy is currently the most effective way to reduce the attack surface. Zyxel therefore strongly recommends that administrators follow this guidance and SOP:
- Unless you need to manage devices from the WAN side, disable HTTP/HTTPS services for access from the wide area network (WAN).
- If you still need to manage devices via WAN:
  - enable policy control and add rules that allow access only from trusted source IP addresses;
  - additionally enable GeoIP filtering to allow access only from trusted locations.
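The following script is an added example for this post, not Zyxel code, and it does not parse the real ZLD configuration format. It models the settings the SOP above talks about (WAN-side HTTP/HTTPS management, policy-control source lists, GeoIP filter) plus the local user list, and audits a fleet of devices against them. It also flags the account names from the advisory. The device records, field names and the trusted network 203.0.113.0/24 are constructed assumptions for the example.

```python
"""Audit firewall remote-management exposure and local accounts.

Added example for this blog post; NOT Zyxel code and NOT a parser for the
real ZLD configuration. The device records below are a constructed,
simplified model of the settings the advisory recommends reviewing.
"""
import ipaddress

# Account names Zyxel reported seeing on compromised devices (from the advisory).
ROGUE_ACCOUNT_NAMES = {"zyxel_sllvpn", "zyxel_ts", "zyxel_vpn_test"}

# Constructed sample data: one appliance hardened per the SOP, one still exposed.
# The field names are an assumption for this example, not ZLD's actual schema.
SAMPLE_DEVICES = [
    {
        "name": "usg-flex-branch-01",
        "users": ["admin", "backup-admin"],
        "wan_services": {
            "HTTP": {"enabled": False, "allowed_sources": [], "geoip_countries": []},
            "HTTPS": {"enabled": True,
                      "allowed_sources": ["203.0.113.0/24"],
                      "geoip_countries": ["DE"]},
        },
    },
    {
        "name": "atp-hq-01",
        "users": ["admin", "zyxel_ts"],
        "wan_services": {
            "HTTP": {"enabled": True, "allowed_sources": [], "geoip_countries": []},
            "HTTPS": {"enabled": True,
                      "allowed_sources": ["0.0.0.0/0"],
                      "geoip_countries": []},
        },
    },
]

APPROVED_USERS = {"admin", "backup-admin"}            # assumed admin baseline
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed management network


def source_is_trusted(cidr, trusted_networks):
    """True if every address in cidr lies inside one of the trusted networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(t) for t in trusted_networks if net.version == t.version)


def audit_device(device, approved_users, trusted_networks):
    """Return human-readable findings; an empty list means the device follows the SOP."""
    findings = []
    name = device["name"]

    # 1. Account review: names from the advisory first, then anything not approved.
    for user in device["users"]:
        if user in ROGUE_ACCOUNT_NAMES:
            findings.append(f"{name}: account '{user}' matches a name seen in the Zyxel attacks")
        elif user not in approved_users:
            findings.append(f"{name}: account '{user}' is not in the approved admin list")

    # 2. WAN-side management: disabled is best; otherwise the SOP wants both
    #    a policy-control source restriction and a GeoIP filter.
    for svc, rule in sorted(device["wan_services"].items()):
        if not rule["enabled"]:
            continue
        if not rule["allowed_sources"]:
            findings.append(f"{name}: {svc} management on WAN has no policy-control source restriction")
        else:
            for src in rule["allowed_sources"]:
                if not source_is_trusted(src, trusted_networks):
                    findings.append(f"{name}: {svc} management on WAN allows untrusted source {src}")
        if not rule["geoip_countries"]:
            findings.append(f"{name}: {svc} management on WAN has no GeoIP restriction")
    return findings


def audit_all(devices=SAMPLE_DEVICES, approved_users=APPROVED_USERS,
              trusted_networks=TRUSTED_NETWORKS):
    """Audit every device and return {device name: findings}."""
    return {d["name"]: audit_device(d, approved_users, trusted_networks) for d in devices}


if __name__ == "__main__":
    for device_name, findings in audit_all().items():
        print(device_name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

In practice you would replace the constructed device records with data pulled from your own configuration backups or inventory; the logic stays the same: any account you did not create is a finding, and WAN management without both a source allow-list and a GeoIP filter is a finding.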
Zyxel has published this page with the SOP and further details. Proactive action by site administrators is critical to mitigate this threat (which I understand has been monitored since Monday).