– A host of security researchers are warning private sector organizations that threat actors are actively targeting a critical vulnerability found in Zyxel Communication platforms, in an effort to take over the device.
Zyxel products are commonly used by small businesses for use as a firewall or a Virtual Private Network (VPN) gateway. The flaw impacts Zyxel Firewall ATP, USG, USG FLEX, and VPN version 4.60, and Zyxel AP Controllers NXC2500 and NXC5500 version 6.10.
Security researcher Niels Teusink first uncovered the vulnerability, caused by the devices’ use of an undocumented account, zyfwp, which contains an unchangeable password. The password is easily found in cleartext within the firmware.
A successful exploit would allow an attacker to change firewall settings, install malicious code, or launch man-in-the-middle cyberattacks. The hardcoded credential vulnerability in its firewalls and AP controllers received a CVSS score of 7.8 out of 10.
“A hardcoded credential vulnerability was identified in the “zyfwp” user account in some Zyxel firewalls and AP controllers. The account was designed to deliver automatic firmware updates to connected access points through FTP,” officials explained.
Researchers noted that the flaw occurs not only due to the fixed password, but as the password was also sent in clear text over FTP.
“There is little in terms of defense in depth that could be applied to protect the device, and in SSH and the VPN endpoint via HTTPS are often exposed,” Internet Storm Center researchers explained. “The default credentials found by Niels are not just limited to FTP. They can be used to access the device as an administrator via SSH.”
Thus, the flaw essentially acts as a backdoor for cybercriminals and impacts all Zyxel products using the same firmware. A software update was released for the flaw on December 23, but at least 100,000 devices remain vulnerable to attack.
At the start of the year, researchers observed a drastic increase in attempted exploits. The scans are targeting IP addresses 18.104.22.168, 22.214.171.124, and 126.96.36.199.
To Teusink, the concern is most users do not routinely update the firmware of their devices. And while Zyxel offers automatic updates, it’s not enabled by default. As such, administrators will need to apply the previously provided update to close off access to hackers.
GreyNoise researchers have also observed these “opportunistic exploitation” attacks targeting the Zyxel backdoor and crawling of SOHO routers. These automated attacks leverage account credentials to log into the vulnerable devices.
The threat actors are adding credentials to previous lists of default credential combinations that are commonly used to hack into vulnerable endpoints.
Multi-State Information Sharing and Analysis Center (MS-ISAC) also released an advisory on the flaw on January 4, which warns these exploits could provide an attacker with administrative access.
MS-ISAC urged all organizations to apply the software updates provided by Zyxel immediately after applying appropriate testing. All software should be run as a non-privileged user, which will reduce the impact of a successful exploit.
Further, employees should be reminded to not visit any untrusted websites, including links provided by unknown or untrusted sources. Administrators should also retrain and educate all users on the threats posed by hyperlink texts sent in emails or attachments, particularly from unknown sources.
Lastly, entities must employ the principle of least privilege to all systems and services.
Patch prioritization is critical in light of the spike in scans for this flaw, especially as previous reports found nation-state actors actively engaging in a massive scanning campaign of unpatched, vulnerable endpoints.
Endpoint exploitation provides hackers with a foothold onto the network, and with the current sophisticated evasion techniques that allow hackers to hide on the network undetected, securing all vulnerabilities is paramount.