Overview

Zyxel firewalls have come under scrutiny following a wave of attacks leveraging vulnerabilities to deploy Helldown ransomware. A critical directory traversal vulnerability, tracked as CVE-2024-11667, in the Zyxel ZLD firmware (versions 5.00–5.38) has been linked to these breaches.

Attackers exploit this flaw to steal credentials and execute malicious activities, including creating unauthorized VPN connections and modifying security policies.

CERT Germany (CERT-Bund) and Zyxel have issued urgent advisories detailing these threats and recommending immediate action to mitigate risks.

Understanding the Vulnerability: CVE-2024-11667

CVE-2024-11667 is a directory traversal vulnerability in Zyxel’s firewall firmware. It allows attackers to upload or download files via specially crafted URLs, potentially leading to credential theft and unauthorized access.

This vulnerability impacts:

  • ATP and USG FLEX series firewalls in on-premise mode.
  • Devices running ZLD firmware versions from 4.32 to 5.38 with remote management or SSL VPN enabled.

Devices using Nebula cloud management mode are not affected.

Helldown Ransomware Evolution

Initially observed in August 2024, Helldown has grown in sophistication, leveraging the CVE-2024-11667 vulnerability in Zyxel USG FLEX and ATP firewall series. The exact vulnerability chain has not been fully identified, but attackers appear to retain access even on patched systems when account credentials have not been changed.

Helldown, derived from the infamous LockBit ransomware builder, targets organizations with advanced tactics, including lateral movement within networks. Its leak site has named 32 victims globally, with five German entities suspected as targets, CERT-Bund (BSI) said.

Key Attack Observations

  • Attack Vectors: Exploitation of firewall vulnerabilities for initial access.
  • Post-Exploitation Tactics: Creation of unauthorized accounts (e.g., “SUPPORT87”), lateral movement, and persistent backdoors.
  • Impact: Data exfiltration, encryption of critical assets, and operational disruptions.

Identifying Signs of Compromise

Indicators of a compromised Zyxel firewall include:

  1. Unauthorized SSL VPN Connections:
    • VPN accounts such as “SUPPORT87,” “SUPPOR817,” or “VPN” appear in connection logs.
    • Login attempts from non-recognized IP addresses, often routed through VPN services.

  2. Modified Security Policies:
    • Policies granting unrestricted access (e.g., “ANY to ANY”) between WAN, LAN, and SSL VPN zones.
    • Changes to NAT rules allowing WAN-to-LAN access.

  3. Suspicious Admin Activity:
    • Creation of unauthorized admin accounts.
    • Login attempts from unrecognized IPs.
    • Activity logs in SecuReporter showing unusual administrative actions.

  4. AD Server Targeting:
    • Attackers use stolen administrator credentials to access Active Directory (AD) servers via SSL VPN connections, potentially encrypting files.

Steps to Detect and Remediate a Compromised Firewall

Detection

  • Check for unknown VPN connections or user accounts in logs.
  • Review SecuReporter activity logs for unauthorized admin actions.
  • Inspect firewall rules for unusual access permissions.
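The indicators listed under "Identifying Signs of Compromise" and the detection steps above can be turned into a simple log triage. The following Python is an added example, not code from the advisories or from Zyxel: the log lines are constructed in a simplified key=value syslog shape (not real device output), and the trusted admin network 192.0.2.0/24 is an assumption a defender would replace with their own.

```python
import ipaddress
import re

# Constructed sample lines in a simplified key=value syslog style; they are not
# real Zyxel output, only shaped to carry the fields the advisory's indicators need.
SAMPLE_LOGS = [
    'category=user user="jdoe" src=203.0.113.45 msg="SSL VPN tunnel established"',
    'category=user user="SUPPORT87" src=198.51.100.23 msg="SSL VPN tunnel established"',
    'category=account user="admin" src=198.51.100.23 msg="Account SUPPOR817 created"',
    'category=policy user="admin" src=198.51.100.23 msg="Policy changed: from WAN to LAN src ANY dst ANY action allow"',
    'category=admin user="admin" src=192.0.2.10 msg="Administrator login successful"',
    'category=admin user="admin" src=198.51.100.23 msg="Administrator login successful"',
]

# Account names taken from the advisory; the trusted admin network is an assumed value.
ROGUE_ACCOUNTS = {"SUPPORT87", "SUPPOR817", "VPN"}
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("192.0.2.0/24")]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
ANY_TO_ANY = re.compile(r"src ANY\b.*\bdst ANY\b.*\baction allow", re.I)
WAN_TO_LAN = re.compile(r"from WAN to (LAN|SSL ?VPN)", re.I)
CREATED = re.compile(r"Account (\S+) created")

def parse(line):
    """Split a key=value line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def from_trusted(src):
    """True when src parses as an address inside one of the trusted admin networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_ADMIN_NETS)

def triage(line):
    """Return the advisory indicators raised by one log line (empty list if none)."""
    ev = parse(line)
    user, msg, src = ev.get("user", ""), ev.get("msg", ""), ev.get("src", "")
    hits = []
    created = CREATED.search(msg)
    if user.upper() in ROGUE_ACCOUNTS or (created and created.group(1).upper() in ROGUE_ACCOUNTS):
        hits.append("rogue-account")           # known attacker account names
    if created:
        hits.append("new-account-created")     # every new account deserves review
    if ev.get("category") == "admin" and not from_trusted(src):
        hits.append("admin-login-untrusted-src")
    if ev.get("category") == "policy" and (ANY_TO_ANY.search(msg) or WAN_TO_LAN.search(msg)):
        hits.append("permissive-policy")       # ANY-to-ANY or WAN-to-LAN rule changes
    return hits

def scan(lines):
    """Map each flagged line to its indicators; clean lines are omitted."""
    return {line: triage(line) for line in lines if triage(line)}
```

A legitimate SSL VPN user connecting from an arbitrary address is not flagged on its own; the check fires on account names, on administrator logins from outside the trusted range, and on policy changes that open WAN, LAN or SSL VPN zones to each other.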

Remediation

Upgrade Firmware:
Update to ZLD 5.39 or later to patch CVE-2024-11667 and implement security enhancements.

Change Credentials:

  • Update passwords for all admin and user accounts (local and Active Directory).
  • Change VPN pre-shared keys and external authentication server credentials.

Remove Unauthorized Accounts:

  • Delete unrecognized admin and user accounts.
  • Force logout for all untrusted sessions.

Review Security Policies:

  • Remove rules that allow unrestricted access.
  • Ensure policies restrict WAN, LAN, and SSL VPN traffic as needed.

Monitor Logs:
Continuously analyze logs for suspicious activity and unauthorized access attempts.

Best Practices for Securing Zyxel Firewalls

To prevent future compromises, Zyxel recommends the following measures:

Restrict Access:

  • Disable remote management if not required.
  • Implement IP restrictions for accessing the management interface.

Change Default Ports:

  • Modify default HTTPS and SSL VPN ports to reduce exposure.

Enable Two-Factor Authentication (2FA):

  • Require 2FA for admin and user logins to strengthen access control.

Geo-Restriction Rules:

  • Use Geo-IP filtering to block traffic from untrusted regions.

Encrypt Configuration Files:

  • Add private encryption keys to secure configuration files.

Regular Backups and Monitoring:

  • Maintain updated backups of firewall configurations.
  • Continuously monitor for vulnerabilities using threat intelligence feeds.

Conclusion

The exploitation of Zyxel firewall vulnerabilities underscores the importance of proactive cybersecurity measures. Organizations using affected devices must prioritize firmware updates, strengthen access controls, and actively monitor for suspicious activity.

The Helldown ransomware campaign highlights the dangers of leaving systems exposed to known vulnerabilities. By adopting a layered security approach, including 2FA, IP filtering, and robust monitoring, organizations can effectively safeguard their networks against similar threats.

References:

https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2024/2024-290907-1032.pdf?__blob=publicationFile&v=3

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-protecting-against-recent-firewall-threats-11-27-2024

https://support.zyxel.eu/hc/en-us/articles/21878875707410-Zyxel-USG-FLEX-and-ATP-series-Upgrading-your-device-and-ALL-credentials-to-avoid-hackers-attacks#h_01J9RQPFVV0YYZY0CG3PJT7MAD

https://community.zyxel.com/en/discussion/26764/ransomware-helldown

The post German CERT Warns Zyxel Firewalls Exploited for Helldown Ransomware Deployment appeared first on Cyble.