Hackers Actively Deploying Zyxel Firewall Flaw To Deploy Ransomware

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Post Sharing

Cybersecurity experts have uncovered a wave of attacks exploiting vulnerabilities in Zyxel firewall to deploy the Helldown ransomware.

This new ransomware operation, first observed in August 2024, has quickly gained traction, targeting organizations worldwide and compromising their networks through security gaps in Zyxel’s firewall systems.

At the heart of these attacks is a critical directory traversal vulnerability, tracked as CVE-2024-11667, affecting Zyxel ZLD firmware versions 5.00 through 5.38.

This flaw allows attackers to download or upload files via a crafted URL, potentially leading to unauthorized access and malicious activities within the targeted networks.

However, security researchers observed that the company has taken swift action to address several security concerns, including this vulnerability as well.

Analyze cyber threats with ANYRUN's powerful sandbox. Black Friday Deals : Get up to 3 Free Licenses.

Technical Analysis

The Helldown ransomware group has been observed exploiting this vulnerability to:-

  1. Gain initial access to corporate networks
  2. Create unauthorized accounts (e.g., “SUPPORT87”, “OKSDW82A”)
  3. Establish secure connections via SSL VPN
  4. Move laterally within the compromised networks
  5. Disable endpoint defenses
  6. Exfiltrate sensitive data
  7. Encrypt critical assets

The attacks have had significant repercussions:-

  • Zyxel Europe itself was reportedly among the victims
  • At least 32 victims globally have been listed on Helldown’s data leak site
  • Five German entities are suspected targets, according to CERT-Bund (BSI)

While here below we have mentioned the complete timeline:-

  • Initial Release: November 21, 2024
  • Update: November 27, 2024 – CVE description updated
  • Current Date: November 29, 2024

To protect your network and prevent potential attacks, Zyxel strongly recommends the following proactive measures:-

  1. Update Firmware: Immediately update your device to the latest firmware version.
  2. Disable Remote Access: If updates cannot be applied right away, temporarily disable remote access to your device until the firmware is patched.
  3. Review Best Practices: Familiarize yourself with general cybersecurity guidelines.
  4. Change Admin Passwords: Users are urged to change their admin passwords as an additional security measure.

Despite the availability of patches, some institutions reported Helldown infections even after updating their firmware. This suggests that updating alone may not be sufficient to prevent compromise, as attackers can potentially use previously created accounts to maintain access.

Security experts strongly urged organizations using Zyxel firewalls to take immediate action to protect their networks from potential compromise and cyberattacks.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar