Ransomware Targets Zyxel Firewalls Through Recent Vulnerability

Cybercriminals are ramping up attacks on Zyxel firewalls, exploiting a critical vulnerability to gain access and deploy ransomware. This flaw, CVE-2024-42057, has allowed the Helldown ransomware group to compromise several organizations in Europe and beyond.

How the Attack Unfolded

The attackers exploited a command injection vulnerability in Zyxel devices, which enables unauthorized OS command execution. Key highlights include:

  • Targeted Devices: Devices running firmware versions 4.32 to 5.38, especially those using User-Based-PSK authentication mode with long usernames.
  • Rogue Accounts: Attackers created accounts like OKSDW82A to gain access via SSL VPN tunnels.
  • Ransomware Tactics: Typical techniques, including data encryption and ransom demands.

Who’s Behind the Attack?

The Helldown ransomware group, known for financial motivations, has been identified as the culprit. They claimed 31 victims between August and October, including Zyxel’s European subsidiary.

Techniques Used by the Attackers

  1. Exploiting Known Vulnerabilities: Leveraged CVE-2024-42057 to infiltrate networks.
  2. Post-Compromise Activity: Created rogue user accounts and escalated privileges.
  3. Targeted Firmware Versions: Focused on unpatched devices below firmware version 5.39.

Zyxel’s Response

Zyxel issued a fresh advisory urging users to upgrade to firmware version 5.39. According to Zyxel:

“The reported issues are not reproducible on firmware version 5.39.”

To mitigate the risk, they recommend:

  • Immediate Updates: Upgrade all affected devices.
  • Disabling Remote Access: Temporarily disable remote access for unpatched devices.
  • Changing Passwords: Update all administrator and user account passwords.

What’s at Stake?

  • Network Security: Vulnerable firewalls can expose entire systems to ransomware.
  • Financial Losses: Victims may face ransom payments and recovery costs.
  • Data Breaches: Compromised accounts could lead to further exploitation.

How to Protect Your Organization

  1. Update Firmware: Ensure all devices are running the latest version (5.39 or higher).
  2. Strengthen Passwords: Use strong, unique passwords for all accounts.
  3. Disable Unnecessary Access: Restrict remote access until updates are complete.
  4. Monitor for Rogue Accounts: Check for unauthorized users and unusual activity.
  5. Enable Multi-Factor Authentication (MFA): Add an extra layer of protection.

Stay Ahead of the Threats

This attack highlights the importance of proactive patch management and strong network security measures. Keeping devices updated and monitoring for vulnerabilities can prevent similar breaches.

TALK TO AN EXPERT

Contact us today to guide you how to protect your organization and achieve cyber resilience.

TALK TO AN EXPERT

Contact us today to guide you how to protect your organization and achieve cyber resilience.

Source:

RECENT POSTS

SIGN UP

Subscribe for the industry news, in-depth blog posts, and Odyssey-exclusive updates directly in your inbox.