Zyxel Networks, a Taiwanese provider of networking equipment, has issued a critical alert regarding a series of attacks targeting select security appliances, specifically firewalls and VPN servers. This warning highlights a sophisticated threat actor employing targeted strategies against devices with remote management or SSL VPN functionalities enabled.
According to Zyxel, the affected equipment includes the USG/ZyWALL, USG FLEX, ATP, and VPN series running on-premise ZLD firmware. The nature of the attacks suggests that these devices are exposed to the public internet, making them particularly vulnerable to unauthorized access.
The firm detailed that the threat actor gains initial access through the Wide Area Network (WAN). If successful, they bypass authentication measures and establish SSL VPN tunnels using obscure user accounts, including ‘zyxel_slIvpn,’ ‘zyxel_ts,’ or ‘zyxel_vpn_test.’ This enables malicious actors to manipulate the device’s configuration with potential repercussions for the networks they support, as stated in a communication shared on Twitter.
At this moment, it remains uncertain whether the attacks exploit existing vulnerabilities or leverage zero-day exploits to compromise these systems. The overall scope of the attack and the number of impacted users have yet to be determined, raising concerns among business owners about the potential risks to their cybersecurity posture.
To mitigate exposure, Zyxel recommends disabling HTTP/HTTPS services via the WAN interface and implementing geo-IP restrictions to permit remote access solely from trusted geographic locations. Such measures aim to limit the attack surface that these threat actors can exploit.
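The two indicators this article gives a defender, the attacker-created account names from the alert and the geo-IP allow-list Zyxel recommends, can be turned into a simple log review. The following is an added example written for this page, not code from Zyxel; the `sslvpn user=... src=... result=...` line layout, the sample log lines, and the `GEO_DB` IP-to-country map are all constructed stand-ins (Zyxel's real syslog format and a real geo-IP database would replace them), while the account names are copied from the alert as printed above.

```python
import re
from typing import Dict, List, Optional

# Account names Zyxel's alert associates with the attacker-established
# SSL VPN tunnels (spelling kept exactly as the article prints it).
SUSPICIOUS_ACCOUNTS = frozenset({"zyxel_slIvpn", "zyxel_ts", "zyxel_vpn_test"})

# Constructed, simplified line layout used only for this example. It is NOT
# Zyxel's real syslog format; adapt the regex to what the appliance emits.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) sslvpn user=(?P<user>\S+) src=(?P<src>[\d.]+) "
    r"result=(?P<result>success|fail)$"
)

# Constructed sample lines: fictional timestamps, RFC 5737 test addresses.
SAMPLE_LOGS: List[str] = [
    "2021-06-24T08:01:10Z sslvpn user=alice src=203.0.113.7 result=success",
    "2021-06-24T08:03:42Z sslvpn user=zyxel_vpn_test src=198.51.100.9 result=success",
    "2021-06-24T08:05:00Z sslvpn user=bob src=203.0.113.7 result=fail",
    "2021-06-24T08:07:31Z sslvpn user=zyxel_ts src=192.0.2.5 result=fail",
    "2021-06-24T08:09:15Z sslvpn user=carol src=192.0.2.77 result=success",
    "this line is not a VPN event",
]

# Constructed stand-in for a geo-IP lookup. A real deployment would query a
# geo-IP database; addresses missing from this map resolve to None.
GEO_DB: Dict[str, str] = {
    "203.0.113.7": "US",
    "198.51.100.9": "ZZ",  # "ZZ" stands for a location outside the allow-list
    "192.0.2.5": "US",
}


def lookup_country(ip: str) -> Optional[str]:
    """Country code for a source address, or None when unknown."""
    return GEO_DB.get(ip)


def parse_event(line: str) -> Optional[dict]:
    """Return the fields of one SSL VPN event line, or None for other lines."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines: List[str], allowed_countries: set) -> List[dict]:
    """Flag events matching the alert's indicators, in log order.

    Two checks:
      * 'suspicious-account': any attempt, successful or not, that uses one of
        the account names from the alert; those accounts should never exist.
      * 'geo-policy': a successful login whose source country is not in the
        allowed set. An unknown location is treated as disallowed (fail
        closed), which is the safer reading of a geo-IP allow-list.
    """
    findings: List[dict] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # not a VPN event; nothing to evaluate
        if ev["user"] in SUSPICIOUS_ACCOUNTS:
            findings.append({"rule": "suspicious-account", "user": ev["user"],
                             "src": ev["src"], "ts": ev["ts"]})
        if ev["result"] == "success":
            country = lookup_country(ev["src"])
            if country not in allowed_countries:
                findings.append({"rule": "geo-policy", "user": ev["user"],
                                 "src": ev["src"], "ts": ev["ts"],
                                 "country": country or "unknown"})
    return findings


if __name__ == "__main__":
    # Allow-list only one country; everything else, including unknown, is flagged.
    for finding in analyze(SAMPLE_LOGS, {"US"}):
        print(finding)
```

On the constructed sample, the run produces four findings: both attempts with alert-listed account names are flagged regardless of outcome, the successful `zyxel_vpn_test` login is additionally flagged by the geo rule, and `carol`'s login from an address the lookup cannot place is flagged because the geo check fails closed. Running this over real appliance logs only helps once the regex matches the device's own format, and it complements rather than replaces the WAN-side HTTP/HTTPS lockdown the article describes.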
Earlier in the year, Zyxel addressed a critical vulnerability in its firmware related to a hard-coded user account, known as ‘zyfwp’ (CVE-2020-29583), which could be exploited by attackers for unauthorized administrative access, threatening the device’s integrity and availability. This incident echoes a wider trend where enterprise VPNs and networking devices have increasingly become targets for cybercriminals aiming to infiltrate corporate networks for espionage or financial gain.
In this instance, adversary tactics potentially align with the MITRE ATT&CK framework’s categories of Initial Access, Lateral Movement, and Persistence. The threat actor’s ability to bypass authentication suggests techniques associated with Credential Dumping and Exploit Public-Facing Applications, underscoring the imperative for robust security measures among businesses reliant on such devices.