Hackers use unknown user accounts to attack Zyxel firewalls and VPNs

Get a free Techzine subscription!

Network device manufacturer Zyxel, is warning customers of active and ongoing attacks targetted at a range of the company’s firewalls and other types of security devices. In an email, the company said that the targeted devices include appliances fitted with remote management or are SSL VPN enabled.

Specifically, they are in the USG/ZyWALL, USG FLEX, ATP, and VPN series running on-premise ZLD firmware. The email is succinct but appears to confirm that the attacks target devices that are internet-facing/connected. When the attackers gain access to the device, they can connect to previously unknown accounts hardwired into it.

How it happens

The email, which was shared on Twitter, said that the company is aware of the situation and is doing its best to investigate and find a resolution.

It continued to explain how the attacks happen, saying that once the hackers gain access to a device through WAN successfully, they can bypass authentication and create SSL VPN tunnels with unknown user accounts like /zyxel_vpn_test/, /zyxel_ts/, and /zyxel_silvpn/, to then manipulate configurations on the device. It is still unclear whether the weaknesses under attack are novel or were known.

When security devices compromise the security

Zyxel officials wrote that reports about the attacks first came from users in Europe, at which point the company says it became aware of a sophisticated threat actor trying to access a subset of its devices. The number of affected customers is not known at this time because it seems that the devices attacked had their web management publicly accessible and are not locked down. This story only goes to show that security appliances themselves can make a network less secure if they are misconfigured, set up shoddily, or are easily accessible.