Security incidents are events indicating that a company’s systems or data have been compromised or that the security measures put in place have failed. While a security event is anything that significantly affects system hardware or software, a security incident is an event that disrupts normal business operations.
Zyxel Networks recently announced the discovery of a sophisticated cyber threat targeting Zyxel security devices. The threat typically targets devices with remote management or SSL VPN enabled, including the USG/ZyWALL, ATP, and USG FLEX series. It attempts to reach the device through the WAN and, if successful, bypasses authentication and creates SSL VPN tunnels. The attackers typically use unknown user accounts, such as “zyxel_sllvpn”, “zyxel_vpn_test”, or “zyxel_ts”, to manipulate your device’s configuration.
According to the Zyxel Networks support team, the networking device manufacturer took action immediately after discovering the incident. Based on their investigations so far, the company believes that the most effective way to defend against the threat actor is to maintain a proper security policy for remote access. Therefore, the tech company has released an SOP that guides clients in the right way to set up their remote access policies. They are also working on a hotfix with additional countermeasures to mitigate similar threats.
The affected products include the VPN, ATP, USG, ZyWALL, and USG FLEX Series in On-Premise Mode, and the affected firmware versions include the FCS, date-code, and weekly releases.
The following behaviors potentially indicate that your device is impacted. One or more of these configuration changes will show up if your device is affected:
1: Unknown Admin Accounts Created
[Configuration -> Object -> User / Group setting]
How to Fix the Issue: Delete all unknown User and Admin accounts
Typically, the User / Admin creation is at the bottom (the last item in the list). A few examples could be sslvpn_index, zyxel_sllvpn, zyxel_ts, etc.
2: Unknown Policy Route created
[Configuration -> Routing -> Policy Route]
How To Fix the Issue: Delete Policy Route 1 if the conditions are matching.
Usually, the unknown Policy Route appears at position 1 in the Policy Route screen. An example could be LAN1 >> Subnet >> to any >> Next-Hop >> AUTO, or LAN1 >> Subnet >> to any >> Next-Hop >> VPN Tunnel.
3: Unknown Firewall Rule/Secure Policy Established
[Configuration >> then Secure Policy]
How to Fix the Issue: Delete the firewall rule that shows “loseang” in the description.
In most cases, a newly created firewall rule appears with the description “loseang” and “WAN to ZyWALL.”
4: Unrecognized SSL VPN Setting
[Configuration >> then SSL VPN]
How to Fix the Issue: Delete the “SSL VPN” setting group or user
A user named “zyxel_ts”, “sslvpn_index”, “zyxel_vpn_test”, or “zyxel_sllvpn” is usually created and assigned to the SSL VPN setting.
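The four indicators above can be checked against an exported device configuration rather than by clicking through the GUI. The script below is an added example, not Zyxel’s tooling: it assumes a ZLD-style text export where accounts appear as `username <name> ... user-type <type>` lines and Secure Policy rules carry a `description` line, and it runs against a small constructed sample.

```python
import re

# Account names the advisory lists as attacker-created.
KNOWN_ROGUE_ACCOUNTS = {"sslvpn_index", "zyxel_sllvpn", "zyxel_ts", "zyxel_vpn_test"}
# Description string the advisory associates with the rogue WAN-to-ZyWALL firewall rule.
ROGUE_DESCRIPTION = "loseang"

# Assumed ZLD-style line formats; adjust the patterns to match your own config export.
USER_RE = re.compile(r"^\s*username\s+(\S+)\s+.*?user-type\s+(\S+)", re.M)
DESC_RE = re.compile(r"^\s*description\s+(\S+)", re.M)


def audit_config(config_text, expected_accounts):
    """Flag known rogue accounts, accounts not on the allowlist, and suspicious rule descriptions."""
    findings = {"known_rogue_accounts": [], "unexpected_accounts": [], "suspicious_descriptions": []}
    for name, user_type in USER_RE.findall(config_text):
        if name in KNOWN_ROGUE_ACCOUNTS:
            findings["known_rogue_accounts"].append(name)
        elif name not in expected_accounts:
            # Not a known indicator, but an admin you did not create deserves review.
            findings["unexpected_accounts"].append((name, user_type))
    for desc in DESC_RE.findall(config_text):
        if desc.lower() == ROGUE_DESCRIPTION:
            findings["suspicious_descriptions"].append(desc)
    return findings


def is_compromised(findings):
    """True when a documented indicator (rogue account or rogue rule description) is present."""
    return bool(findings["known_rogue_accounts"] or findings["suspicious_descriptions"])


# Constructed sample export (hashes redacted); the format is an assumption, not a real device dump.
SAMPLE_CONFIG = """\
username admin password $4$REDACTED user-type admin
username zyxel_ts password $4$REDACTED user-type admin
username backup-op password $4$REDACTED user-type limited-admin
secure-policy 12
  from WAN
  to ZyWALL
  description loseang
  action allow
"""

if __name__ == "__main__":
    result = audit_config(SAMPLE_CONFIG, expected_accounts={"admin"})
    print(result)
    print("compromise indicators present:", is_compromised(result))
```

Feed it the configuration file you exported from the device together with the set of admin accounts you know you created; anything in `unexpected_accounts` still needs a human decision.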
If you identify any of the above points on your device, the first step is to repair the device by applying the corresponding fix described above for each affected configuration item.
Next, you need to inform Zyxel Support about your compromised devices and protect your device with Zyxel’s recommended changes, such as reviewing firewall configuration, changing ports, changing passwords, and setting up two-factor authentication.
Under this mandatory configuration, only trusted source IP addresses are permitted to reach the ZyWALL zone. You can tighten this further with the GEO IP feature by allowing only your own country. In addition, create a “deny” rule for all other non-trusted connections from WAN to ZyWALL.
Modify the firewall first so that you do not lock yourself out of your own account. If you are connected through SSL VPN, the system will reconnect you automatically. Consider changing the HTTPS port or the SSL VPN port so that the SSL VPN port does not overlap with your HTTPS GUI port.
Password Changes & 2-Factor Authentication
Changing your admin password is a mandatory measure following any security breach. You also need to configure a 2-factor login to add an extra layer of protection from unauthorized login.
Today’s expanding threat landscape puts businesses across the globe at more risk of cyber-attacks than ever before. Your enterprise must constantly monitor its threat landscape and put in place measures to respond quickly to security incidents, cyber threats, and data breaches when they occur. Establishing a well-defined incident response plan will enable your organization to effectively identify security incidents, minimize the impact, and reduce the cost of a cyber-attack.
Does your network depend on Zyxel routers or VPN devices? The networking device manufacturer has announced widespread exploitation of its routers and VPN devices. If your organization uses Zyxel Unified Security Gateway (USG) with ZyWALL or USG FLEX with firewall and VPN, you’re a potential target. The attackers are utilizing hardcoded accounts to gain remote access to these devices. Zyxel suggests that your firewalls may be affected if users encounter problems with VPN access, traffic, routing, or login. Other symptoms of a compromised device include password problems and unknown configuration parameters.
If you suspect that the latest sophisticated threats have compromised your Zyxel network devices, SemTech IT Solutions can help. Our skilled IT specialists can troubleshoot your network, delete all unknown admin and user accounts created by the attackers, and delete any unknown firewall rules and routing policies.
At SemTech IT Solutions, we provide quality managed IT services for organizations throughout Central Florida. With a single stable monthly payment, we provide all of the technology support your business needs to streamline its internal processes. Let SemTech be your ultimate IT partner for all your technology needs, including support for third-party solutions such as Zyxel USG/ZyWALL, ATP, USG FLEX, and VPN series. Contact us today to schedule a consultation!