Zyxel’s Firewalls Are Hacked and Also Its VPN for Companies

The popular network-device manufacturer Zyxel has released a security advisory stating that cybercriminals are carrying out attacks on its firewalls and VPNs, with the aim of breaking through the devices' security and penetrating the company's local network. The company has indicated that the targeted devices have remote management enabled via SSL / TLS and also have VPN enabled. Want to know which Zyxel devices are being attacked so you can protect yourself?

Zyxel devices affected by these attacks

The Zyxel devices being attacked by cybercriminals are those of the USG / ZyWALL, USG FLEX and ATP series, as well as all VPN-capable devices that run the ZLD firmware. In the email Zyxel sent, it stated that the attacks target devices exposed to the Internet; logically, all these devices, whether firewall or VPN, are always exposed to the Internet in order to protect the internal network from external attacks.


This type of device is the "gateway" to the internal network: after authenticating against the VPN server or servers we have configured, a remote user can reach the company's internal network by connecting via VPN to the Zyxel firewall. A good security practice is to expose only the VPN port to the Internet, so that every incoming connection is authenticated first, either with a username / password or directly with a digital certificate. On this type of device it is very important never to expose the administration web port, because it could be vulnerable to XSS attacks or the like.

How the Zyxel devices are being attacked

Attackers are trying to bypass device authentication and establish SSL VPN tunnels with unknown user accounts, for example accounts such as "zyxel_silvpn", "zyxel_ts" or "zyxel_vpn_test", in order to manipulate device settings. Zyxel is investigating these attacks to determine whether they exploit an already known and unresolved vulnerability, or a new vulnerability that was not known until now. The manufacturer does not know at the moment how many customers are affected, because it seems that only customers with a publicly accessible administration web interface are affected. Nor do they know, to this day, whether the attackers are successfully compromising customer devices or are merely attempting to.
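The account names quoted above are the most concrete indicator the advisory gives, and a defender's first question is whether any VPN login attempt on their own device used an account that was never provisioned. The following is an added example, not code from Zyxel or from the article, that parses VPN authentication events and alerts on non-provisioned accounts, escalating to critical when the account matches one named in the advisory or when the login actually succeeded. The syslog line format, the user inventory and the sample events are all constructed for this illustration; real ZLD log output looks different and needs its own regular expression.

```python
"""Flag SSL VPN login attempts from accounts that are not in the user inventory.

Added example, not Zyxel's code. The log line format, the known-user list and
the sample events below are constructed for illustration only.
"""
import re
from collections import Counter

# Constructed sample syslog lines (not real Zyxel ZLD output).
SAMPLE_LOGS = """\
2021-06-24T10:01:02Z fw1 sslvpn: user=alice src=203.0.113.10 result=success
2021-06-24T10:01:09Z fw1 sslvpn: user=zyxel_silvpn src=198.51.100.7 result=failed
2021-06-24T10:01:11Z fw1 sslvpn: user=zyxel_ts src=198.51.100.7 result=failed
2021-06-24T10:01:14Z fw1 sslvpn: user=zyxel_vpn_test src=198.51.100.7 result=failed
2021-06-24T10:02:30Z fw1 sslvpn: user=bob src=203.0.113.22 result=success
2021-06-24T10:03:01Z fw1 sslvpn: user=zyxel_vpn_test src=198.51.100.9 result=success
2021-06-24T10:04:00Z fw1 sslvpn: user=svc_backup src=203.0.113.30 result=failed
"""

# Accounts the organisation actually provisioned (constructed inventory).
KNOWN_USERS = {"alice", "bob"}

# Account names the advisory says attackers have been using.
SUSPICIOUS_USERS = {"zyxel_silvpn", "zyxel_ts", "zyxel_vpn_test"}

# Matches the constructed line format only; adapt to your device's syslog.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sslvpn: user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>success|failed)$"
)


def parse_lines(text):
    """Yield one dict per well-formed VPN auth line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_unknown_account_attempts(text, known_users=KNOWN_USERS,
                                  suspicious=SUSPICIOUS_USERS):
    """Return alerts for VPN attempts using accounts that were never provisioned.

    Each alert is (severity, user, src, result). Severity is "critical" when the
    login succeeded (the device may already be compromised) or the account is
    one named in the advisory; any other unknown account is a "warning".
    """
    alerts = []
    for ev in parse_lines(text):
        if ev["user"] in known_users:
            continue
        if ev["result"] == "success" or ev["user"] in suspicious:
            severity = "critical"
        else:
            severity = "warning"
        alerts.append((severity, ev["user"], ev["src"], ev["result"]))
    return alerts


def sources_by_unknown_attempts(text, known_users=KNOWN_USERS):
    """Count attempts per source address that used a non-provisioned account."""
    counts = Counter()
    for ev in parse_lines(text):
        if ev["user"] not in known_users:
            counts[ev["src"]] += 1
    return counts


if __name__ == "__main__":
    for alert in find_unknown_account_attempts(SAMPLE_LOGS):
        print("%-8s user=%s src=%s result=%s" % alert)
    print(sources_by_unknown_attempts(SAMPLE_LOGS).most_common())
```

A successful login with an unknown account is treated as the most serious case because, per the advisory, the attackers' goal once inside is to change device settings; on a real device that finding should trigger a configuration review, not just a block of the source address.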

Zyxel is currently developing a firmware update that applies security best practices to harden administration via the web, with the aim of reducing the attack surface.

Zyxel Security Recommendations

The manufacturer has released a series of basic recommendations to protect your devices as well as possible; these recommendations are equally valid for any equipment with similar characteristics. The generic tips are to configure devices with the lowest possible privileges, patch them with the latest firmware versions, use two-factor authentication whenever possible, and be very careful about phishing attacks within the corporate local network.

Of course, it is essential to expose the minimum number of ports possible; for example, if remote access is not needed, we should have no open ports at all and a policy of denying all inbound communication. Recently, with ransomware attacks targeting a multitude of devices, firewalls and remote access to local resources via VPN, cybercriminals are specifically targeting these types of devices, which are normally placed on the network perimeter to protect the internal network from unsolicited traffic. We must remember that in recent years there have been multiple vulnerabilities in Fortigate SSL VPN, Pulse Secure SSL VPN and others such as SonicWall.
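The two exposure rules the article states, expose only the VPN port and never the administration web port, and deny everything else by default, are easy to state and easy to get wrong when a ruleset has a catch-all allow near the bottom. The following is an added example, not Zyxel's configuration format or tooling, that evaluates a generic first-match ruleset from the WAN zone and reports which administration and VPN ports are reachable, with a weak ruleset beside a hardened one. The rule shape, the port-to-service mapping (including 10443 as an assumed SSL VPN port) and both rulesets are constructed for this illustration; map your own firewall's exported policy onto this shape before using the check.

```python
"""Audit a perimeter ruleset for WAN-reachable administration and VPN ports.

Added example, not Zyxel's configuration format. Rules are a constructed,
generic first-match list of {"zone", "port", "action"}; port "any" is a wildcard.
"""

# Constructed service mapping. 10443 is an assumed SSL VPN port, not a vendor default.
MANAGEMENT_PORTS = {443: "https-admin", 22: "ssh-admin", 80: "http-admin"}
VPN_PORTS = {500: "ike", 4500: "ike-nat-t", 10443: "ssl-vpn"}

# Weak ruleset: web admin open to the Internet and a catch-all allow at the end.
WEAK_RULES = [
    {"zone": "WAN", "port": 443, "action": "allow"},
    {"zone": "WAN", "port": 10443, "action": "allow"},
    {"zone": "WAN", "port": "any", "action": "allow"},
]

# Hardened ruleset: only VPN ports from WAN; admin reachable from LAN only.
HARDENED_RULES = [
    {"zone": "WAN", "port": 10443, "action": "allow"},
    {"zone": "WAN", "port": 500, "action": "allow"},
    {"zone": "WAN", "port": 4500, "action": "allow"},
    {"zone": "LAN", "port": 443, "action": "allow"},
]


def first_match(rules, zone, port, default="deny"):
    """Return the action of the first rule matching (zone, port), else the default."""
    for rule in rules:
        if rule["zone"] == zone and rule["port"] in (port, "any"):
            return rule["action"]
    return default


def audit_wan_exposure(rules, default="deny"):
    """List every WAN-reachable known port; admin services are the findings to fix.

    Returns a list of (kind, port, service) where kind is "default-policy",
    "admin-exposed" or "vpn-exposed". VPN exposure is expected and is listed
    so the reviewer can confirm it is the only thing reachable from outside.
    """
    findings = []
    if default != "deny":
        findings.append(("default-policy", None, "WAN default action is not deny"))
    for port, service in {**MANAGEMENT_PORTS, **VPN_PORTS}.items():
        if first_match(rules, "WAN", port, default) == "allow":
            kind = "admin-exposed" if port in MANAGEMENT_PORTS else "vpn-exposed"
            findings.append((kind, port, service))
    return findings


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label)
        for finding in audit_wan_exposure(rules):
            print("  ", finding)
```

Against the weak ruleset the audit reports all three administration ports as exposed (443 directly, 22 and 80 through the catch-all), while the hardened ruleset yields only the three VPN entries, which is the state the article recommends: nothing but the VPN listener answers from the Internet, and management is reachable only from inside or over the VPN.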