Zyxel devices affected by these attacks
The Zyxel devices being attacked by cybercriminals are those of the USG/ZyWALL series, USG FLEX, ATP and the VPN series, that is, all the models that run the ZLD firmware. In the e-mail Zyxel sent to its customers it states that the attacks target devices exposed to the Internet, which of course describes every firewall or VPN gateway: these devices sit on the perimeter precisely to protect the internal network from outside attacks.
This type of device is the gateway into the internal network: once a remote user authenticates against the firewall itself or against the authentication servers we have configured, they can reach the company LAN over the VPN tunnel. A good security practice is to expose only the VPN port to the Internet, so that every incoming connection must first authenticate with a username and password or, better, with a digital certificate. On this type of device it is critical never to expose the web administration port to the Internet, because any flaw in the management interface (an authentication bypass, an injection, XSS or similar) then becomes reachable by anyone on the Internet.
How the Zyxel devices are being attacked
Attackers are trying to bypass authentication on the devices and establish SSL VPN tunnels with user accounts that the administrator never created, for example “zyxel_silvpn”, “zyxel_ts” or “zyxel_vpn_test”, in order to manipulate the device configuration. Zyxel is investigating whether the attacks exploit an already known but unresolved vulnerability or a previously unknown one. The manufacturer does not yet know how many customers are affected; it appears that only devices whose administration web interface is publicly reachable are being targeted. Nor does it know yet whether the attackers are actually succeeding in compromising customer devices or only attempting to.
Zyxel is currently developing a firmware update that hardens web administration, with the aim of reducing the attack surface.
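Given the attack pattern described above (VPN logins with accounts you never created, and management logins arriving from the WAN), the practical check is to compare the accounts seen in the firewall's authentication log against your own user inventory. The script below is an added example, not Zyxel code: the log line format, the IP addresses and the user inventory are constructed for illustration and do not reproduce the real ZLD syslog format, so the regular expression must be adapted to what your device actually exports.

```python
"""Audit firewall authentication logs for two signs of the attack described
on the page: SSL VPN logins by accounts that are not in the administrator's
own inventory, and web-management logins that do not come from the LAN.

Added example, not Zyxel code. The line format below is a constructed,
hypothetical one ("<date> <time> <src_ip> <category> User <name> login from
<ip> to <service>"); adapt LINE_RE to the real export of your device."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample log (hypothetical format, not real ZLD syslog).
# 203.0.113.x and 198.51.100.x are documentation ranges standing in for WAN peers.
SAMPLE_LOG = """\
2021-06-24 09:12:01 203.0.113.40 sslvpn User zyxel_silvpn login from 203.0.113.40 to SSL VPN
2021-06-24 09:12:07 198.51.100.7 sslvpn User alice login from 198.51.100.7 to SSL VPN
2021-06-24 09:13:15 203.0.113.40 sslvpn User zyxel_vpn_test login from 203.0.113.40 to SSL VPN
2021-06-24 09:14:02 203.0.113.40 web-mgmt User zyxel_ts login from 203.0.113.40 to WEB(HTTPS)
2021-06-24 09:20:44 192.168.1.10 web-mgmt User admin login from 192.168.1.10 to WEB(HTTPS)
"""

# Assumption: these are the only accounts the administrator created.
KNOWN_ACCOUNTS = {"admin", "alice", "bob"}

# Assumption: the LAN uses these RFC 1918 ranges. Checked explicitly rather
# than with ip_address().is_private, which would also classify the
# documentation ranges used above as non-global.
LAN_NETWORKS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>\S+) (?P<cat>\S+) User (?P<user>\S+) "
    r"login from \S+ to (?P<svc>.+)$"
)


@dataclass(frozen=True)
class Finding:
    kind: str   # "unknown-account" or "wan-management-access"
    user: str
    src: str
    ts: str


def parse(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def from_lan(src):
    """True if the source address falls inside one of the LAN networks."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in LAN_NETWORKS)


def audit(log_text, known_accounts=KNOWN_ACCOUNTS):
    """Scan the log and return the findings in the order they appear."""
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        # Any login with an account you did not create is suspicious,
        # whichever service it targets.
        if rec["user"] not in known_accounts:
            findings.append(Finding("unknown-account", rec["user"], rec["src"], rec["ts"]))
        # The management interface should only ever be reached from the LAN.
        if rec["cat"] == "web-mgmt" and not from_lan(rec["src"]):
            findings.append(Finding("wan-management-access", rec["user"], rec["src"], rec["ts"]))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.ts} {f.kind:22} user={f.user} src={f.src}")
```

A login by "zyxel_ts" on the web management interface from a WAN address produces two findings, one for the unknown account and one for the exposed management port; the latter is the condition the page says is common to the affected customers, so it is worth alerting on even when the account is legitimate.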
Zyxel security recommendations
The manufacturer has published a series of basic recommendations to protect its devices as far as possible; these recommendations are equally valid for any device with similar characteristics. The general advice is to configure accounts with the lowest privileges they need, keep the devices patched with the latest firmware, use two-factor authentication wherever possible, and be very alert to phishing aimed at users on the corporate network.
It is also essential to expose as few ports as possible: if remote access is not needed, no port should be open at all and the policy should deny any unsolicited inbound connection. With the wave of ransomware attacks of recent times, cybercriminals now specifically target firewalls and VPN gateways, precisely the devices placed on the perimeter to protect the internal network from unsolicited traffic, because they are the entry point to local resources. It is worth remembering that in recent years there have been multiple vulnerabilities in Fortigate SSL VPN, Pulse Secure SSL VPN and SonicWall, among others.