Zyxel says a threat actor is targeting its enterprise firewall and VPN devices

Networking equipment vendor Zyxel has emailed customers this week to alert them about a series of attacks that have been targeting some of the company's high-end enterprise-focused firewall and VPN server products.

"We recently became aware of a sophisticated threat actor targeting a small subset of Zyxel security appliances that have remote management or SSL VPN enabled," the company said in an email seen by The Record.

Per Zyxel, the attacks have targeted the USG, ZyWALL, USG FLEX, ATP, and VPN series running on-premise ZLD firmware. All are multi-purpose networking devices the company advertises to enterprise customers as systems with VPN, firewall, and load balancing capabilities.

"We're aware of the situation and have been working our best to investigate and resolve it," Zyxel said.

Per information shared by the vendor, the attacks appear to follow the below pattern:

The threat actor attempts to access a device through WAN; if successful, they then bypass authentication and establish SSL VPN tunnels with unknown user accounts, such as"zyxel_slIvpn", "zyxel_ts", or "zyxel_vpn_test", to manipulate the device's configuration.

Zyxel spokespersons in the US and UK have not returned a request for comment seeking additional details.

At the time of writing, it is unclear if the attacker is exploiting an old vulnerability to go after unpatched devices or if they are using a never-before-seen bug—known in cyber-security circles as a "zero-day."

It is also unclear if the attacks have already resulted in security breaches at some of Zyxel's customers or if the vendor caught the attack in the early stages via honeytraps, and is now warning clients in advance about a potentially larger wave of incoming attacks.

Nevertheless, the vendor seems to believe that the attacks can be mitigated.

Based on our investigation so far, we believe maintaining a proper security policy for remote access is currently the most effective way to reduce the attack surface; therefore, we strongly recommend that you follow the guidance and the SOP below: 

1. Unless you must manage devices from the WAN side, disable HTTP/HTTPS services from WAN.
2. If you still need to manage devices from the WAN side:
     • enable Policy Control and add rules to only allow access from trusted source IP addresses; and
     • enable GeolP filtering to only allow access from trusted locations.

Over the past two years, attacks against firewalls, VPN servers, and load balancers like the ones spotted by Zyxel today have been common. They have been carried out by both cyber-espionage and financially-motivated groups, which usually gain access to these devices sitting on a company's edge network and use them to pivot to internal networks.

Some of the e-crimes groups have often rented access to this type of systems to ransomware gangs as an entry point for larger and more destructive attacks.

Vendors that had enterprise firewalls and VPNs abused this way in the previous years include Pulse Secure, Palo Alto Network, Fortinet, Citrix, Cisco, Sonicwall, Sophos, and F5 Networks.

Updated on August 11 to add that ZyXEL has released patches to address this attack, including a fix for the zero-day vulnerability, which also received the CVE-2021-35029 identifier.