Cybercriminals Ramp Up Exploits Against Serious Zyxel Flaw

Zyxel hardcoded passcode vulnerability

More than 100,000 Zyxel networking products could be vulnerable to a hardcoded credential vulnerability (CVE-2020-29583) potentially allowing cybercriminal device takeover.

Security experts are warning hackers are ramping up attempts to exploit a high-severity vulnerability that may still reside in over 100,000 Zyxel Communications products.

Zyxel, a Taiwanese manufacturer of networking devices, on Dec. 23 warned of the flaw in its firmware (CVE-2020-29583) and released patches to address the issue. Zyxel devices are generally utilized by small businesses as firewalls and VPN gateways.

Fast forward to this week, several security researchers have spotted “opportunistic exploitation” of Zyxel devices that have not yet received updates addressing the vulnerability.

2020 Reader Survey: Share Your Feedback to Help Us Improve

“Likely due to the holidays, and maybe because [Niels Teusink, who discovered the flaw] did not initially publish the actual password, widespread exploitation via ssh has not started until now,” said Johannes Ullrich, of the SANS Internet Storm Center (ISC), in a Wednesday analysis. “But we are [now] seeing attempts to access our ssh honeypots via these default credentials.”

Ullrich said the scans started on Monday afternoon stemming from one IP (185.153.196.230), and more scans from other IPs (5.8.16.167, 45.155.205.86) joined throughout this week.

“The initial IPs scanning for this are all geo-locating back to Russia,” Ullrich told Threatpost. “But other than that, they are not specifically significant. Some of these IPs have been involved in similar internet wide scans for vulnerabilities before so they are likely part of some criminal’s infrastructure.”

Exploit attempts on a honeypot observed by SANS ISC. Credit: SANS ISC

Separately, researchers with GreyNoise said on Twitter, on Monday, they observed a slew of “opportunistic exploitation of the newly discovered Zyxel USG SSH Backdoor and crawling of SOHO Routers.”

The vulnerability stems from Zyxel devices containing an undocumented account (called zyfwp) that has an unchangeable password – which can be found in cleartext in the firmware, according to Niels Teusink at EYE, who discovered the flaw and published his analysis in tandem with Zyxel’s December advisory.

The flaw, which had a CVSS Score of 7.8 out of 10 (making it high severity), could be exploited by attackers to log in with administrative privileges – and ultimately take over affected devices.

From an attacker perspective, this would give cybercriminals the ability to adjust firewall rules, run malicious code on devices, or launch machine-in-the-middle attacks, Ullrich told Threatpost.

“This can easily be leveraged to compromise workstations protected by the firewall,” he said. “The only limit is the creativity of the attacker.”

The number of current devices open to attack cannot by specifically pinpointed, however, according to Teusink, globally more than 100,000 Zyxel devices have exposed their web interface to the internet.

Furthermore, “in our experience, most users of these devices will not update the firmware very often,” said Teusink. “Zyxel devices do not expose their firmware version to unauthenticated users, so determining if a device is vulnerable is a bit more difficult.”

Teusink did not reveal the unchangeable password in his analysis – however, it didn’t take long for the hardcoded credentials to be distributed publicly on Twitter.

Affected Zyxel devices include its ATP firewall series, Unified Security Gateway (USG) series and VPN series, a patch for which became available in December 2020. Also affected is the NXC2500 and NXC 5500, which are two devices that are part of Zyxel’s lineup of wireless LAN controllers, which will not receive a patch until Jan. 8, 2021.

Patch details. Credit: Zyxel

Ullrich told Threatpost that patching firewalls and gateways is always “tricky,” especially if the patching must be done remotely. And, another issue is that “due to the holidays, the initial announcement by Zyxel was also somewhat overlooked,” he noted.

Security experts’ advice for potentially affected users? “Update now,” emphasized Ullrich.

He said consumers or businesses using any kind of firewall, gateway or router, regardless of the vendor should limit the administrative interface exposure.

“Avoid exposing web-based admin interfaces,” said Ullrich. “Secure ssh access best you can (public keys…). In the case of a hidden admin account, these measures will likely not help, but see if you can disable password authentication. Of course, sometimes, vendors choose to hide ssh keys instead of passwords.”

CVE-2020-29583 is only the latest security issue to plague Zyxel.

In March 2020, researchers warned that Zyxel’s Cloud CNM SecuManager software  contained 16 unpatched vulnerabilities that could kick open the doors for hackers to exploit. That same month, the Mirai botnet was discovered attacking Zyxel network-attached storage (NAS) devices using a critical vulnerability in the devices. And in April 2020, the Hoaxcalls botnet was found spreading via an unpatched vulnerability impacting the ZyXEL Cloud CNM SecuManager.

Supply-Chain Security: A 10-Point Audit Webinar: Is your company’s software supply-chain prepared for an attack? On Wed., Jan. 20 at 2 p.m. ET, start identifying weaknesses in your supply-chain with actionable advice from experts – part of a limited-engagement and LIVE Threatpost webinar. CISOs, AppDev and SysAdmin are invited to ask a panel of A-list cybersecurity experts how they can avoid being caught exposed in a post-SolarWinds-hack world. Attendance is limited: Register Now and reserve a spot for this exclusive Threatpost Supply-Chain Security webinar – Jan. 20, 2 p.m. ET.

Suggested articles