Zyxel Firewalls Vulnerability Targeted by Helldown Ransomware
Published on November 29, 2024
- The Zyxel CVE-2024-11667 flaw is actively exploited by the Helldown ransomware group.
- Threat actors can go around security measures via crafted URLs that help upload or download files.
- The flaw exposes environments to unauthorized system intrusion, credential theft, and the establishment of backdoor VPN connections.
Attackers leverage a critical vulnerability in Zyxel firewalls to deploy the Helldown ransomware. The serious directory traversal flaw in Zyxel’s ZLD firmware that allows threat actors to bypass security measures by crafting malicious URLs to upload or download files is tracked as CVE-2024-11667.
This access opens pathways for unauthorized system intrusion, credential theft, and the establishment of backdoor VPN connections, often leaving system administrators unaware of the breach.
German CERT (CERT-Bund) and Zyxel have issued urgent warnings regarding the attacks, urging organizations to take immediate action to secure their network appliances. The vulnerability in question affects the Zyxel ATP and USG FLEX firewall series running ZLD firmware versions 4.32 to 5.38.
Devices running firmware versions between 4.32 and 5.38 are especially vulnerable, especially if remote management or SSL VPN features are enabled. Fortunately, Zyxel devices managed via Nebula cloud services are not impacted by this flaw.
Helldown ransomware, first detected in August 2024, has emerged as a significant threat in this wave of cyberattacks. Built upon the notorious LockBit ransomware builder, Helldown is engineered for sophisticated infiltration, lateral movement across networks, and the encryption of critical organizational data.
According to CERT-Bund, Helldown’s leak site has so far listed 32 victims globally, including five reported entities in Germany. Attackers leveraging CVE-2024-11667 gain initial access, exploiting weak administrator passwords or unpatched firmware.
The ransomware then escalates its attack through advanced tactics, such as unauthorized account creation, to maintain persistence within compromised systems.
Signs of infection include unusual VPN connections originating from newly created accounts like “SUPPORT87” or “VPN” and altered firewall rules, allowing unrestricted connectivity between WAN, LAN, and SSL VPN zones or unauthorized NAT rules granting external access.
Unauthorized admin accounts or unexplained administrative logins often linked to unfamiliar IP addresses and Active Directory intrusions via stolen credentials to encrypt or exfiltrate sensitive internal data are also potential indicators of compromise.
In other news, DEEPDATA malware was seen abusing a critical FortiClient for Windows vulnerability to exfiltrate VPN credentials from compromised environments.
Related
Most Popular
Most Popular