Dutch cybersecurity researchers have discovered a backdoor account in 100,000 networking devices manufactured by Zyxel, which may grant hackers access to all of those vulnerable devices and put data at risk.
The username and password (zyfwp / PrOw!aN_fXp) were visible in one of the Zyxel firmware binaries.
Over 100,000 Zyxel firewalls, VPN gateways, and access point controllers contain a hardcoded admin-level backdoor account that can grant attackers root access to the devices through the SSH interface or the web management panel.
Dutch cybersecurity researchers have discovered the backdoor account in over 100,000 networking devices made by the Taiwan-based firm Zyxel; it can grant hackers access to those vulnerable devices and put data at risk.
The backdoor account, found by a team of Dutch security researchers from Eye Control, is considered as bad as vulnerabilities get.
Device owners are advised to update their systems as soon as time permits.
Security experts warn that anyone from DDoS botnet operators to state-sponsored hacking groups and ransomware gangs could abuse this backdoor account to access vulnerable devices and pivot to internal systems for further attacks.
Affected models include several of Zyxel's top products from its line of business-grade devices, usually deployed across private business and government networks.
Many of these devices sit at the edge of a company's network and, once compromised, allow attackers to pivot and launch further attacks against internal hosts.
Patches are currently available only for the ATP, USG, USG Flex, and VPN series. Patches for the NXC series are expected in April 2021, according to a Zyxel security advisory.
Backdoor account was easy to find
Installing the patches removes the backdoor account, which, according to the Eye Control researchers, uses the "zyfwp" username and the "PrOw!aN_fXp" password.
"The plaintext password has been observable in one of the binaries on the system," the Dutch researchers said in a report published before the Christmas 2020 holiday.
The researchers said the account had root access to the device because it was used to install firmware updates on other interconnected Zyxel devices via FTP.
Speaking this week, IoT security researcher Ankit Anubhav said that Zyxel should have learned its lesson from a prior incident in 2016.
"It was surprising to see yet another hardcoded credential, especially since Zyxel is well aware that the last time that occurred, it had been abused by numerous botnets," Anubhav said.
"CVE-2016-10401 is still in the arsenal of the majority of password-attack-based IoT botnets," the researcher said.
But this time things are worse with CVE-2020-29583, the CVE identifier for the 2020 backdoor account.
Anubhav said that whereas the 2016 backdoor mechanism required attackers to first have access to a low-privileged account on a Zyxel device, so that they could elevate it to root, the 2020 backdoor is worse because it can grant attackers direct access to the device without any such prerequisite.
"Also, unlike the previous backdoor, which was used in Telnet only, this needs even less expertise, as one can directly try the credentials on the panel hosted on port 443," Anubhav explained.
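As an added example (not from the article, Eye Control, or Zyxel), the following detector flags successful logins by the hardcoded account over the three interfaces the article mentions: SSH, the web panel on port 443, and FTP. The syslog-style sample lines and their format are constructed for this example; Zyxel's real log format is not shown on the page and is an assumption here.

```python
"""Flag successful logins by the CVE-2020-29583 hardcoded account in device logs."""
import re
from dataclasses import dataclass

# Hardcoded backdoor username named in the article (CVE-2020-29583).
BACKDOOR_USER = "zyfwp"

# Constructed sample lines; the field layout is an assumption, not Zyxel's format.
SAMPLE_LOGS = """\
Jan 02 10:01:11 usg-edge sshd: Accepted password for admin from 10.0.0.5 port 51122
Jan 02 10:02:30 usg-edge sshd: Accepted password for zyfwp from 203.0.113.9 port 40211
Jan 02 10:03:02 usg-edge httpd: login user=zyfwp src=203.0.113.9 dst_port=443 result=success
Jan 02 10:03:44 usg-edge httpd: login user=zyfwp src=198.51.100.7 dst_port=443 result=fail
Jan 02 10:05:00 usg-edge ftpd: user zyfwp logged in from 203.0.113.9
"""

SSH_RE = re.compile(r"sshd: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
WEB_RE = re.compile(r"httpd: login user=(?P<user>\S+) src=(?P<src>\S+) "
                    r"dst_port=(?P<port>\d+) result=(?P<result>\w+)")
FTP_RE = re.compile(r"ftpd: user (?P<user>\S+) logged in from (?P<src>\S+)")


@dataclass(frozen=True)
class Finding:
    interface: str  # "ssh", "web/<port>" or "ftp"
    src: str        # source address of the login
    line: str       # raw log line for the analyst


def scan(log_text: str) -> list[Finding]:
    """Return one finding per successful login by the backdoor account.
    SSH and web logins are interactive admin access; FTP is the path the
    article says the account was intended for, so it is reported too."""
    findings = []
    for line in log_text.splitlines():
        if (m := SSH_RE.search(line)) and m["user"] == BACKDOOR_USER:
            findings.append(Finding("ssh", m["src"], line))
        elif (m := WEB_RE.search(line)) and m["user"] == BACKDOOR_USER \
                and m["result"] == "success":
            findings.append(Finding(f"web/{m['port']}", m["src"], line))
        elif (m := FTP_RE.search(line)) and m["user"] == BACKDOOR_USER:
            findings.append(Finding("ftp", m["src"], line))
    return findings


def sources(findings: list[Finding]) -> list[str]:
    """Distinct source addresses that used the backdoor account, for blocking."""
    return sorted({f.src for f in findings})


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f.interface:8} from {f.src}: {f.line}")
```

Failed web-panel attempts with the backdoor username are not reported as findings but are still worth alerting on separately, since they show someone already knows the account name.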
What's more, Anubhav also points out that the affected systems are far more varied than in the 2016 backdoor issue, which only affected home routers.
Attackers have access to a larger range of victims, most of them corporate targets, because the vulnerable devices are primarily marketed to businesses as a way to control who can access intranets and internal networks from remote locations.
This matters in the bigger picture because vulnerabilities in firewalls and VPN gateways were one of the main entry points for ransomware attacks and cyber-espionage operations in 2019 and 2020.
Security flaws in Pulse Secure, Fortinet, Citrix, MobileIron, and Cisco devices have frequently been exploited to attack business and government networks.
The new Zyxel backdoor could expose an entirely new set of organizations and government agencies to the same type of attacks we have seen over the previous couple of years.