Friday, July 23, 2021

Backdoor accounts found in More than 100,000 Zyxel firewalls, VPN gateways


Dutch cybersecurity researchers have discovered a backdoor account in more than 100,000 networking devices manufactured by the Taiwan-based firm Zyxel. The account can grant attackers access to all of those vulnerable devices and puts the data behind them at risk.

The username and password (zyfwp / PrOw!aN_fXp) were visible in plaintext in one of the Zyxel firmware binaries.

Over 100,000 Zyxel firewalls, VPN gateways, and access point controllers contain a hardcoded admin-level backdoor account that can grant attackers root access to the devices through the SSH interface or the web-based management panel.

The backdoor account, discovered by a team of Dutch security researchers from Eye Control, is considered about as bad as a vulnerability gets.

Device owners are advised to update their systems as soon as possible.

Security experts warn that anyone from DDoS botnet operators to state-sponsored hacking groups and ransomware gangs could abuse the backdoor account to access vulnerable devices and then pivot to internal systems for further attacks.

Affected models include several of Zyxel's top products from its line of business-grade devices, which are usually deployed across private enterprise and government networks.

Many of these devices sit at the edge of a company's network and, once compromised, allow attackers to pivot and launch further attacks against internal hosts.

Patches are currently available only for the ATP, USG, USG Flex, and VPN series. Patches for the NXC series are expected in April 2021, according to a Zyxel security advisory.

Backdoor account was easy to find

Installing the patches removes the account, which, according to the Eye Control researchers, uses the username "zyfwp" and the password "PrOw!aN_fXp".

"The plaintext password has been observable in one of the binaries on the system," the Dutch researchers said in a report published before the Christmas 2020 holiday.

The researchers said the account had root access to the device because it was used to install firmware updates on other interconnected Zyxel devices via FTP.

Speaking this week, IoT security researcher Ankit Anubhav said that Zyxel should have learned its lesson from a prior incident in 2016.

"It was surprising to see yet another hardcoded credential, especially since Zyxel is well aware that the last time that occurred, it had been abused by numerous botnets," Anubhav said.

"CVE-2016-10401 is still in the arsenal of the majority of password-attack-based IoT botnets," the researcher said.

But this time things are worse with CVE-2020-29583, the CVE identifier assigned to the 2020 backdoor account.

Anubhav said that whereas the 2016 backdoor required attackers to first have access to a low-privileged account on a Zyxel device, which they could then elevate to root, the 2020 backdoor is worse because it grants attackers direct access to the device without any such hurdle.

"Also, unlike the previous backdoor, which was used via Telnet only, this requires even less expertise, as one can directly try the credentials on the panel hosted on port 443," Anubhav explained.
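A log-side check a defender can run over authentication records for the backdoor account named above, as an added example that is not part of the original article or of Zyxel's own tooling: the syslog-like line format, field names and addresses below are constructed assumptions (real Zyxel device logs are laid out differently), and any login event for the account is treated as actionable because it has no legitimate interactive use.

```python
import re
from collections import Counter

# Username of the hardcoded account described in the article (CVE-2020-29583).
BACKDOOR_USER = "zyfwp"

# Constructed sample log lines in a generic syslog-like layout (an assumption;
# real Zyxel logs differ). SSH events mimic OpenSSH wording, web events are invented.
SAMPLE_LOGS = """\
2020-12-28T10:01:02Z sshd: Failed password for zyfwp from 198.51.100.7 port 51022
2020-12-28T10:01:03Z sshd: Failed password for admin from 198.51.100.7 port 51023
2020-12-28T10:01:09Z sshd: Accepted password for zyfwp from 198.51.100.7 port 51030
2020-12-28T10:02:11Z https: login ok user=zyfwp src=203.0.113.5
2020-12-28T10:05:40Z https: login ok user=admin src=192.0.2.10
2020-12-28T10:06:00Z sshd: Accepted publickey for admin from 192.0.2.10 port 40000
"""

SSH_RE = re.compile(r"sshd: (Accepted|Failed) \S+ for (\S+) from (\S+)")
WEB_RE = re.compile(r"https: login (ok|fail) user=(\S+) src=(\S+)")


def parse_line(line):
    """Return (service, success, user, src) or None if the line is not an auth event."""
    m = SSH_RE.search(line)
    if m:
        return ("ssh", m.group(1) == "Accepted", m.group(2), m.group(3))
    m = WEB_RE.search(line)
    if m:
        return ("web", m.group(1) == "ok", m.group(2), m.group(3))
    return None


def detect_backdoor_use(log_text, user=BACKDOOR_USER):
    """Flag every authentication event for the backdoor account.

    Returns {'critical': [(service, src), ...]} for successful logins (device is
    compromised or still unpatched and being used) and {'attempts': {src: count}}
    for failed logins (someone is probing for the account).
    """
    critical, attempts = [], Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev[2] != user:
            continue
        service, ok, _, src = ev
        if ok:
            critical.append((service, src))
        else:
            attempts[src] += 1
    return {"critical": critical, "attempts": dict(attempts)}
```

Run against the sample, the check reports two successful backdoor logins (one over SSH, one on the web panel) and one failed attempt, while the regular admin logins are ignored.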

Anubhav also points out that the affected systems are far more varied than in the 2016 backdoor case, which only affected home routers.

Attackers therefore have access to a much broader range of victims, most of them corporate targets, because the vulnerable devices are primarily marketed to businesses as a way to control who can reach intranets and internal networks from remote locations.

This matters in the bigger picture because vulnerabilities in firewalls and VPN gateways were among the main entry points for ransomware attacks and cyber-espionage operations in 2019 and 2020.

Security flaws in Pulse Secure, Fortinet, Citrix, MobileIron, and Cisco devices have repeatedly been exploited to attack business and government networks.

The new Zyxel backdoor could expose a whole new set of organizations and government agencies to the same kind of attacks we have seen over the past couple of years.

Priyanshu Vijayvargiya
Founder and Editor-in-Chief of 'Virtualattacks Inc' Priyanshu Vijayvargiya is a cybersecurity analyst, Information Security professional, developer, and a white hat hacker.

