Friday, October 15, 2021

Backdoor accounts found in More than 100,000 Zyxel firewalls, VPN gateways

Must Read

Twitter hires hacker ‘Mudge’ as its head of security

Twitter has been facing cybersecurity-related concerns lately. To that end, the social media giant has appointed one of the...

Kaseya releases patches for flaws exploited in the REvil ransomware attack

Kaseya Florida-based software vendor On Sunday rolled out a security update for the VSA zero-day vulnerabilities exploited by the...

GitHub fixes high Seriousness’ security flaw Seen by Google

Fourteen days after Google revealed a security defect in GitHub, the Microsoft-owned website has fixed the matter.GitHub has fixed...

Dutch cybersecurity researchers have discovered a backdoor account in 100,000 networking devices manufactured by Zyxel, which may grant hackers accessibility to all those vulnerable devices and put data at risk.

The password and username (zyfwp/PrOw! AN_fXp) was observable in one of those Zyxel firmware binaries.

Over 100,000 Zyxel firewalls, VPN gateways, and access point controllers contain a hardcoded admin-level backdoor account that can grant attackers root access to devices through the SSH interface or the online management panel.

Dutch cybersecurity scientists have discovered backdoor accounts in over 1 lakh media devices fabricated by Taiwan-based firm Zyxel, that can grant hackers accessibility to those vulnerable devices and put data at risk.

The backdoor account, found by a group of Dutch safety researchers from Eye Control, is thought to be bad as it has in terms of vulnerabilities.

Device owners are advised to upgrade systems as soon as time permits.

Security experts warn that anyone ranging from DDoS botnet operators to state-sponsored hacking groups and ransomware gangs could abuse these backdoor accounts to access vulnerable devices and creep to internal systems for further attacks.

Affected models include several of Zyxel’s best products from its line of business-grade devices, usually deployed across the personal business and government networks.

A number of these devices are used at the edge of a company’s system and, once endangered, allow attackers to pivot and launch further attacks against internal hosts.

Patches are now available only for the ATP, USG, USG Flex, and VPN series. Patches for its NXC series are expected in April 2021, according to a Zyxel safety aide.

Backdoor accounts were easy to Found

Installing patches removes the accounts, which, according to Eye Control researchers, uses the”zyfwp” username and the”PrOw!aN_fXp” password.

“The plaintext password has been observable in one of the binaries on the system,” that the Dutch investigators said in a report printed before the Christmas 2020 holiday.

Researchers said the accounts had root access to this device because it had been used to install firmware updates to other interconnected Zyxel apparatus via FTP.

In a meeting this week, IoT safety researcher Ankit Anubhav stated that Zyxel should have learned its lesson from a prior incident that happened in 2016.

“It was surprising to see yet another hardcoded credential especially since Zyxel is well aware that the last time that occurred, it had been abused by numerous botnets,” Anubhav told.

“CVE-2016-10401 is still at the arsenal of the majority of password assault established IoT botnets,” the researcher said.

But this time things are worse with CVE-2020-29583, the CVE identifier for the 2020 backdoor account.

Anubhav told that whereas the 2016 backdoor mechanism demanded that attackers first have access to some low-privileged accounts on a Zyxel apparatus — so that they could elevate it to root, the 2020 backdoor is worse as it could grant attackers direct entry to the device without any specific problems.

“Also, unlike the previous tap, which has been utilized in Telnet just, this needs even lesser experience as one can directly try the credentials to the panel hosted port 443,” Anubhav explained.

What’s more, Anubhav additionally points out that the majority of those affected systems are also very varied, compared to the 2016 backdoor difficulty, which just influenced house routers.

Attackers have access to a larger spectrum of sufferers, most of which are corporate goals, as the vulnerable devices are primarily marketed to businesses as a way to control who can access intranets and internal networks from remote locations.

This is a big deal in the bigger picture since vulnerabilities in firewalls and VPN gateways are one of the key resources of ransomware attacks and cyber-espionage surgeries in 2019 and 2020.

Security flaws in Pulse Secure, Fortinet, Citrix, MobileIron, and Cisco devices have often been manipulated to attack businesses and government networks.

The new Zyxel backdoor could expose a completely new set of organizations and government agencies to the same type of attacks that we have seen over a previous couple of years.

Priyanshu Vijayvargiya
Founder and Editor-in-Chief of 'Virtualattacks Inc' Priyanshu Vijayvargiya is a cybersecurity analyst, Information Security professional, developer, and a white hat hacker.

Leave a reply

Please enter your comment!
Please enter your name here

Latest News

Unified endpoint management automation software to boost endpoint security

Endpoints are constantly connected to the internet, so they offer a gateway for cyberattacks. Endpoint security is simply the process...

Attackers Using Morse Code in phishing campaign to Evade Detection

Microsoft on Thursday revealed the techniques used by attackers to avoid detection using morse code in the phishing campaign.Microsoft also revealed the workings of...

Murata Manufacturing suffers data breach of employees and customer

Japanese electronic components manufacturer Murata has released an apology Notice for the data breach of thousands of files in June that contained bank account...

Everything about Signalling System 7(SS7)

Signaling System 7 (SS7) is an international telecommunication protocol standard that controls and regulates the network elements in a public switched telephone network (PSTN)....

Zimbra flaw lets attackers access the mail servers

Researchers discovered a flaw in the open-source Zimbra code. As a result, an attacker would gain unrestricted access to all sent and received emails...

More Articles Like This