Zyxel VPN security flaw targeted by new ransomware attackers

Ransomware

  • Researchers spot Helldown exploiting Zyxel VPN to breach networks
  • The flaw was previously undisclosed
  • The crooks mostly target SMBs in the US and Europe

There appears to be a new ransomware player in town, exploiting vulnerabilities in Zyxel firewalls and IPSec access points to compromise victims, steal their data, and encrypt their systems.

The group is called Helldown, and has been active since summer 2023, a new report from cybersecurity researchers has revealed Sekoia, noting the group most likely uses a previously undisclosed vulnerability in Zyxel’s firewalls for initial access.

Furthermore, the group seems to be exploiting CVE-2024-42057, a command injection bug in IPSec VPN that, in certain scenarios, grants unauthenticated users the ability to run OS commands.

Dozens of victims

When they breach a target network, they steal as many files as they can, and encrypt the system. For encryption, they seem to be using a piece of software developed from the leaked LockBit 3 builder. The researchers said the encryptor was relatively basic, but also probably still under development.

As basic as it is, the encryptor still locked down at least 31 organizations, as that’s the number of victims listed on the group’s data leak site. According to BleepingComputer, between November 7 and today, the number dropped to 28, which could be a hint that some organizations paid the ransom demand. We don’t know who the victims are, or how much money the crooks demanded in return for the decryption key and for keeping the data secure.

Most of the victims seem to be small and medium-sized organizations in the United States and Europe.

If the researchers are indeed right, and Helldown does use flaws in Zyxel and IPSec instances to breach the networks, the best way to defend would be to keep these devices up to date, and limit access to trusted accounts only. CVE-2024-42057 that plagues IPSec was fixed on September 3, and the earliest clean firmware version is 5.39. For Zyxel, since the vulnerability is still undisclosed, it would be wise to keep an eye on upcoming advisories and deploy the patch as soon as it’s published.

Via BleepingComputer

You might also like

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.