Hackers are trying to take advantage of a recently discovered backdoor built into several Zyxel device models that hundreds of thousands of individuals and businesses use as VPNs, firewalls, and wireless access points.
The back door takes the form of an undocumented user account with full administrator rights that is hard-coded into the device firmware, a researcher at the Dutch security company Eye Control recently reported. The account, which uses the username zyfwp, can be reached either over SSH or through the device's web administration interface.
A serious security hole
The researcher warned that the account puts users at significant risk, especially if it is combined with other security flaws such as Zerologon, a critical Windows bug that lets attackers instantly gain domain-administrator control of a network.
"Because the zyfwp user has administrator rights, this is a serious security vulnerability," wrote Eye Control researcher Niels Teusink. "An attacker could completely compromise the confidentiality, integrity and availability of the device. For example, someone could change the firewall settings to allow or block certain traffic. You can also intercept traffic or create VPN accounts to gain access to the network behind the device. Combined with a vulnerability like Zerologon, this could be devastating for small and medium-sized businesses."
Andrew Morris, founder and CEO of security company GreyNoise, said Monday that his company's sensors have detected automated attacks that use the account's credentials to log in to vulnerable devices. In most or all of the login attempts, the attackers had simply added the credentials to existing lists of default username and password combinations used to break into poorly secured routers and other types of devices.
"By definition, everything we see has to be opportunistic," said Morris. That means the attackers are trying the credentials against pseudorandomly chosen addresses across the Internet to find connected devices that are susceptible to takeover, rather than targeting specific organizations. GreyNoise uses collection sensors in hundreds of data centers around the world to monitor Internet-wide scanning and exploitation attempts.
The login attempts GreyNoise sees are over SSH connections, but Eye Control researcher Teusink said the undocumented account can also be accessed through a web interface. The researcher said a recent scan found that more than 100,000 Zyxel devices exposed the web interface to the Internet.
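The opportunistic, list-driven activity described above leaves a recognizable trace in any SSH endpoint's logs: the zyfwp username turning up alongside other default accounts from the same source. The following script is an added example, not code from the article, Eye Control, GreyNoise or Zyxel. It assumes standard OpenSSH sshd log wording (not Zyxel's own syslog format), and the hostnames, timestamps and RFC 5737 addresses in the sample lines are constructed for the demonstration; the watchlist of default usernames other than zyfwp is likewise an assumption.

```python
"""Flag zyfwp login attempts and default-credential spraying in sshd logs.

Added example: not from the article or from Eye Control / GreyNoise / Zyxel.
Assumes OpenSSH-style log lines; sample data below is constructed.
"""
import re
from collections import defaultdict

# 'zyfwp' is the undocumented Zyxel account; the other names are assumed
# examples of default accounts that router/IoT credential lists usually carry.
WATCHLIST = {"zyfwp", "admin", "root", "user", "support"}

# Matches "Failed password for invalid user X from IP port N" as well as
# "Accepted password for X from IP port N" (standard sshd wording).
SSH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample log (RFC 5737 test addresses), not a real capture.
SAMPLE_LOG = """\
Jan  4 03:12:07 fw1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Jan  4 03:12:09 fw1 sshd[2203]: Failed password for invalid user zyfwp from 203.0.113.7 port 41030 ssh2
Jan  4 03:12:11 fw1 sshd[2205]: Failed password for root from 203.0.113.7 port 41041 ssh2
Jan  4 03:14:52 fw1 sshd[2240]: Failed password for invalid user zyfwp from 198.51.100.23 port 50211 ssh2
Jan  4 03:20:01 fw1 sshd[2281]: Accepted password for alice from 192.0.2.10 port 52344 ssh2
Jan  4 03:21:17 fw1 sshd[2290]: Accepted password for zyfwp from 198.51.100.23 port 50290 ssh2
Jan  4 03:21:18 fw1 CRON[2291]: pam_unix(cron:session): session opened for user root by (uid=0)
""".splitlines()


def parse_line(line):
    """Return (result, user, ip) for an sshd password-auth line, else None."""
    m = SSH_RE.search(line)
    if not m:
        return None
    return m.group("result"), m.group("user"), m.group("ip")


def analyze(lines, min_users=2):
    """Summarize zyfwp activity and sources spraying several default accounts.

    A source is reported as a 'sprayer' when it has tried at least
    `min_users` distinct usernames from WATCHLIST, the pattern of an
    attacker working through a credential list rather than a single login.
    """
    users_by_ip = defaultdict(set)
    zyfwp_hits = []      # (ip, result) for every attempt on the backdoor account
    zyfwp_accepted = []  # sources that actually got in as zyfwp: incident, not noise
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        result, user, ip = parsed
        if user in WATCHLIST:
            users_by_ip[ip].add(user)
        if user == "zyfwp":
            zyfwp_hits.append((ip, result))
            if result == "Accepted":
                zyfwp_accepted.append(ip)
    sprayers = sorted(ip for ip, users in users_by_ip.items() if len(users) >= min_users)
    return {
        "zyfwp_attempts": len(zyfwp_hits),
        "zyfwp_sources": sorted({ip for ip, _ in zyfwp_hits}),
        "zyfwp_accepted": zyfwp_accepted,
        "sprayers": sprayers,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A successful login as zyfwp is the line that matters operationally: a failed attempt from a scanner is background noise of the kind GreyNoise describes, whereas an Accepted line means the device was running vulnerable firmware when the attacker arrived and should be treated as compromised, not merely patched.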
Teusink said the back door appears to have been introduced in firmware version 4.60, which was released a few weeks ago. A scan of Zyxel devices in the Netherlands found that around 10 percent of them are running this vulnerable version. Zyxel has issued a security advisory that lists the specific affected device models. They include:
- ATP series with firmware ZLD V4.60
- USG series with firmware ZLD V4.60
- USG FLEX series with firmware ZLD V4.60
- VPN series with firmware ZLD V4.60
- NXC2500 with firmware V6.00 to V6.10
- NXC5500 with firmware V6.00 to V6.10
A fix is already available for the firewall models; the AP controllers should get a fix on Friday. Zyxel designed the account to deliver automatic firmware updates to connected access points over FTP.
Anyone running one of the affected devices should make sure the security update is installed as soon as it is available. Because the account is hard-coded into the firmware rather than created by the administrator, changing the device's own admin password does not close it; only the firmware update removes it. Even devices running a version earlier than 4.60 should be updated, since the release also fixes separate vulnerabilities in earlier versions. Unless there is a specific need for it, remote administration from the Internet should be disabled as well.