Hackers are trying to exploit a recently discovered backdoor built into multiple Zyxel device models that hundreds of thousands of individuals and businesses use as VPNs, firewalls, and wireless access points.
The backdoor takes the form of an undocumented user account with full administrator privileges that is hard-coded into the device firmware, a researcher from Netherlands-based security firm Eye Control recently reported. The account, which uses the username zyfwp, can be accessed via SSH or via a web interface.
A serious vulnerability
The researcher warned that users are at significant risk from the account, especially if it is used to exploit other vulnerabilities, such as Zerologon, a critical Windows flaw that could instantly allow attackers to become all-powerful network administrators.
“Because the zyfwp user has administrator rights, this is a serious vulnerability,” Eye Control researcher Niels Teusink wrote. “An attacker could completely compromise the confidentiality, integrity, and availability of the device. For example, someone could change the firewall settings to allow or block certain traffic. They can also intercept traffic or create VPN accounts to access the network behind the device. Combined with a vulnerability like Zerologon, this could be devastating for small and medium businesses.”
Andrew Morris, founder and CEO of security firm GreyNoise, said Monday that his company’s sensors have detected automated attacks that use the account credentials to log into vulnerable devices. In most or all login attempts, the attackers simply added the credentials to existing lists of default username/password combinations used to hack into unsecured routers and other types of devices.
“By definition, anything we see has to be opportunistic,” Morris said, implying that the attackers use the credentials in a pseudorandom manner against IP addresses in the hopes of finding connected devices prone to takeover. GreyNoise deploys collection sensors in hundreds of data centers around the world to monitor Internet-wide scanning and exploitation attempts.
The login attempts GreyNoise sees happen over SSH connections, but Eye Control researcher Teusink said the undocumented account can also be accessed through a web interface. The researcher said a recent scan revealed that more than 100,000 Zyxel devices exposed the web interface to the Internet.
Teusink said the backdoor appears to have been introduced in firmware version 4.60 patch 0, which was released a few weeks ago. A scan of Zyxel devices in the Netherlands showed that about 10 percent of them were running that vulnerable version. Zyxel has issued a security advisory that lists the specific device models that are affected. They include:
- ATP series with firmware ZLD V4.60
- USG series with firmware ZLD V4.60
- USG FLEX series with firmware ZLD V4.60
- VPN series with firmware ZLD V4.60
- NXC2500 with firmware V6.00 through V6.10
- NXC5500 with firmware V6.00 through V6.10
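As an added example, not code from the article or from Zyxel, the following Python helper matches a device inventory against the affected-model list above so an administrator can see which units still need the fix. The model-name and firmware-string formats it parses, and the sample inventory, are assumptions.

```python
import re
# Affected ranges taken from the Zyxel advisory list quoted above, as
# (lowest, highest) (major, minor) tuples. Assumption: firmware strings
# look like "ZLD V4.60" or "V6.05"; build suffixes on real devices are ignored.
AFFECTED = {
    "ATP":      ((4, 60), (4, 60)),
    "USG FLEX": ((4, 60), (4, 60)),
    "USG":      ((4, 60), (4, 60)),
    "VPN":      ((4, 60), (4, 60)),
    "NXC2500":  ((6, 0), (6, 10)),
    "NXC5500":  ((6, 0), (6, 10)),
}
_VERSION_RE = re.compile(r"V?(\d+)\.(\d+)", re.IGNORECASE)

def parse_version(firmware):
    """Return (major, minor) from 'ZLD V4.60' or 'V6.10', or None if absent."""
    m = _VERSION_RE.search(firmware)
    return (int(m.group(1)), int(m.group(2))) if m else None

def series_of(model):
    """Map 'USG FLEX 100' or 'ATP200' to an advisory series; longest prefix
    first so 'USG FLEX' is not mistaken for the plain 'USG' series."""
    name = model.upper()
    for series in sorted(AFFECTED, key=len, reverse=True):
        if name.startswith(series):
            return series
    return None

def is_affected(model, firmware):
    """True when the model/firmware pair falls inside an affected range."""
    series, version = series_of(model), parse_version(firmware)
    if series is None or version is None:
        return False
    low, high = AFFECTED[series]
    return low <= version <= high

def triage(inventory):
    """Return the (model, firmware) pairs in an inventory that need the fix."""
    return [(m, f) for m, f in inventory if is_affected(m, f)]

# Constructed sample inventory, not data from the article.
SAMPLE = [
    ("USG FLEX 100", "ZLD V4.60"),
    ("USG40", "ZLD V4.39"),
    ("NXC2500", "V6.05"),
    ("NXC5500", "V6.20"),
]
```

Models that fall outside the listed series return False, so unknown hardware should be checked against the advisory by hand rather than treated as safe.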
A fix is already available for firewall models. AP controllers are scheduled to receive a fix on Friday. Zyxel said it designed the backdoor to provide automatic firmware updates to connected access points via FTP.
People using any of the affected devices should install the security fix as soon as it becomes available. Even when devices are running a version older than 4.6, users should still install the update, because it also fixes individual vulnerabilities found in previous releases. Disabling remote management is also a good idea unless there is a specific reason to allow it.
Post updated to correct version number.