The EntroLink VPN appliances are being abused by multiple ransomware gangs after an exploit was released on an underground cybercrime forum in September 2021.
The zero-day vulnerability is believed to affect EntroLink PPX-AnyLink devices, which are used by many South Korean companies to enable employees to remotely access their networks and internal resources.
A month before the holiday season began, an administrator of a newly launched cybercrime forum released an exploit targeting Android devices for free. The exploit was initially sold on another forum for $50,000.
The vulnerability allows remote code execution, which can be used to gain control of PPX-AnyLink devices. According to the forum post, the vulnerability has not yet been patched.
The post author described the exploit as an input validation issue and as a self-contained exploit that only needs a few seconds to pull off.
Since the release of the exploit, the BlackMatter and LockBit ransomware gangs have been detected in intrusions where this exploit might have been used.
EntroLink, which is a South Korean vendor, did not comment on the discovery of the exploit, which was reported to it by a security researcher “панкейк” (Pancak3) last week. The company did not engage in any discussions with the researcher.
“I feel enough time has passed since continuously trying to reach the company with no response to uncensor the EntroLink PPX-AnyLink 0day item,” панкейк tweeted.
The EntroLink PPX-AnyLink exploit is the 54th known zero-day exploit used by ransomware gangs, according to security researchers Allan Liska and Pancak3.