Zyxel says it has recently been hit by a series of attacks targeting its high-end enterprise firewalls and VPN servers.
The networking equipment vendor emailed its customers to say that a sophisticated threat actor has been targeting a number of Zyxel security appliances that have SSL VPN or remote management enabled:
“We recently became aware of a sophisticated threat actor targeting a small subset of Zyxel security appliances that have remote management or SSL VPN enabled,” the company said in the email alert.
The attackers have been targeting Zyxel devices of the ZyWALL, USG, USG FLEX, and VPN series running on-premise ZLD firmware.
“We’re aware of the situation and have been working our best to investigate and resolve it,” Zyxel said.
The vendor said the threat actor first tries to reach a device over its WAN interface; if that succeeds, it establishes an SSL VPN tunnel using user accounts the device owner does not recognize. It is unclear whether the attackers are exploiting an old, already patched vulnerability or probing for a zero-day bug that might be exploited later. Zyxel has not said whether the attackers obtained sensitive information from any of its customers, or whether it detected the activity early (for example via honeypots) and is warning its customers pre-emptively.
Establishing a proper security policy for remote access is the most effective way to prevent exploitation.
The Record advises that if you don't need to manage devices from the WAN, you should disable the HTTP/HTTPS services on the WAN side in the device configuration. If you do need WAN-side management, enable Policy Control and allow access only from trusted IP addresses, and enable GeoIP filtering to block access from untrusted locations.
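Both halves of this page, the attacker pattern (WAN-side management access followed by SSL VPN tunnels under accounts nobody created) and the recommended controls (a trusted-IP allowlist for management and GeoIP filtering), can be checked retroactively against the appliance's logs. The following Python script is an added example written for this page; it is not Zyxel code and does not use the real ZLD log format. The log lines, the IP-to-country table and the message layout are constructed for illustration, and the regexes would need adapting to the syslog output of a real device.

```python
"""Review remote-access events from a firewall/VPN appliance against the
controls recommended on this page. Added example; NOT Zyxel code.

The log line layout below is an assumed, simplified syslog-like format.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Constructed sample log lines (not real ZLD messages).
SAMPLE_LOGS = """\
2021-06-25 10:01:02 usg-fw secure-policy: WAN HTTPS management login user admin from 203.0.113.10 result=success
2021-06-25 10:03:44 usg-fw secure-policy: WAN HTTPS management login user admin from 198.51.100.77 result=success
2021-06-25 10:05:00 usg-fw sslvpn: tunnel established user alice from 203.0.113.10
2021-06-25 10:06:31 usg-fw sslvpn: tunnel established user svc_backup from 192.0.2.55
2021-06-25 10:07:02 usg-fw sslvpn: tunnel established user bob from 198.51.100.78
"""

# The Policy Control allowlist: the only networks allowed to reach WAN management.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# Accounts that actually exist in the appliance's local user database.
KNOWN_USERS = {"admin", "alice", "bob"}
# Countries from which remote access is expected (the GeoIP filter).
ALLOWED_COUNTRIES = {"US"}
# Constructed stand-in for a GeoIP database; replace with a real lookup.
GEOIP_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("192.0.2.0/24"), "XX"),
]

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<host>\S+) (?P<svc>[\w-]+): (?P<msg>.*)$")
MGMT_RE = re.compile(r"WAN HTTPS management login user (?P<user>\S+) from (?P<ip>\S+)")
VPN_RE = re.compile(r"tunnel established user (?P<user>\S+) from (?P<ip>\S+)")


@dataclass
class Finding:
    ts: str
    kind: str      # "mgmt" (WAN management login) or "sslvpn" (tunnel established)
    user: str
    ip: str
    reason: str


def in_any(ip, nets) -> bool:
    """True if the address object falls inside any of the given networks."""
    return any(ip in net for net in nets)


def lookup_country(ip_str: str, table=GEOIP_TABLE) -> str:
    """Longest-match-free toy GeoIP lookup; unknown addresses are NOT treated as allowed."""
    ip = ipaddress.ip_address(ip_str)
    for net, country in table:
        if ip in net:
            return country
    return "??"


def review(log_text: str, trusted_nets=TRUSTED_MGMT_NETS, known_users=KNOWN_USERS,
           allowed_countries=ALLOWED_COUNTRIES) -> List[Finding]:
    """Return one Finding per violated control, in log order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # unrelated or malformed line
        ts, svc, msg = m["ts"], m["svc"], m["msg"]
        if svc == "secure-policy":
            mm = MGMT_RE.search(msg)
            if not mm:
                continue
            ip = ipaddress.ip_address(mm["ip"])
            if not in_any(ip, trusted_nets):
                findings.append(Finding(ts, "mgmt", mm["user"], mm["ip"],
                                        "WAN management login from an IP outside the trusted allowlist"))
            country = lookup_country(mm["ip"])
            if country not in allowed_countries:
                findings.append(Finding(ts, "mgmt", mm["user"], mm["ip"],
                                        f"WAN management login from country {country} not in the GeoIP allowlist"))
        elif svc == "sslvpn":
            mm = VPN_RE.search(msg)
            if not mm:
                continue
            user = mm["user"]
            if user not in known_users:
                findings.append(Finding(ts, "sslvpn", user, mm["ip"],
                                        "SSL VPN tunnel for an account not in the local user database"))
            country = lookup_country(mm["ip"])
            if country not in allowed_countries:
                findings.append(Finding(ts, "sslvpn", user, mm["ip"],
                                        f"SSL VPN tunnel from country {country} not in the GeoIP allowlist"))
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOGS):
        print(f"{f.ts} [{f.kind}] user={f.user} src={f.ip}: {f.reason}")
```

On the constructed sample, the script flags the management login from 198.51.100.77 (outside the allowlist) and the tunnel for `svc_backup`, twice: once because the account is not in the user database, once because the source address maps to a country that is not allowed. Treating an unknown GeoIP result as untrusted rather than allowed is deliberate; a lookup gap should fail closed, exactly as the recommended policy does on the device.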
Over the past couple of years, companies like Pulse Secure, Palo Alto Networks, Fortinet, Citrix, Cisco, SonicWall, Sophos, and F5 Networks have been hit by a slew of attacks against their firewalls, VPN servers, and load balancers. These devices are often targeted by cyber-espionage and financially motivated groups looking to steal sensitive information.