Recent cyberattacks have been targeting Zyxel Firewalls, exploiting a critical vulnerability to deploy the dangerous Helldown ransomware. The German CERT (CERT-Bund) and Zyxel have issued warnings to organizations to take immediate steps to protect their network devices.
The vulnerability, known as CVE-2024-11667, affects the Zyxel ZLD firmware in the ATP and USG FLEX firewall series. Five German entities have already fallen victim to these attacks, highlighting the risks of leaving such vulnerabilities unpatched.
CVE-2024-11667 is a directory traversal vulnerability in Zyxel ZLD firmware versions 4.32 through 5.38. The flaw lets attackers bypass the device's access controls and gain unauthorized access to the firewall, from which they can steal credentials, create backdoor VPN connections, and carry out further malicious activity.
Devices running ZLD firmware versions between 4.32 and 5.38 with remote management or SSL VPN enabled are most at risk. It is crucial to note that devices managed through the Nebula cloud management system are not affected by this vulnerability.
The Helldown ransomware, which emerged in August 2024, is now exploiting CVE-2024-11667 to target vulnerable Zyxel firewalls. Derived from the LockBit ransomware builder, Helldown uses advanced techniques to infiltrate networks and encrypt valuable data, disrupting operations.
As of now, Helldown has listed 32 victims worldwide, including five organizations in Germany. The ransomware's use of this vulnerability is particularly concerning because patching alone does not end the exposure: a device that was updated after being exploited remains at risk if the administrator credentials obtained by the attackers were never changed.
The primary attack vector involves exploiting the CVE-2024-11667 vulnerability to gain initial access to targeted systems. Attackers then use post-exploitation tactics to establish persistent backdoors for continued access, leading to data exfiltration, file encryption, and operational disruptions.
Organizations using Zyxel firewalls should monitor their systems for signs of compromise, such as unusual VPN connections, changes to firewall rules, unauthorized logins, and stolen credentials for Active Directory access.
To mitigate risks, organizations should upgrade to ZLD 5.39, change passwords, remove unauthorized accounts, and tighten security policies. Zyxel recommends disabling unnecessary remote access, changing default ports, enabling two-factor authentication, and using Geo-IP filtering for enhanced security.
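The exposure conditions above (firmware 4.32 through 5.38, remote management or SSL VPN enabled, the Nebula exception, and the lingering risk from unrotated administrator credentials) can be turned into a triage pass over a device inventory. The following script is an added example, not code from Zyxel or CERT-Bund; the inventory records are constructed sample data and the `V5.38(...)`-style version string handling is an assumption about how the firmware reports itself.

```python
# Added example: triage a Zyxel firewall inventory against the CVE-2024-11667
# exposure conditions described in the advisory text. Inventory data below is
# constructed; version-string format handling is an assumption.
from dataclasses import dataclass

VULN_MIN = (4, 32)   # first affected ZLD release named in the advisory
VULN_MAX = (5, 38)   # last affected ZLD release
FIXED = (5, 39)      # ZLD 5.39 is the fixed release

def parse_zld(version: str) -> tuple:
    """Parse '5.38' or an assumed 'V5.38(ABUJ.0)'-style string to (major, minor).
    Numeric comparison matters: as versions 4.9 < 4.32, but as strings it is not."""
    core = version.strip().lstrip("Vv").split("(")[0]
    major, minor = core.split(".")[:2]
    return int(major), int(minor)

def is_vulnerable_version(version: str) -> bool:
    return VULN_MIN <= parse_zld(version) <= VULN_MAX

@dataclass
class Firewall:
    name: str
    firmware: str
    remote_mgmt: bool      # WAN-side remote management enabled
    ssl_vpn: bool          # SSL VPN service enabled
    nebula_managed: bool   # managed via Nebula cloud (not affected per advisory)
    creds_rotated: bool    # admin credentials changed since the exposure window

def triage(fw: Firewall) -> tuple:
    """Return (risk level, list of recommended actions) for one device."""
    if fw.nebula_managed:
        return "not affected", []
    vulnerable = is_vulnerable_version(fw.firmware)
    exposed = fw.remote_mgmt or fw.ssl_vpn
    actions = []
    if vulnerable:
        actions.append("upgrade to ZLD 5.39")
    if vulnerable and exposed:
        actions.append("disable unnecessary remote access and review VPN configuration")
    # Patched devices stay at risk while credentials stolen earlier remain valid.
    if not fw.creds_rotated:
        actions.append("rotate admin passwords and remove unauthorized accounts")
    if vulnerable and exposed:
        return "critical", actions
    if vulnerable or not fw.creds_rotated:
        return "high", actions
    return "low", actions

SAMPLE_INVENTORY = [  # constructed sample data
    Firewall("branch-fw", "V5.36(ABUJ.0)", True, True, False, False),
    Firewall("hq-fw", "5.39", False, True, False, True),
    Firewall("lab-fw", "5.30", True, False, True, False),
]

def triage_inventory(inventory=SAMPLE_INVENTORY) -> dict:
    return {fw.name: triage(fw)[0] for fw in inventory}
```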
Regular backups, encryption, and continuous monitoring are essential for securing systems against ransomware attacks like Helldown. Timely firmware updates and strong access controls are critical in preventing future cyberattacks on network devices.