Over 100,000 Zyxel firewalls, VPN gateways and access point controllers contain a hardcoded administrator-level backdoor account that can give attackers root access to the appliance via the SSH interface or the web admin panel.
The backdoor account was discovered by researchers at the Dutch security firm Eye Control.
Owners of vulnerable devices should update their systems as soon as possible.
According to the researchers, the backdoor account in Zyxel firewalls and VPN gateways could be used by DDoS botnet operators, ransomware gangs and state-sponsored hacking groups to gain access to vulnerable devices and move into internal networks for further breaches and attacks.
Affected models include many of Zyxel's leading enterprise products, commonly used in private corporate and government networks.
The affected Zyxel product lines are:
- the Advanced Threat Protection (ATP) series - mainly used as a firewall
- the Unified Security Gateway (USG) series - used as a hybrid firewall and VPN gateway
- the USG FLEX series - used as a hybrid firewall and VPN gateway
- the VPN series - used as a VPN gateway
- the NXC series - used as a WLAN access point controller
Currently, patches are only available for the ATP, USG, USG FLEX and VPN series. According to Zyxel, updates for the NXC series are expected in April 2021.
Researchers easily discovered the backdoor account
Security researchers easily discovered the backdoor account, which they say uses the username "zyfwp" and the password "PrOw! AN_fXp". Installing the patch removes the backdoor account from the device.
"The plain text password was visible in one of the system binaries", said the Dutch researchers.
The backdoor account had root access to the device because it was used to push firmware updates to other interconnected Zyxel devices via FTP.
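Because the account reaches the device over SSH and the web admin panel, a defender's first question is whether it has ever authenticated. The following is an added example (not from the article or from Zyxel): it scans authentication log lines for any event involving the "zyfwp" username. The log format is a constructed, generic syslog-style layout; a real deployment would adapt the two regular expressions to the appliance's actual log format.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log lines in a generic syslog style (not real Zyxel output);
# the field layout is an assumption made for this illustration.
SAMPLE_LOGS = """\
Jan 02 10:15:01 usg-fw sshd: Accepted password for admin from 10.0.5.20 port 51234
Jan 02 10:15:44 usg-fw sshd: Accepted password for zyfwp from 203.0.113.7 port 40022
Jan 02 10:16:02 usg-fw httpd: Login user=zyfwp ip=198.51.100.9 result=success
Jan 02 10:17:30 usg-fw sshd: Failed password for zyfwp from 203.0.113.8 port 40100
Jan 02 10:18:11 usg-fw httpd: Login user=admin ip=10.0.5.21 result=success
"""

# The account name reported by the researchers; it is the only indicator used here.
BACKDOOR_USER = "zyfwp"

# Assumed patterns for the two channels the article names: SSH and the web admin panel.
SSH_RE = re.compile(r"sshd: (?P<status>Accepted|Failed) password for (?P<user>\S+) from (?P<ip>\S+)")
WEB_RE = re.compile(r"httpd: Login user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<status>\S+)")


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return {user, ip, channel, success} for a recognised auth event, else None."""
    m = SSH_RE.search(line)
    if m:
        return {"user": m["user"], "ip": m["ip"], "channel": "ssh",
                "success": m["status"] == "Accepted"}
    m = WEB_RE.search(line)
    if m:
        return {"user": m["user"], "ip": m["ip"], "channel": "web",
                "success": m["status"] == "success"}
    return None


def find_backdoor_logins(log_text: str) -> List[Dict[str, object]]:
    """Flag every authentication event, successful or failed, for the backdoor account.

    Failed attempts matter too: they show someone is probing for the account.
    """
    hits = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event and event["user"] == BACKDOOR_USER:
            hits.append(event)
    return hits
```

A single successful hit for this account is an incident indicator, not a misconfiguration: the credential is not meant to be used interactively by anyone.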
A similar backdoor incident happened in 2016 as well
IoT security researcher Ankit Anubhav told ZDNet that Zyxel should have learned its lesson from a previous incident that took place in 2016.
Zyxel devices released at that time contained a secret backdoor mechanism that allowed anyone to elevate an account to administrator level on a Zyxel device using the "zyad5001" SU (super-user) password.
"It's amazing to see another hardcoded credential, as Zyxel is well aware that the last time this happened, it was used by many botnets," Anubhav told ZDNet.
However, this time with CVE-2020-29583 (the identifier assigned to the new backdoor account), things are worse, as it gives intruders direct access to the device. Furthermore, a wider range of devices is affected, unlike the 2016 backdoor, which only affected home routers.
Attackers can now target more victims, most of them companies, since the vulnerable devices are mainly deployed in businesses as a way to control remote access to intranets and internal networks.
Preparation for ransomware attacks and espionage?
Vulnerabilities in Pulse Secure, Fortinet, Citrix, MobileIron and Cisco devices have been used to attack companies and government networks.
The new Zyxel backdoor account could also be used for such attacks.