A team of Dutch security researchers from Eye Control has discovered a backend account with networking products from Taiwanese company Zyxel, which puts their devices at risk.
More than 100,000 Zyxel firewalls, VPN gateways, and access point controllers include an encrypted admin-level back account that can grant attackers access to devices via an SSH interface or web admin panel.
Device owners are advised to update systems as soon as time permits, and security experts warn that anyone ranging from DDoS network operators to state-sponsored hacking groups and ransomware gangs could misuse this encrypted back account to gain access to vulnerable devices and migrate to internal networks to launch Additional attacks.
The affected models include many of Zyxel’s best products from the line of business devices, typically deployed across private enterprises and government networks.
This includes Zyxel product lines such as:
- ATP Series – primarily used as a firewall.
- USG Series – Used as a hybrid firewall and gateway to a virtual private network.
- USG FLEX Series – Used as a hybrid firewall and gateway to a virtual private network.
- VPN Chain – Used as a gateway to the virtual private network.
- NXC Series – Used as the access point controller for the wireless network.
Many of these devices are used within the corporate network, and once compromised attackers allow them to be used to launch further attacks against internal hosts.
According to Zyxel, security patches are currently available for ATP Series, USG, USG Flex and VPN only, and patches for NXC Series are expected to appear in April 2021.
Installing the patches removes the back-end account, which, according to Eye Control researchers, uses the username (zyfwp) and the password (PrOw! AN_fXp).
The Dutch researchers said: The back-end account had access to the device’s root user because it was used to install firmware updates for other Zyxel devices interconnected via FTP.
Attackers now have access to a wide range of victims, most of them companies. The vulnerable devices are mainly marketed to companies as a way to control who can access the intranet and intranets from remote sites.
Security vulnerabilities in network devices are often exploited to attack businesses and government networks, and a new backdoor within Zyxel’s products may offer a whole new group of companies and government agencies the same type of attacks that have occurred over the past two years.