‘Sophisticated threat actor’ is targeting Zyxel firewalls and VPNs

Customers of networking solutions products made by Zyxel have been warned that a “sophisticated” threat actor is actively targeting its firewalls and VPNs.

In a screenshot of an advisory posted on Twitter, the company advised users to tighten their security protocols in defense against the as-yet-unnamed attackers.

The letter reads: “We recently became aware of a sophisticated threat actor targeting a small subset of Zyxel security appliances that have remote management or SSL VPN enabled, namely in the USG/ZyWALL, USG FLEX, ATP, and VPN series running on-premise ZLD firmware. Those running the nebula cloud management mode are not affected.

“We’re aware of the situation and have been working our best to investigate and resolve it.”

The attacker in question has been attempting to access devices through WAN, Zyxel explained. If successful, the attacker could bypass authentication and connect to unknown accounts in the devices, “such as ‘zyxel_sllvpn’, ‘zyxel_ts’, or ‘zyxel_vpn_test’”.

Zyxel said the most effective way of reducing the attack surface is “maintaining a proper security policy for remote access”, including blocking unknown IP addresses and only enabling access from trusted locations.

The company advises users to disable HTTP/HTTPS services from WAN, unless they have to manage devices from the WAN side, and if so, to follow the above practices.

The Zyxel website contains a detailed account of best practices for securing a distributed network infrastructure.

Source: https://portswigger.net/daily-swig/sophisticated-threat-actor-is-targeting-zyxel-firewalls-and-vpns