Original Release Date: 1/7/2021
Threat actors are actively scanning for open SSH ports after a vulnerability was recently revealed in Zyxel Firewall and AP Controllers. The vulnerability, CVE-2020-29583, may allow remote administrative access, granting an attacker the ability to change firewall settings, intercept traffic, create VPN accounts to gain access to the network behind the device, and perform additional administrative functions. This vulnerability exists due to hardcoded administrative credentials used to update firewall and AP controller firmware. The login name is 'zyfwp' and has a static plain-text password that cannot be changed. Researchers at GreyNoise discovered at least three different IP addresses actively scanning for SSH ports and attempting to use the Zyxel backdoor credentials. Affected systems include Zyxel Firewall ATP, USG, USG FLEX, and VPN version 4.60, and Zyxel AP Controllers NXC2500 and NXC5500 version 6.10. Zyxel released the ZLD V4.60 Patch 1, and plans to roll out a patch for AP controllers on January 8, 2021.
The NJCCIC recommends users of affected Zyxel devices apply patches immediately after appropriate testing, apply the Principle of Least Privilege to all systems and services, and close unnecessary ports. Additional reporting can be found in the Bleeping Computer article.
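As an added example (not part of the NJCCIC advisory), the following Python script shows one way to detect attempts to use the hardcoded 'zyfwp' account in SSH authentication logs, separating failed attempts (scanning) from accepted logins (compromise). It assumes OpenSSH-style sshd syslog lines, which a Zyxel device's own syslog format may not match, and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Hardcoded account named in the advisory for CVE-2020-29583.
BACKDOOR_USER = "zyfwp"

# Assumption: OpenSSH-style sshd auth lines. Adapt the pattern to the
# syslog format your Zyxel device or SSH sensor actually emits.
SSH_AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Accepted|Failed|Invalid user)\s+"
    r"(?:password for |publickey for )?(?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+)"
)

# Constructed sample log lines (documentation/test addresses only).
SAMPLE_LOG = """\
Jan  7 10:01:12 fw1 sshd[2210]: Failed password for zyfwp from 203.0.113.5 port 51234 ssh2
Jan  7 10:01:15 fw1 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 4001 ssh2
Jan  7 10:01:20 fw1 sshd[2212]: Invalid user zyfwp from 192.0.2.9 port 3333
Jan  7 10:01:31 fw1 sshd[2213]: Accepted password for zyfwp from 203.0.113.5 port 51240 ssh2
Jan  7 10:02:02 fw1 sshd[2214]: Accepted publickey for ops from 10.0.0.4 port 60000 ssh2
"""


def parse_ssh_events(lines):
    """Yield (outcome, user, source_ip) for each sshd auth line that matches."""
    for line in lines:
        m = SSH_AUTH_RE.search(line)
        if m:
            yield m.group("outcome"), m.group("user"), m.group("ip")


def detect_backdoor_activity(lines):
    """Count attempts against the backdoor account per source IP and
    record any source that actually logged in as that account."""
    attempts = Counter()   # source ip -> number of attempts as BACKDOOR_USER
    successes = []         # source ips with an Accepted login as BACKDOOR_USER
    for outcome, user, ip in parse_ssh_events(lines):
        if user != BACKDOOR_USER:
            continue       # other accounts are out of scope for this detection
        attempts[ip] += 1
        if outcome == "Accepted":
            successes.append(ip)
    return {"attempts": attempts, "successes": successes}


if __name__ == "__main__":
    result = detect_backdoor_activity(SAMPLE_LOG.splitlines())
    for ip, n in result["attempts"].most_common():
        print(f"{ip}: {n} attempt(s) as {BACKDOOR_USER}")
    for ip in result["successes"]:
        print(f"CRITICAL: accepted login as {BACKDOOR_USER} from {ip}")
```

Any entry in `successes` means the device was reachable with the backdoor account and should be treated as compromised, not merely scanned.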