Zyxel Firewalls Exploited for Ransomware Attacks; 20 Security Flaws Discovered in Advantech Access Points


New security vulnerabilities emerge daily, forcing organizations to continuously monitor their expanding attack surface to prevent exploitation. Among the latest critical threats are vulnerabilities affecting Zyxel firewalls and Advantech wireless access point devices.

In this blog, we will outline the critical vulnerabilities impacting these devices, their potential consequences, and the steps organizations can take to secure their networks.

Active Exploitation of Zyxel Firewalls with CVE-2024-11667

Zyxel recently disclosed an actively exploited high-severity vulnerability that has been linked to ransomware deployments targeting its firewalls. This vulnerability, identified as CVE-2024-11667 and assigned a CVSS score of 7.5, presents significant risks for affected users.

According to Zyxel’s advisory updated two days ago, the flaw is a directory traversal vulnerability located in the web management interface of specific firewall firmware versions. Exploitation of this vulnerability allows attackers to download or upload files using specially crafted URLs. This capability could be weaponized to deliver ransomware, exfiltrate sensitive data, or execute further malicious actions.
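The page states that the flaw is a directory traversal in the web management interface, reached through crafted URLs, but it does not publish the request paths. The following is an added example (not Zyxel's or SOCRadar's code) of the kind of log check a defender can run on exported web-interface access logs to surface traversal-style requests while deciding whether a device was probed before patching. The log format, IP addresses and paths are constructed for the example and are not the CVE-2024-11667 exploit requests; the detector normalises percent-encoding (one extra round for double-encoded input) and backslashes before looking for `..` path segments.

```python
"""Flag HTTP requests whose path contains directory-traversal sequences.

Added example; the sample log lines and paths are constructed and are not
taken from any real exploitation of CVE-2024-11667.
"""
import re
from urllib.parse import unquote

# Generic "combined"-style access log line; adjust for the real export format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalise_path(path: str) -> str:
    """Percent-decode up to twice (catches double encoding) and unify slashes."""
    decoded = path
    for _ in range(2):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def has_traversal(path: str) -> bool:
    """True when any normalised path component is exactly '..'.

    The query string is dropped so that '..' inside parameters is ignored;
    extend this if the interface is known to take file names as parameters.
    """
    clean = normalise_path(path.split("?", 1)[0])
    return any(seg == ".." for seg in clean.split("/"))


def scan_log(lines):
    """Return (ip, method, raw_path) for each request that looks like traversal."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real tool would count these
        if has_traversal(m["path"]):
            hits.append((m["ip"], m["method"], m["path"]))
    return hits


# Constructed sample log (addresses from documentation ranges, invented paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Nov/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1234',
    '203.0.113.9 - - [21/Nov/2024:10:01:05 +0000] "GET /files/../../config HTTP/1.1" 404 0',
    '203.0.113.9 - - [21/Nov/2024:10:01:06 +0000] "GET /files/%2e%2e/%2e%2e/config HTTP/1.1" 404 0',
    '203.0.113.9 - - [21/Nov/2024:10:01:07 +0000] "PUT /upload/%252e%252e%252fstaging.txt HTTP/1.1" 200 0',
    '198.51.100.4 - - [21/Nov/2024:10:02:00 +0000] "GET /docs/readme..txt HTTP/1.1" 200 55',
    'not a log line',
]

if __name__ == "__main__":
    for ip, method, path in scan_log(SAMPLE_LOG):
        print(f"traversal-like request from {ip}: {method} {path}")
```

Note that a hit is a triage signal, not proof of compromise: a 404 on a traversal probe is common background noise, whereas a 200 on an upload-style request to a management interface deserves a closer look.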

Details of CVE-2024-11667 (SOCRadar Vulnerability Intelligence)


The active exploitation of CVE-2024-11667 calls for immediate action from Zyxel firewall users. Organizations running affected firmware versions must prioritize patching or put interim mitigations in place to secure their systems against this rapidly evolving threat.

How Was CVE-2024-11667 Exploited?

In its advisory published on November 21, Zyxel confirmed that threat actors are actively targeting its firewalls using previously disclosed vulnerabilities and CVE-2024-11667.

The activity aligns with observations made by researchers investigating Helldown ransomware, which has been linked to exploiting CVE-2024-11667 to gain initial access to victim networks. View the advisory here.

Exploitation of these vulnerabilities could compromise sensitive data, such as credentials. Attackers can use this access to establish VPN connections, modify firewall settings, and enable further exploitation or data exfiltration, severely undermining network security and operations.

Affected Zyxel firmware and versions include:

  • ATP Series: versions V5.00 through V5.38
  • USG FLEX Series: versions V5.00 through V5.38
  • USG FLEX 50(W) Series: versions V5.10 through V5.38
  • USG20(W)-VPN Series: versions V5.10 through V5.38

Note: Devices operating in Nebula cloud management mode are not affected, as stated by Zyxel here.
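As an added example (not Zyxel's or SOCRadar's tooling) of turning the list above into an inventory check, the script below encodes the four affected series and their inclusive version ranges exactly as the advisory text on this page gives them, excludes Nebula-managed devices as the note states, and reports which devices need the update. The version-string format (`V5.38`, a leading `V` and dotted integers) and the inventory records are assumptions made for the example.

```python
"""Triage a Zyxel firewall inventory against the CVE-2024-11667 affected ranges.

Added example. Ranges are copied from the advisory text on this page; the
inventory entries are constructed sample data.
"""
from __future__ import annotations

from typing import NamedTuple

# Inclusive affected ranges per series, as listed in the advisory.
AFFECTED_RANGES = {
    "ATP": ("V5.00", "V5.38"),
    "USG FLEX": ("V5.00", "V5.38"),
    "USG FLEX 50(W)": ("V5.10", "V5.38"),
    "USG20(W)-VPN": ("V5.10", "V5.38"),
}

FIXED_VERSION = "V5.39"  # first release Zyxel states addresses the flaw


def parse_version(v: str) -> tuple[int, ...]:
    """'V5.38' -> (5, 38); raises ValueError on anything unexpected."""
    v = v.strip()
    if not v.upper().startswith("V"):
        raise ValueError(f"unexpected version format: {v!r}")
    return tuple(int(part) for part in v[1:].split("."))


class Device(NamedTuple):
    hostname: str
    series: str
    firmware: str
    nebula_managed: bool  # True when in Nebula cloud management mode


def is_affected(device: Device) -> bool:
    """True when the device runs an in-range firmware in on-premise mode."""
    if device.nebula_managed:
        return False  # advisory note: Nebula-managed devices are not affected
    if device.series not in AFFECTED_RANGES:
        return False  # series not named in the advisory
    low, high = AFFECTED_RANGES[device.series]
    ver = parse_version(device.firmware)
    return parse_version(low) <= ver <= parse_version(high)


def triage(inventory) -> list[str]:
    """Hostnames that need the firmware update or an interim mitigation."""
    return [d.hostname for d in inventory if is_affected(d)]


# Constructed sample inventory (hostnames and versions invented for the example).
SAMPLE_INVENTORY = [
    Device("fw-hq-01", "ATP", "V5.38", nebula_managed=False),
    Device("fw-hq-02", "ATP", "V5.39", nebula_managed=False),
    Device("fw-branch-03", "USG FLEX 50(W)", "V5.05", nebula_managed=False),  # below listed range
    Device("fw-branch-04", "USG20(W)-VPN", "V5.20", nebula_managed=True),
    Device("fw-branch-05", "USG FLEX", "V5.00", nebula_managed=False),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected, update to {FIXED_VERSION} or later, and rotate admin credentials")
```

A device that falls outside the listed range is reported as not affected only in the sense of this advisory; it should still be checked against the vendor's other published advisories.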

What is Helldown Ransomware?

Helldown is a ransomware group that surfaced in August 2024 and has since gained notoriety for targeting small and medium-sized businesses, primarily in the United States and Europe. By November 7, 2024, the group had reportedly compromised 31 victims, including Zyxel’s European subsidiary.

The Helldown ransomware group also reportedly employs various tactics to maximize the impact of its attacks, including shadow copy deletion to hinder data recovery, script drop and execution to automate malicious actions, machine encryption to lock critical files, and trace removal to evade detection and forensics.

To sum up the group’s activities, here are its key strategies:

  • Double Extortion Tactics: The group exfiltrates large volumes of sensitive data before encrypting files. Victims face additional pressure as Helldown threatens to publicly expose the stolen information on their data leak site if the ransom is not paid.
  • Exploitation of Network Device Vulnerabilities: To gain initial access, Helldown frequently exploits vulnerabilities in network devices, including Zyxel firewalls. Once inside the network, they deploy custom ransomware to encrypt files and demand payments for decryption.
  • Multiplatform Ransomware: With ransomware variants targeting both Windows and Linux systems, Helldown demonstrates the technical ability to attack diverse infrastructures. Their Windows ransomware is reportedly derived from the leaked LockBit 3 builder, highlighting their advanced capabilities.

Recommendations to Prevent Exploitation of Your Zyxel Device

To protect networks and mitigate potential attacks, Zyxel has outlined several proactive measures for users of their devices. Following these guidelines is essential to prevent exploitation of vulnerabilities like CVE-2024-11667 and secure organizational infrastructures.

Zyxel has confirmed that firewall firmware version 5.39, released on September 3, 2024, and later, addresses known exploited vulnerabilities, including CVE-2024-11667. Updating firmware and changing admin passwords are strongly urged to prevent threat actors from exploiting previously disclosed vulnerabilities.

If an immediate firmware update is not feasible, it is recommended to temporarily disable remote access to devices. For additional advice, Zyxel suggests going over general cybersecurity best practices and reviewing their guide for protecting distributed network infrastructures.

Additionally, in combating ransomware threats, organizations should:

  • Continuously watch for unauthorized access attempts to detect potential breaches early.
  • Regularly update passwords to close off access for any previously breached accounts.
  • Follow the 3-2-1 backup strategy—keeping three copies of data, on two different media, with one off-site—to ensure operational continuity in case of ransomware attacks.

Proactively Safeguard Your Network with SOCRadar’s Vulnerability Intelligence

Staying ahead of cyber threats is critical as vulnerabilities are discovered daily. Unpatched systems and overlooked weaknesses expose your organization to risks like ransomware, data breaches, and operational disruptions.

To combat these threats, SOCRadar’s Vulnerability Intelligence delivers real-time insights into newly disclosed vulnerabilities, their severity, and exploitability. It helps you identify which assets are most at risk and prioritize patching based on their criticality to your operations.

By integrating SOCRadar’s Vulnerability Intelligence, your security team gains access to:

  • Comprehensive databases of vulnerabilities with contextual risk scoring.
  • Timely alerts on exploits and actively targeted flaws.
  • Tailored remediation recommendations for effective response.

Don’t let vulnerabilities compromise your business. Use SOCRadar’s Vulnerability Intelligence to take control of your security posture.

Indicators of Compromise (IOCs)

Researchers have identified several Indicators of Compromise (IOCs) linked to Helldown ransomware attacks, particularly in its exploitation of Zyxel devices. These IOCs, in the format of SHA256 hashes, provide crucial artifacts for detecting potential breaches and understanding the tools and techniques employed by the threat group.

Helldown Windows Payloads

  • 0bfe25de8c46834e9a7c216f99057d855e272eafafdfef98a6012cecbbdcfab
  • 7cd7c04c62d2a8b4697ceebbe7dd95c910d687e4a6989c1d839117e55c1cafd7
  • 7731d73e048a351205615821b90ed4f2507abc65acf4d6fe30ecdb211f0b0872
  • 3e3fad9888856ce195c9c239ad014074f687ba288c78ef26660be93ddd97289e

Helldown Windows Icons, Ransom Notes, and Scripts

  • 2621c5c7e1c12560c6062fdf2eeeb815de4ce3856376022a1a9f8421b4bae8e1
  • 47635e2cf9d41cab4b73f2a37e6a59a7de29428b75a7b4481205aee4330d4d19
  • cb48e4298b216ae532cfd3c89c8f2cbd1e32bb402866d2c81682c6671aa4f8ea
  • 67aea3de7ab23b72e02347cbf6514f28fb726d313e62934b5de6d154215ee733
  • 2b15e09b98bc2835a4430c4560d3f5b25011141c9efa4331f66e9a707e2a23c0 (Overlaps with Darkrace and Donex malware families according to Sekoia)

Helldown Linux Payload

  • 6ef9a0b6301d737763f6c59ae6d5b3be4cf38941a69517be0f069d0a35f394dd

Helldown Linux Ransom Note

  • 9ab19741ac36e198fb2fd912620bf320aa7fdeeeb8d4a9e956f3eb3d2092c92c

Zyxel Compromise Artifact (zzz1.conf)

  • ccd78d3eba6c53959835c6407d81262d3094e8d06bf2712fefa4b04baadd4bfe
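The hashes above are only useful once they are loaded into something that computes digests and compares them. The script below is an added example (not SOCRadar's or the cited researchers' tooling) that embeds the page's IOC list with the labels used in the headings, validates each entry as a 64-character hex SHA256 (a truncated or mistyped hash silently never matches, so validation before loading is worth the two lines), and hashes files under a directory tree against the set. The directory-walking helper and the constructed sample bytes are assumptions for the example.

```python
"""Match files against the Helldown / Zyxel SHA256 IOCs listed on this page.

Added example. The hash values and labels come from this page's IOC section;
the scanning helpers and sample data are constructed for the example.
"""
import hashlib
import os
import re

# digest -> label, copied from the page's IOC section
IOCS = {
    "0bfe25de8c46834e9a7c216f99057d855e272eafafdfef98a6012cecbbdcfab": "Helldown Windows payload",
    "7cd7c04c62d2a8b4697ceebbe7dd95c910d687e4a6989c1d839117e55c1cafd7": "Helldown Windows payload",
    "7731d73e048a351205615821b90ed4f2507abc65acf4d6fe30ecdb211f0b0872": "Helldown Windows payload",
    "3e3fad9888856ce195c9c239ad014074f687ba288c78ef26660be93ddd97289e": "Helldown Windows payload",
    "2621c5c7e1c12560c6062fdf2eeeb815de4ce3856376022a1a9f8421b4bae8e1": "Helldown Windows icon/ransom note/script",
    "47635e2cf9d41cab4b73f2a37e6a59a7de29428b75a7b4481205aee4330d4d19": "Helldown Windows icon/ransom note/script",
    "cb48e4298b216ae532cfd3c89c8f2cbd1e32bb402866d2c81682c6671aa4f8ea": "Helldown Windows icon/ransom note/script",
    "67aea3de7ab23b72e02347cbf6514f28fb726d313e62934b5de6d154215ee733": "Helldown Windows icon/ransom note/script",
    "2b15e09b98bc2835a4430c4560d3f5b25011141c9efa4331f66e9a707e2a23c0": "Helldown Windows icon/ransom note/script (overlaps Darkrace/Donex)",
    "6ef9a0b6301d737763f6c59ae6d5b3be4cf38941a69517be0f069d0a35f394dd": "Helldown Linux payload",
    "9ab19741ac36e198fb2fd912620bf320aa7fdeeeb8d4a9e956f3eb3d2092c92c": "Helldown Linux ransom note",
    "ccd78d3eba6c53959835c6407d81262d3094e8d06bf2712fefa4b04baadd4bfe": "Zyxel compromise artifact (zzz1.conf)",
}

HEX64 = re.compile(r"^[0-9a-f]{64}$")


def validate_iocs(iocs) -> list:
    """Return entries that are not well-formed lowercase SHA256 hex digests."""
    return [h for h in iocs if not HEX64.match(h)]


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def lookup(digest: str):
    """Label for a digest (case-insensitive), or None when it is not an IOC."""
    return IOCS.get(digest.strip().lower())


def scan_tree(root: str) -> list:
    """Walk a directory; return [(path, label)] for files whose digest is an IOC."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                label = lookup(sha256_of_file(p))
            except OSError:
                continue  # unreadable file; log this in a real tool
            if label:
                hits.append((p, label))
    return hits


# Constructed benign sample; its digest is not in the list.
SAMPLE_BYTES = b"constructed sample data for the example, not malware"

if __name__ == "__main__":
    bad = validate_iocs(IOCS)
    if bad:
        print("malformed IOC entries (will never match):", bad)
    print("sample bytes match:", lookup(sha256_of_bytes(SAMPLE_BYTES)))
```

Hash IOCs only catch byte-identical artifacts; a rebuilt payload will not match, so pair them with the behavioural indicators the page describes (shadow copy deletion, script drops, configuration changes on the firewall).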

Critical Vulnerabilities Discovered in Advantech Wireless Devices

In other news, multiple serious vulnerabilities were discovered and subsequently addressed in Advantech EKI wireless access point devices. The discovery involves a total of 20 vulnerabilities, posing high risk for industrial operations. These devices, essential for environments like EV battery production lines, play an important role in communication and control systems, and disruptions could significantly impact operations.

Among the vulnerabilities, six are deemed critical, each with a CVSS score of 9.8. Five (CVE-2024-50370 through CVE-2024-50374) result from improper neutralization of operating system commands, and one (CVE-2024-50375) relates to missing authentication for critical functions. Exploiting these flaws could lead to Remote Code Execution (RCE), enabling attackers to hijack devices or infiltrate networks.

Notably, researchers highlighted an over-the-air attack chain involving CVE-2024-50376 (Cross-Site Scripting) and CVE-2024-50359 (OS Command Injection), two other vulnerabilities from the discovery.

Possible Attack Vectors

Researchers found that the vulnerabilities in Advantech wireless access points expose two main attack paths:

  1. LAN/WAN Exploitation: Attackers with direct access to the network can craft malicious requests targeting the device’s vulnerable services.
  2. Over-the-Air Attacks: This unique method leverages wireless proximity, allowing attackers to exploit vulnerabilities without needing network access.

They demonstrated an over-the-air attack chain that begins with broadcasting rogue beacon frames from a malicious access point – when an administrator accesses the device’s ‘Wi-Fi Analyzer’ section, unsanitized data from these frames triggers CVE-2024-50376 (CVSS 7.3), allowing arbitrary JavaScript injection. Combining the flaw with another, namely CVE-2024-50359 (CVSS 7.2), attackers can potentially execute deeper system manipulations, such as establishing reverse shells for ongoing control of compromised devices.
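The root cause the page describes for CVE-2024-50376 is a web page that renders data taken from received beacon frames without sanitizing it. The following is an added example, not Advantech's or Nozomi Networks' code, of the defensive pattern an embedded web UI should follow when it displays scanned networks: treat the SSID as untrusted bytes, decode it defensively, and HTML-escape it at output time. The vulnerable rendering function is shown next to the hardened one; the sample beacon entries and both render functions are constructed for the example and are not the vendor's implementation.

```python
"""Render scanned-network (beacon) data in a web UI without script injection.

Added example. Everything here is constructed to illustrate output escaping;
it is not the affected product's code.
"""
from html import escape

MAX_SSID_BYTES = 32  # an 802.11 SSID element carries at most 32 octets


def ssid_to_text(raw: bytes) -> str:
    """Decode an SSID as UTF-8, replacing undecodable bytes, capped at 32 octets."""
    return raw[:MAX_SSID_BYTES].decode("utf-8", errors="replace")


def render_row_unsafe(ssid: str, channel: int) -> str:
    """Vulnerable pattern: over-the-air text interpolated straight into HTML."""
    return f"<tr><td>{ssid}</td><td>{channel}</td></tr>"


def render_row_safe(ssid: str, channel: int) -> str:
    """Hardened pattern: escape untrusted text; coerce numbers to numbers."""
    return f"<tr><td>{escape(ssid, quote=True)}</td><td>{int(channel)}</td></tr>"


def render_table(networks, renderer=render_row_safe) -> str:
    """Build the analyzer table from (raw_ssid_bytes, channel) pairs."""
    rows = "".join(renderer(ssid_to_text(raw), ch) for raw, ch in networks)
    return f"<table>{rows}</table>"


def markup_survives(html: str) -> bool:
    """Check helper: does a literal <script> tag appear in the rendered output?"""
    return "<script>" in html


# Constructed beacon data. An SSID may legally contain markup characters or
# arbitrary bytes; the analyzer page must display them, never interpret them.
SAMPLE_NETWORKS = [
    (b"plant-floor-ap", 6),
    (b"<script>alert(1)</script>", 11),
    (b"\xff\xfeodd-bytes", 1),
]

if __name__ == "__main__":
    print("unsafe renderer leaks markup:", markup_survives(render_table(SAMPLE_NETWORKS, render_row_unsafe)))
    print("safe renderer leaks markup:  ", markup_survives(render_table(SAMPLE_NETWORKS)))
```

Output escaping closes the injection point the chain starts from; a Content-Security-Policy on the management interface and an authenticated, non-shell path for any follow-on action are the layers that would blunt the second half of the chain (CVE-2024-50359) even if escaping were missed somewhere.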

How does Over-the-Air attack work? (Source: Nozomi Networks)


Exploitation of the Advantech vulnerabilities can lead to severe outcomes. Attackers may establish persistent access by installing backdoors, allowing them to repeatedly exploit the network and maintain prolonged control. Critical operations, such as automated machinery control, risk disruption through Denial of Service (DoS) attacks, potentially halting production and causing significant losses. Additionally, compromised devices can serve as gateways for lateral movement, enabling further attacks, such as data theft or the deployment of ransomware, across the network.

These attack vectors highlight the risks to industrial wireless networks, where vulnerabilities can disrupt both localized operations and broader system interconnectivity.

Firmware Updates Are Available from Advantech

Advantech has addressed the identified vulnerabilities by releasing updated firmware versions for the affected devices:

  • EKI-6333AC-2G and EKI-6333AC-2GD: version 1.6.5
  • EKI-6333AC-1GPO: version 1.2.2

Organizations are strongly encouraged to apply these updates immediately. Upgrading to the latest firmware versions is essential to protect devices from unauthorized access, mitigate risks of remote code execution, and prevent potential exploitation of these vulnerabilities.

As your digital footprint expands, so does your exposure to cyber threats. Unmonitored assets and shadow IT leave your organization vulnerable to attacks, making visibility crucial to your defense strategy. SOCRadar’s Attack Surface Management (ASM) provides a 360-degree view of your external attack surface, identifying exposed assets, open ports, and vulnerabilities before attackers do.

Secure your digital perimeter with SOCRadar ASM and reduce the risk of costly breaches. Gain the visibility you need to protect your organization effectively.


With SOCRadar’s ASM module, you can:

  • Detect and map all digital assets linked to your organization.
  • Identify potential weak points, including unpatched systems and misconfigured services.
  • Continuously monitor your attack surface for changes and emerging threats.

Article Link: https://socradar.io/zyxel-firewalls-exploited-for-ransomware-attacks-20-security-flaws-discovered-in-advantech-access-points/