Helldown ransomware exploits Zyxel VPN flaw to breach networks

November 19, 2024 at 12:03PM

The ‘Helldown’ ransomware operation targets vulnerabilities in Zyxel firewalls, enabling data theft and device encryption. Newly documented, it has quickly amassed victims, primarily small to medium-sized firms. Recent findings indicate potential exploitation of a specific Zyxel vulnerability, with ongoing investigations into its tactics and payloads.

**Meeting Takeaways: Helldown Ransomware Operation Overview**

1. **Overview and Targeting**:
– Helldown ransomware is exploiting vulnerabilities in Zyxel firewalls to penetrate corporate networks, stealing data and encrypting devices.
– French cybersecurity firm Sekoia has medium confidence in these reports based on recent observations.

2. **Victim Details**:
– Since its emergence in summer 2024, Helldown has gained traction, listing 31 victims on its extortion portal, primarily small and medium-sized firms in the U.S. and Europe. That count has since dropped to 28, which may indicate that some victims paid the ransom.

3. **Technical Insights**:
– The ransomware shows similarities to LockBit 3; its encryptor is basic and relies on straightforward methods (e.g., batch files to terminate processes).
– A Linux variant targeting VMware files is under development, and its functionality is still incomplete.

4. **Specific Vulnerabilities**:
– At least eight victims utilized Zyxel firewalls, indicating a specific targeting pattern.
– Evidence suggests exploitation of the CVE-2024-42057 vulnerability, fixed in firmware version 5.39, which may have been leveraged for unauthorized access.

5. **Malicious Tools and Activity**:
– The threat actors employed a malicious account ‘OKSDW82A’ and a configuration file ‘zzz1.conf’ linked to attacks.
– Suspicious activities associated with these tools have been reported on Zyxel forums.
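As an added example (not from the article or from Sekoia), the following Python script shows how a defender could sweep a firewall inventory for the two indicators named above and for firmware older than the 5.39 fix for CVE-2024-42057. The inventory format, hostnames and the `V<major>.<minor>(...)` firmware-string layout are assumptions for illustration, and the sample devices are constructed.

```python
import re

# Indicators taken from the article: the account name and the config file name
SUSPICIOUS_ACCOUNTS = {"OKSDW82A"}
SUSPICIOUS_CONFIG_FILES = {"zzz1.conf"}
# The article states CVE-2024-42057 is fixed in firmware 5.39
PATCHED_VERSION = (5, 39)


def parse_firmware_version(version_string):
    """Extract (major, minor) from a string such as 'V5.38(ABUI.0)'.
    The 'V<major>.<minor>(...)' layout is an assumption for this example."""
    m = re.search(r"V?(\d+)\.(\d+)", version_string)
    if not m:
        raise ValueError(f"unrecognised firmware version: {version_string!r}")
    return int(m.group(1)), int(m.group(2))


def assess_device(hostname, firmware, admin_accounts, config_files):
    """Return a list of human-readable findings for one firewall."""
    findings = []
    if parse_firmware_version(firmware) < PATCHED_VERSION:
        findings.append(f"{hostname}: firmware {firmware} predates the 5.39 fix for CVE-2024-42057")
    for account in admin_accounts:
        if account.upper() in SUSPICIOUS_ACCOUNTS:  # case-insensitive match on the account name
            findings.append(f"{hostname}: Helldown-linked account present: {account}")
    for cfg in config_files:
        if cfg.lower() in SUSPICIOUS_CONFIG_FILES:
            findings.append(f"{hostname}: Helldown-linked config file present: {cfg}")
    return findings


# Constructed inventory: hostnames, firmware strings and account lists are made up
SAMPLE_INVENTORY = [
    {"hostname": "fw-branch-01", "firmware": "V5.38(ABUI.0)",
     "admin_accounts": ["admin", "OKSDW82A"],
     "config_files": ["startup-config.conf", "zzz1.conf"]},
    {"hostname": "fw-hq-01", "firmware": "V5.39(ABUI.0)",
     "admin_accounts": ["admin"], "config_files": ["startup-config.conf"]},
]


def run_inventory(inventory=SAMPLE_INVENTORY):
    """Assess every device and map hostname -> findings (empty list means clean)."""
    return {d["hostname"]: assess_device(d["hostname"], d["firmware"],
                                         d["admin_accounts"], d["config_files"])
            for d in inventory}


if __name__ == "__main__":
    for host, findings in run_inventory().items():
        print(host, findings or ["no findings"])
```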

6. **Future Vigilance Recommended**:
– Ongoing monitoring for potential exploits and vulnerabilities related to Zyxel products is essential for preventing further breaches.
– Communication with Zyxel regarding the reported attacks is pending, highlighting the need for an immediate response.

7. **Overall Assessment**:
– Confirmed patterns suggest that Helldown is rapidly evolving, presenting a significant threat, particularly to organizations using Zyxel firewalls. Immediate action and increased cybersecurity measures are advised.
