November 25, 2024 at 12:56PM
Zyxel warns that threat actors are exploiting a patched command injection vulnerability (CVE-2024-42057) in its firewalls, which can lead to remote code execution. The Helldown ransomware group has targeted affected devices. Administrators should upgrade to firmware 5.39; earlier versions (4.32 through 5.38) remain exposed. Immediate action is advised.
### Meeting Takeaways
1. **Vulnerability Alert**: Zyxel has issued a warning regarding a command injection vulnerability (CVE-2024-42057) in its firewalls that could enable remote attackers to execute OS commands without authentication.
2. **Patch Release**: Zyxel released firmware version 5.39 on September 3, 2024, to address this vulnerability and six other security defects. The flaw is only reachable on devices whose IPSec VPN is configured in User-Based-PSK authentication mode and that have a user account with a user name longer than 28 characters; devices on affected firmware that do not meet both conditions should still be upgraded.
3. **Ongoing Threats**: There has been a significant increase in attacks targeting Zyxel firewalls running older firmware versions (4.32 to 5.38), with threat actors creating rogue user accounts to access networks via SSL VPN tunnels.
4. **Call for Action**: Zyxel EMEA recommends that all users change the passwords of administrator and user accounts, since credentials may have been captured during the intrusion; many affected devices have not had their admin passwords changed since the attack, so patching alone does not close the door.
5. **Ransomware Activity**: Cybersecurity firm Sekoia reported that the Helldown ransomware group has claimed at least 31 victims and has specifically targeted Zyxel firewalls as part of their attack methods.
6. **Confirmed Exploits**: Evidence suggests that Helldown exploited CVE-2024-42057 to create rogue accounts on vulnerable Zyxel devices, reinforcing the need for immediate firmware updates.
7. **Zyxel Advisory**: Zyxel confirmed awareness of the recent attacks and stated that the vulnerabilities are not present in firmware version 5.39. Users are strongly urged to upgrade to this patched version or, until they can, to temporarily disable remote access on unpatched devices.
8. **General Recommendation**: Organizations should prioritize upgrading their Zyxel devices to the latest firmware to mitigate security risks and should consider disabling remote access if unable to do so immediately.
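The takeaways above amount to a triage procedure: is the firmware in the affected range, are the two preconditions (User-Based-PSK mode, a user name over 28 characters) met, are there accounts nobody recognises, and have passwords been rotated. The script below is an added example that turns that procedure into a repeatable check across an inventory; it is not Zyxel tooling and not code from the original article. The `Device` record, the inventory, the expected-user baseline and the host and account names are constructed for illustration, and a real export of firewall configuration would have to be mapped onto those fields first.

```python
"""Triage helper for CVE-2024-42057 exposure on Zyxel ZLD firewalls.

Added example, not Zyxel tooling. The inventory and account names below are
constructed for illustration; a real configuration export will look different.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Version range given in the advisory summary: ZLD 4.32 through 5.38 are
# affected, 5.39 carries the fix.
AFFECTED_MIN: Tuple[int, int] = (4, 32)
AFFECTED_MAX: Tuple[int, int] = (5, 38)
USERNAME_LIMIT = 28  # only user names longer than this reach the vulnerable path

_VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)")


def parse_zld_version(version: str) -> Tuple[int, int]:
    """Reduce a ZLD version string such as 'V5.38(ABUJ.0)' or '5.39' to (major, minor).

    The build suffix in parentheses is ignored; only the major.minor pair decides
    whether the firmware falls inside the affected range.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised ZLD version string: {version!r}")
    return int(match.group(1)), int(match.group(2))


def firmware_is_affected(version: str) -> bool:
    """True when the firmware is in the 4.32 .. 5.38 range named in the advisory."""
    return AFFECTED_MIN <= parse_zld_version(version) <= AFFECTED_MAX


@dataclass
class Device:
    hostname: str
    firmware: str
    user_based_psk: bool          # IPSec VPN configured in User-Based-PSK mode
    usernames: List[str]          # local user accounts currently on the device
    admin_password_rotated: bool  # credentials changed after the attack window


def triage(device: Device, expected_users: Set[str]) -> Dict[str, object]:
    """Classify one device and list the follow-up actions an operator needs.

    Priority is 'critical' when the firmware is affected AND both preconditions
    (User-Based-PSK, a user name longer than 28 characters) hold, 'high' when
    only the firmware is affected, and 'patched' otherwise. Unknown accounts
    are reported at every priority, because a device patched after the
    intrusion still carries the attacker's rogue user.
    """
    affected = firmware_is_affected(device.firmware)
    long_names = [u for u in device.usernames if len(u) > USERNAME_LIMIT]
    preconditions = device.user_based_psk and bool(long_names)
    rogue = sorted(set(device.usernames) - expected_users)

    if affected and preconditions:
        priority = "critical"
    elif affected:
        priority = "high"
    else:
        priority = "patched"

    actions: List[str] = []
    if affected:
        actions.append("upgrade to ZLD 5.39 (disable remote access until then)")
    if rogue:
        actions.append("remove unexpected accounts: " + ", ".join(rogue))
    if not device.admin_password_rotated:
        actions.append("rotate administrator and user passwords")

    return {
        "hostname": device.hostname,
        "priority": priority,
        "firmware_affected": affected,
        "long_usernames": long_names,
        "rogue_accounts": rogue,
        "actions": actions,
    }


# Constructed inventory for illustration; not real hosts, accounts or findings.
EXPECTED_USERS = {"admin", "vpn-alice", "vpn-bob"}
INVENTORY = [
    Device("fw-branch-1", "V5.38(ABUJ.0)", True,
           ["admin", "vpn-alice", "vpn-bob", "svc-backup-restore-site-2024-01", "tmpusr7"], False),
    Device("fw-branch-2", "V5.37(ABUJ.1)", False, ["admin", "vpn-alice"], True),
    Device("fw-hq", "V5.39(ABUJ.0)", True, ["admin", "vpn-bob", "tmpusr7"], False),
]


def triage_inventory(inventory=INVENTORY, expected_users=EXPECTED_USERS):
    """Run triage over every device and return the findings in inventory order."""
    return [triage(d, expected_users) for d in inventory]


if __name__ == "__main__":
    for result in triage_inventory():
        print(f"{result['hostname']}: {result['priority']}")
        for action in result["actions"]:
            print(f"  - {action}")
```

The baseline of expected users does the real work for the post-compromise case: `fw-hq` in the constructed inventory is already on 5.39 and would pass a version-only check, yet it still carries an account that nobody provisioned and has not had its passwords rotated, which is exactly the situation the Zyxel EMEA notice warns about.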