Zyxel VPN security flaw targeted by new ransomware attackers

Once inside a target network, the attackers exfiltrate as many files as possible and then lock the systems by encrypting them

A fresh threat in the ransomware scene has surfaced, taking advantage of vulnerabilities in Zyxel firewalls and IPSec access points to invade victims, steal their data, and encrypt their systems.

This group, identified as Helldown, has been active since the summer of 2023, as reported by cybersecurity experts from Sekoia. They speculate that Helldown probably utilises an unknown vulnerability in Zyxel firewalls for initial access.

The group has been observed exploiting CVE-2024-42057, a command injection vulnerability in the IPSec VPN feature. Under certain conditions, this flaw allows unauthenticated users to execute operating system commands.

Once inside a target network, the attackers exfiltrate as many files as possible and then lock the systems by encrypting them. The encryptor appears to be derived from the leaked LockBit 3 builder. Researchers assess that it is relatively unsophisticated and may still be under active development.

Even though it is quite elementary, the encryptor has compromised at least 31 organisations, as shown by the 31 victims listed on the group’s data leak site. According to BleepingComputer, this figure has since dropped to 28 for the period from November 7 to the present, possibly implying that certain organisations agreed to pay the ransom demand.

However, it is not known which organisations were affected, or how much the attackers demanded in exchange for the decryption key and for keeping the stolen data private.

A significant number of the affected entities appear to be mid-sized businesses primarily based in the United States and Europe.

If the researchers’ assertions are correct, and Helldown relies on flaws in Zyxel devices and IPSec instances to penetrate networks, the optimal defence approach would be to ensure these devices are always updated and access is restricted to trusted accounts only.

The CVE-2024-42057 vulnerability, which impacts IPSec, was remedied on September 3, with the earliest secure firmware version being 5.39. As for the suspected Zyxel firewall vulnerability, which has yet to be disclosed, it would be sensible to monitor upcoming advisories and apply the patch as soon as it is released.
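A defender following the advice above would start by checking which firewalls still run firmware older than 5.39. The script below is an added example, not code from the article or from Zyxel; the device inventory is constructed, and the "V5.38(ABUI.0)" version-string pattern is an assumption about how the firmware reports itself.

```python
import re

# Earliest firmware the article reports as fixed for CVE-2024-42057.
FIXED_VERSION = (5, 39)

# Constructed inventory for illustration; these are not real devices.
INVENTORY = [
    {"host": "fw-branch-01", "firmware": "V5.38(ABUI.0)"},
    {"host": "fw-hq-01", "firmware": "V5.39(ABUI.0)"},
    {"host": "fw-lab-02", "firmware": "5.37"},
    {"host": "fw-dc-03", "firmware": "unknown"},
]

# Accepts an optional leading "V" and ignores any build suffix in parentheses (assumed format).
_VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)")


def parse_version(firmware):
    """Return (major, minor) as integers, or None if the string cannot be parsed.
    Comparing integer tuples avoids the lexical-compare trap where "5.4" > "5.39"."""
    match = _VERSION_RE.match(firmware.strip())
    if not match:
        return None
    return int(match.group(1)), int(match.group(2))


def is_patched(firmware, fixed=FIXED_VERSION):
    """True if the firmware is at or above the fixed version, False if below,
    None if the version string is unparseable and needs a manual look."""
    version = parse_version(firmware)
    if version is None:
        return None
    return version >= fixed


def triage(inventory, fixed=FIXED_VERSION):
    """Bucket hosts into needs_patch / patched / review so nothing silently drops out."""
    result = {"needs_patch": [], "patched": [], "review": []}
    for device in inventory:
        state = is_patched(device["firmware"], fixed)
        bucket = "review" if state is None else ("patched" if state else "needs_patch")
        result[bucket].append(device["host"])
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts landing in the review bucket should be checked by hand rather than assumed safe.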
