Hackers start exploiting the new backdoor in Zyxel devices (Security News, January 2021)
Threat actors are actively scanning the Internet for devices with SSH exposed and trying to log in to them using the recently patched hardcoded-credential backdoor in Zyxel devices.
Last month, Niels Teusink of Dutch cybersecurity firm EYE disclosed a secret hardcoded backdoor account in Zyxel firewalls and AP controllers.
In an advisory, Zyxel states that the secret account was used to deliver firmware updates automatically via FTP.
Yesterday, cybersecurity intelligence firm GreyNoise detected three different IP addresses actively scanning for SSH devices and attempting to log in to them using the Zyxel backdoor credentials.
GreyNoise CEO Andrew Morris told BleepingComputer that the threat actor does not appear to be scanning specifically for Zyxel devices but is instead scanning the Internet for any IP address running SSH. When SSH is detected, the scanner attempts to brute force an account on the device, and one of the credentials tested is the new Zyxel 'zyfwp' backdoor account.
Zyxel released the 'ZLD V4.60 Patch 1' last month that removes the backdoor accounts on firewall devices.
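Because the scanning described above hits every SSH listener on the Internet, not only Zyxel devices, any SSH host's authentication log will show the probes. The following is an added example (not code from the article, Zyxel or GreyNoise) that parses OpenSSH-style sshd syslog lines, which it assumes as the log format, and groups attempts against the 'zyfwp' account by source IP, flagging any source that actually got an accepted login. The log lines are constructed samples.

```python
import re
from collections import defaultdict

# The hardcoded account name disclosed for Zyxel devices (from the article).
BACKDOOR_USER = "zyfwp"

# Assumed OpenSSH syslog format for password-authentication outcomes.
SSH_AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

def parse_ssh_auth(line):
    """Return (result, user, ip) for an sshd password-auth line, else None."""
    m = SSH_AUTH_RE.search(line)
    if not m:
        return None
    return m.group("result"), m.group("user"), m.group("ip")

def find_backdoor_attempts(lines, user=BACKDOOR_USER):
    """Group login attempts for the backdoor account by source IP.

    Returns {ip: {"failed": n, "accepted": n}}. Any "accepted" > 0 means the
    device still carries the backdoor account and was accessed through it.
    """
    hits = defaultdict(lambda: {"failed": 0, "accepted": 0})
    for line in lines:
        parsed = parse_ssh_auth(line)
        if parsed is None:
            continue
        result, username, ip = parsed
        if username != user:
            continue
        hits[ip]["accepted" if result == "Accepted" else "failed"] += 1
    return dict(hits)

# Constructed sample log lines (hypothetical host "edge", documentation IPs).
SAMPLE_LOG = """\
Jan  4 09:12:01 edge sshd[2201]: Failed password for root from 203.0.113.5 port 40122 ssh2
Jan  4 09:12:07 edge sshd[2205]: Failed password for invalid user zyfwp from 203.0.113.5 port 40130 ssh2
Jan  4 09:12:09 edge sshd[2205]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Jan  4 09:15:44 edge sshd[2290]: Accepted password for zyfwp from 198.51.100.77 port 51000 ssh2
Jan  4 09:16:02 edge sshd[2301]: Failed password for invalid user zyfwp from 198.51.100.77 port 51004 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, counts in find_backdoor_attempts(SAMPLE_LOG).items():
        flag = "ACCEPTED LOGIN - investigate" if counts["accepted"] else "probe only"
        print(f"{ip}: {counts} [{flag}]")
```

On a patched device the account no longer exists, so every attempt should appear as a failure for an invalid user; an accepted login for this account is the signal to act on.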