
Hackers start exploiting the new backdoor in Zyxel devices
2021-01-06 03:00

Threat actors are actively scanning the Internet for devices with open SSH and trying to log in to them using a recently patched hardcoded-credential backdoor in Zyxel devices.

Last month, Niels Teusink of Dutch cybersecurity firm EYE disclosed a secret hardcoded backdoor account in Zyxel firewalls and AP controllers.

In an advisory, Zyxel states that the secret account was used to deliver firmware updates automatically via FTP.

Yesterday, cybersecurity intelligence firm GreyNoise detected three different IP addresses actively scanning for SSH devices and attempting to log in to them using the Zyxel backdoor credentials.

GreyNoise CEO Andrew Morris told BleepingComputer that the threat actor does not appear to be scanning specifically for Zyxel devices, but is instead scanning the Internet for IP addresses running SSH. When SSH is detected, it attempts to brute-force accounts on the device, and one of the credentials tested is the new Zyxel 'zyfwp' backdoor account.
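The scanning behaviour described above leaves a recognisable trace in sshd authentication logs: failed logins for the 'zyfwp' account arriving from addresses that are also trying other usernames. The script below is an added example (not part of the news item and not GreyNoise or Zyxel code) that parses OpenSSH auth-log lines and reports which source addresses tried the backdoor account, how many failed logins each address produced, and, most importantly, whether the backdoor account ever logged in successfully. The log lines are constructed for the example and use RFC 5737 documentation addresses; the only username in the watch list is 'zyfwp', the account named in the article.

```python
import re
from collections import Counter

# Constructed sample sshd log lines for this example (not from the article).
# Source addresses are RFC 5737 documentation ranges, not real scanners.
SAMPLE_AUTH_LOG = """\
Jan  5 03:14:07 fw01 sshd[2211]: Invalid user zyfwp from 203.0.113.5 port 51234
Jan  5 03:14:09 fw01 sshd[2211]: Failed password for invalid user zyfwp from 203.0.113.5 port 51234 ssh2
Jan  5 03:14:11 fw01 sshd[2213]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Jan  5 03:15:02 fw01 sshd[2220]: Accepted publickey for ops from 198.51.100.12 port 40022 ssh2
Jan  5 03:16:40 fw01 sshd[2231]: Invalid user zyfwp from 198.51.100.77 port 60001
Jan  5 03:16:41 fw01 sshd[2231]: Failed password for invalid user zyfwp from 198.51.100.77 port 60001 ssh2
Jan  5 03:17:00 fw01 sshd[2240]: Failed password for root from 192.0.2.9 port 2222 ssh2
"""

# Accounts whose mere appearance in an auth log is worth an alert.
# 'zyfwp' is the backdoor account named in the article.
BACKDOOR_ACCOUNTS = {"zyfwp"}

# Matches the three OpenSSH auth events we care about: an unknown username,
# a failed password, and an accepted login (any method).
LOG_RE = re.compile(
    r"sshd\[\d+\]: "
    r"(?P<event>Invalid user|Failed password for(?: invalid user)?|Accepted \S+ for) "
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth_log(text):
    """Return a list of (kind, user, ip) tuples for each recognised sshd line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # unrelated sshd/syslog line
        raw = m.group("event")
        if raw.startswith("Failed"):
            kind = "failed"
        elif raw.startswith("Accepted"):
            kind = "accepted"
        else:
            kind = "invalid_user"
        events.append((kind, m.group("user"), m.group("ip")))
    return events


def backdoor_sources(events):
    """Source IPs that tried a backdoor account, regardless of outcome."""
    return sorted({ip for _, user, ip in events if user in BACKDOOR_ACCOUNTS})


def failed_logins_by_ip(events):
    """Failed-password count per source IP; high counts indicate brute forcing."""
    return Counter(ip for kind, _, ip in events if kind == "failed")


def successful_backdoor_logins(events):
    """The alert that matters most: a backdoor account actually getting in."""
    return [(user, ip) for kind, user, ip in events
            if kind == "accepted" and user in BACKDOOR_ACCOUNTS]


def report(text):
    """Summarise one auth log: who probed the backdoor, who brute-forced, who got in."""
    events = parse_auth_log(text)
    return {
        "backdoor_sources": backdoor_sources(events),
        "failed_by_ip": dict(failed_logins_by_ip(events)),
        "backdoor_successes": successful_backdoor_logins(events),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_AUTH_LOG).items():
        print(f"{key}: {value}")
```

On the sample above the report lists two addresses probing 'zyfwp', shows that 203.0.113.5 also tried 'admin' (the broad brute-force pattern GreyNoise describes), and finds no successful backdoor login. A non-empty `backdoor_successes` list on an unpatched firewall is the case that warrants immediate incident response; the per-IP failure counts are the input a defender would feed to a blocklist or fail2ban-style rule.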

Zyxel released 'ZLD V4.60 Patch 1' last month, which removes the backdoor accounts on firewall devices.

News URL

https://www.bleepingcomputer.com/news/security/hackers-start-exploiting-the-new-backdoor-in-zyxel-devices/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Zyxel 382 0 82 95 51 228