Security News > 2021 > January > Hackers start exploiting the new backdoor in Zyxel devices
Threat actors are actively scanning the Internet for open SSH devices and trying to login to them using a new recently patched Zyxel hardcoded credential backdoor.
Last month, Niels Teusink of Dutch cybersecurity firm EYE disclosed a secret hardcoded backdoor account in Zyxel firewalls and AP controllers.
In an advisory, Zyxel states that they used the secret account to deliver firmware updates via FTP automatically.
Yesterday, cybersecurity intelligence firm GreyNoise detected three different IP addresses actively scanning for SSH devices and attempting to login to them using the Zyxel backdoor credentials.
GreyNoise CEO Andrew Morris told BleepingComputer that the threat actor does not appear to be scanning specifically for Zyxel devices but is instead scanning the Internet for IP addresses running SSH. When SSH is detected, it will attempt to brute force an account on the device, with one of the credentials tested being the new Zyxel 'zyfwp' backdoor account.
Zyxel released the 'ZLD V4.60 Patch 1' last month that removes the backdoor accounts on firewall devices.
News URL
Related news
- Hackers Deploy Python Backdoor in Palo Alto Zero-Day Attack (source)
- Hackers Target Middle East Governments with Evasive "CR4T" Backdoor (source)
- Iranian hackers pose as journalists to push backdoor malware (source)
- Kimsuky hackers deploy new Linux backdoor via trojanized installers (source)
- Kimsuky hackers deploy new Linux backdoor in attacks on South Korea (source)