Security News

Threat actors are actively scanning the Internet for open SSH devices and trying to login to them using a new recently patched Zyxel hardcoded credential backdoor. Last month, Niels Teusink of Dutch cybersecurity firm EYE disclosed a secret hardcoded backdoor account in Zyxel firewalls and AP controllers.

Zyxel has released a patch to address a critical vulnerability in its firmware concerning a hardcoded, undocumented secret account that could be abused by an attacker to login with administrative privileges and compromise its networking devices. The flaw, tracked as CVE-2020-29583, affects version 4.60 present in a wide-range of Zyxel devices, including Unified Security Gateway, USG FLEX, ATP, and VPN firewall products.

Over 100,000 Zyxel devices are potentially vulnerable to a secret backdoor caused by hardcoded credentials used to update firewall and AP controllers' firmware. Niels Teusink of Dutch cybersecurity firm EYE discovered a secret hardcoded administrative account in the latest 4.60 patch 0 firmware for some Zyxel devices.

Over 100,000 Zyxel devices are potentially vulnerable to a secret backdoor caused by hardcoded credentials used to update firewall and AP controllers' firmware. Niels Teusink of Dutch cybersecurity firm EYE discovered a secret hardcoded administrative account in the latest 4.60 patch 0 firmware for some Zyxel devices.

While analyzing artifacts from the SolarWinds Orion supply-chain attack, security researchers discovered another backdoor that is likely from a second threat actor. The analysis shows that the threat actor added in the legitimate SolarWinds file four new parameters to receive signals from the command and control infrastructure.

Researchers at Sophos noticed recently that the operators of multiple ransomware families have been using a backdoor named SystemBC, which provides attackers a connection to compromised devices and which uses the Tor anonymity network to hide command and control communications. Designed with support for the execution of commands and to allow adversaries to download and execute scripts, executables, and DLLs, the backdoor is continuously evolving, with recent samples having switched from creating a SOCKS5 proxy to using the Tor network for communication purposes.

America's nuclear weapons agency was hacked by the suspected Russian spies who backdoored SolarWinds' IT monitoring software and compromised several US government bodies, and Microsoft was caught up in the same cyber-storm, too, it was reported Thursday. The Windows giant uses SolarWinds' network management suite Orion, downloads of which were secretly trojanized earlier this year so that when installed within certain targets - such as the US government departments of State, Treasury, Homeland Security, and Commerce - the malicious code's masterminds could slip into their victims' networks, execute commands, read emails, steal data, and so on.

The US Cybersecurity and Infrastructure Security Agency said that the APT group behind the recent compromise campaign targeting US government agencies used more than one initial access vector. "CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated. CISA will update this Alert as new information becomes available," the agency said.

A new report published by ReversingLabs today and shared in advance with The Hacker News has revealed that the operators behind the espionage campaign likely managed to compromise the software build and code signing infrastructure of SolarWinds Orion platform as early as October 2019 to deliver the malicious backdoor through its software release process. "The source code of the affected library was directly modified to include malicious backdoor code, which was compiled, signed, and delivered through the existing software patch release management system," ReversingLabs' Tomislav Pericin said.

Commodity malware backdoor SystemBC has evolved to now automate a number of key activities, as well as use the anonymizing Tor platform. Initially, ransomware groups that leverage SystemBC have been observed first infecting systems using spam or phishing emails.