Helldown ransomware: Intrusion through security vulnerability in Zyxel firewalls
IT researchers have observed that the Helldown ransomware strikes after breaking into networks through security gaps in Zyxel firewalls.
Ransomware has spread in the network.
(Image: created with AI in Bing Designer by heise online / dmk)
Criminals are abusing security vulnerabilities in Zyxel firewalls to gain access to networks. IT security researchers have observed how they then used the Helldown ransomware to exfiltrate data on a large scale.
The IT security company Sekoia writes in an analysis that the Helldown ransomware is still quite new and was first described in August. The masterminds behind it abuse vulnerabilities to infiltrate victims' networks and distribute the ransomware. At the beginning of November, 31 victims were listed on the data leakage site (DLS) of the Helldown group. Among them was Zyxel Europe, reports Sekoia.
Intrusion through Zyxel vulnerabilities
The analysis revealed that at least eight victims provided IPSec VPN access with Zyxel firewalls; two of the victims apparently replaced their Zyxel firewalls with those from other manufacturers after they were compromised. In a September security bulletin, Zyxel warned of a command injection vulnerability in the IPSec VPN of various firewalls (CVE-2024-42057, CVSS 8.1, risk "high"), which firmware version 5.39 is supposed to close. Public exploit code had not been sighted by mid-November, explains Sekoia.
Nevertheless, at the end of September, several users reported compromised firewalls running the vulnerable firmware version 5.38 in the Zyxel forum. Alleged configuration files were uploaded, but they contained base64-encoded MIPS ELF binaries, and new users had been created on the firewalls. Zyxel published an exploit warning on October 9th, providing information on how to detect affected devices and what remediation measures admins can take.
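The forum reports above describe one concrete artifact: a file that looks like a configuration export but carries a base64-encoded MIPS ELF binary. As an added defender-side example (my code, not from the article, Sekoia, or Zyxel), the following Python script scans such a text for long base64 runs, decodes them, and reports any that start with an ELF header, including the ELF class, byte order and whether e_machine is MIPS. The sample "config" and the 52-byte ELF header embedded in it are constructed for the example; the 64-character minimum run length and the assumption that the ELF image sits at the start of its base64 run are my own choices.

```python
import base64
import re
import struct

# ELF header constants from the ELF specification.
ELF_MAGIC = b"\x7fELF"
EM_MIPS = 8          # e_machine value for MIPS
ELFCLASS32 = 1
ELFDATA2LSB = 1      # little-endian
ELFDATA2MSB = 2      # big-endian

# Base64 runs of at least 64 characters; shorter runs are unlikely to hold a binary.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def describe_elf(blob: bytes):
    """Return a dict describing an ELF header, or None if blob does not start with one."""
    if len(blob) < 20 or blob[:4] != ELF_MAGIC:
        return None
    ei_class = blob[4]
    ei_data = blob[5]
    endian = ">" if ei_data == ELFDATA2MSB else "<"
    # e_type at offset 16 and e_machine at offset 18 are both 16-bit fields.
    e_type, e_machine = struct.unpack(endian + "HH", blob[16:20])
    return {
        "class": "ELF32" if ei_class == ELFCLASS32 else "ELF64",
        "endian": "big" if ei_data == ELFDATA2MSB else "little",
        "type": e_type,
        "machine": e_machine,
        "is_mips": e_machine == EM_MIPS,
    }


def find_embedded_elf(text: bytes):
    """Scan text for base64 runs that decode to an ELF image; return one finding per hit."""
    findings = []
    for m in _B64_RUN.finditer(text):
        run = m.group(0)
        # Pad to a multiple of four so a run with stripped '=' still decodes.
        padded = run + b"=" * (-len(run) % 4)
        try:
            decoded = base64.b64decode(padded, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        info = describe_elf(decoded)
        if info:
            info["offset"] = m.start()
            info["b64_len"] = len(run)
            findings.append(info)
    return findings


def build_fake_elf_header(machine: int = EM_MIPS, big_endian: bool = True) -> bytes:
    """Constructed 52-byte ELF32 header for testing only; it is not a real program."""
    endian = ">" if big_endian else "<"
    ident = ELF_MAGIC + bytes([ELFCLASS32, ELFDATA2MSB if big_endian else ELFDATA2LSB, 1])
    ident += b"\x00" * 9
    # e_type=2 (EXEC), e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    rest = struct.pack(endian + "HHIIIIIHHHHHH",
                       2, machine, 1, 0x400000, 52, 0, 0, 52, 32, 1, 40, 0, 0)
    return ident + rest


# Constructed sample that mimics a config export with a hidden binary blob.
SAMPLE_CONFIG = (
    b"# constructed sample: looks like a firewall configuration export\n"
    + b"interface ge1\n"
    + b"  ip address 192.0.2.1 255.255.255.0\n"
    + b"backup-blob " + base64.b64encode(build_fake_elf_header()) + b"\n"
    + b"user operator\n"
)

if __name__ == "__main__":
    for hit in find_embedded_elf(SAMPLE_CONFIG):
        print(f"offset {hit['offset']}: {hit['class']} {hit['endian']}-endian "
              f"e_machine={hit['machine']} mips={hit['is_mips']}")
```

Run it against a suspicious upload with `find_embedded_elf(open(path, "rb").read())`; a hit on a file that should contain only configuration text is worth treating as an indicator of compromise in its own right, regardless of architecture.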
All the evidence collected by Sekoia indicates that Zyxel firewalls are being targeted by Helldown, the authors write. The ransomware not only runs on Windows, but can also infect Linux systems. It can also attack ESX servers. The analysis by Sekoia goes into even more detail about the Helldown ransomware and also lists indicators of compromise (IOCs).
IT managers with Zyxel firewalls should quickly install the firmware updates provided and implement the instructions linked in the Zyxel exploit warning for a recommended, secure firewall configuration.
(dmk)