It was the day (or two days actually) before Christmas when Niels Teusing published a blog post about a back door in various Zyxel products . Niels originally found the vulnerability in Zyxel's USG40 security gateway, but it of course affects all Zyxel devices using the same firmware. According to Zyxel, the password was used "to deliver automatic firmware updates to connected access points through FTP" . So in addition to using a fixed password, it appears the password was also sent in the clear over FTP.
Zyxel products are typically used by small businesses as firewalls and VPN gateways. ("Unified Security Gateway"). There is little in terms of defense in depth that could be applied to protect the device, and in ssh and the VPN endpoint via HTTPS are often exposed. The default credentials found by Niels are not just limited to ftp. They can be used to access the device as an administrator via ssh.
So yet again, we do have a severe "stupid" vulnerability in a device that is supposed to secure what is left of our perimeter.
Likely due to the holidays, and maybe because Niels did not initially publish the actual password, widespread exploitation via ssh has not started until now. But we are no seeing attempts to access our ssh honeypots via these default credentials.
The scans started on Monday afternoon (I guess they first had to adapt their scripts in the morning) initially mostly from 126.96.36.199. On Tuesday, 188.8.131.52 joined in on the fun and finally today, we have 184.108.40.206. The last IP has been involved in scanning before.
What can/should you do?
And as a side note for Fortinet users. See what the new year just got you:
Defending Web Applications Security Essentials - SANS Cyber Security West: March 2021
Jan 6th 2021
Jan 6th 2021
1 week ago