Ransomgroup Helldown: Attacks on Zyxel Devices

defence

SEC Consult has observed a rise of attacks on Zyxel firewalls over the past two months affecting Zyxel ATP firewall (version 5.38 and above - i.e. we have seen successful attacks also on fully patched Zyxel ATP version 5.39 firewalls). Our SEC Defence incident response experts have responded to multiple such attacks in the past where the attackers have then further compromised the VEEAM backups of the victim, resulting in ransomware being deployed and company data being exfiltrated. Ransomnotes and analysis pointed to the ransomware group Helldown. We write this blogpost to highlight the need to remain vigilant and monitor activity on the Zyxel Firewalls, especially since there seems to be no official patch from the vendor as of the time of this blog post.

Source: Helldown leak page on Tor.
Source: Helldown leak page on Tor.

Update 2024-11-22:

  • Zyxel published a statement regarding the attacks. They urge to update to the newest firmware (v5.39) and rotate administrator passwords.
  • BSI reacted to the attacks. 

1. Threat Actor

Helldown appears to be a new ransomware group active since August 2024, Truesec has performed a detailed analysis of the threat actor's emergence in a recent blog post.
Like other ransomware grops Helldown uses double-extortion in which victims not only get encrypted but also blackmailed and threatened data to be leaked. (Watchguard) Since the threat actor only appeared recently, there is not much more information, yet.

Helldown published data about Zyxel on 2024-08-21, which suggests that they compromised Zyxel in September/October 2024 (see attached screenshot of the TAs leaked-page).

2. Additional Information


Other institutions and security researches have observed similar attacks. (CERT.at, Borncity) Some also suggest that the threat actors exploit a yet "undocumented Zyxel flaw" (Darkreading), which fits our observation that the exploited systems were on the newest patch level (v5.39). The Zyxel vulnerability exploited by Helldown, as documented by Truesec, appears to match the one reported by a user on the Zyxel forum. It does not seem to align with any CVE currently listed by Zyxel.

Additionally, Sekoia, who appears to have access to part of the attack files, have observed new accounts being created in the firewall (e.g. “SUPPOR87,” “SUPPOR817,” or “VPN”). SEC Consult did not witness such behaviour of the attacker, however, some of the systems we encountered were on the newest patch level (v5.39).

3. Defences

SEC Defence recommends, that companies running Zyxel firewall devices should:

  1. Ensure they are running the lastest version of the firmware (currently, this is v5.39 for the ATP device),
  2. proactively rotate their passwords, since there are indicators (Zyxel support) that there are vulnerabilities exposing passwords,
  3. monitor their firewalls (and firewall logs) for newly created users not matching the standard naming-convention of the organization,
  4. and to stay up to date with the recommendations and publications of Zyxel or the National CERTs.
     

To prepare for attacks, companies should:

  1. Collect their firewall logs, such as syslog, idealy on a centralized logging platform.
  2. If possible, secure the ingress point with a second firewall of a different vendor (intrusion-tolerant approaches).

 

This blogpost has been written by Dr. Michael Denzel und Tobias Weisskopf and published on behalf of SEC Defence