According to the Dutch cybersecurity firm Eye Control, more than 100,000 Zyxel networking devices ship with a hardcoded backdoor account. The affected models include the ATP, USG, NXC and VPN series; the account lets anyone who can reach the device's management interface log in with admin privileges. Patches for most of the affected series are available.
Backdoor Vulnerability in Zyxel Devices
Zyxel is a networking equipment manufacturer whose firmware was found to contain a hardcoded backdoor account across several of its product lines: the Advanced Threat Protection (ATP) series, the Unified Security Gateway (USG) series and the USG FLEX series.
The VPN series and the NXC series are affected as well. The account gives an attacker administrative privileges on the compromised device, either through the web admin panel or over the SSH interface. It was found by researchers at Eye Control, who warned that it is likely to be abused in attacks.
A backdoor of this kind is attractive to DDoS botnet operators, ransomware groups and nation-state attackers alike: it gives them a foothold on the device from which they can pivot into the internal network. The risk is amplified because these products are mostly deployed by enterprises at the edge of their networks, where a compromised device can let an attacker straight in.
This mirrors earlier waves of attacks on edge devices from Fortinet, Citrix and Cisco, whose customers included both private companies and government agencies. Zyxel has released patches for the ATP, USG, USG FLEX and VPN series that remove the backdoor account; patches for the NXC series are expected in April this year.
The researchers also found the credentials for this admin backdoor stored in plaintext in the system binaries: username zyfwp, password PrOw!aN_fXp. The account was used for delivering firmware updates to other Zyxel devices on the network via FTP. Because the credentials are baked into the firmware rather than stored in a configuration an administrator can change, the only remedy is to install the patched firmware that removes the account.
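The point that the credentials sit in plaintext inside the binaries is also what makes them easy to check for. The following script is an added example, not tooling from Eye Control or Zyxel: it extracts printable strings from a firmware blob the way the `strings` tool does, flags the reported username and password, and treats a username stored within a few dozen bytes of its password as a stored credential pair. The `SAMPLE_FIRMWARE` bytes are a constructed stand-in for an image, not real Zyxel firmware, and the window size of 64 bytes is an assumption.

```python
"""Scan a firmware image for plaintext backdoor credentials (added example)."""
import re
from dataclasses import dataclass

# Credential pair reported by Eye Control, as quoted in the article above.
KNOWN_BACKDOOR_ACCOUNTS = {"zyfwp": "PrOw!aN_fXp"}

# Constructed stand-in for a firmware image: a fake ELF header, a few bytes
# of "code" and some embedded NUL-terminated strings. Not a real Zyxel binary.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"/usr/sbin/sshd\x00"
    + b"\x90\x90\xcc\xcc"
    + b"zyfwp\x00PrOw!aN_fXp\x00"
    + b"\x55\x48\x89\xe5"
    + b"admin\x00"
    + b"ftp_push_fw\x00"
)


@dataclass(frozen=True)
class Hit:
    offset: int
    value: str
    reason: str


def extract_strings(blob: bytes, min_len: int = 4):
    """Return (offset, text) for every run of printable ASCII of at least
    min_len bytes, roughly what the `strings` tool prints."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii"))
            for m in re.finditer(pattern, blob)]


def scan_for_backdoor_credentials(blob: bytes,
                                  known=KNOWN_BACKDOOR_ACCOUNTS,
                                  window: int = 64):
    """Flag known backdoor usernames and passwords. A username hit is
    upgraded to 'credential pair stored adjacently' when its password is
    found within `window` bytes (assumed threshold) of the username."""
    strings = extract_strings(blob)
    hits = []
    for off, text in strings:
        if text in known:
            password = known[text]
            paired = any(abs(off2 - off) <= window and text2 == password
                         for off2, text2 in strings)
            reason = ("credential pair stored adjacently" if paired
                      else "known backdoor username")
            hits.append(Hit(off, text, reason))
        elif text in known.values():
            hits.append(Hit(off, text, "known backdoor password"))
    return hits


def is_affected(blob: bytes) -> bool:
    """True when a known backdoor username and its password are stored together."""
    return any(h.reason == "credential pair stored adjacently"
               for h in scan_for_backdoor_credentials(blob))


if __name__ == "__main__":
    for hit in scan_for_backdoor_credentials(SAMPLE_FIRMWARE):
        print(f"0x{hit.offset:08x}  {hit.value!r:16}  {hit.reason}")
    print("affected:", is_affected(SAMPLE_FIRMWARE))
```

Run it against an image you have pulled from a device (for example `scan_for_backdoor_credentials(open("fw.bin", "rb").read())`). A clean result after updating is what you should expect, since the patch removes the account; a hit on the patched image means the update did not apply. Note that this only inspects the image on disk: it does not tell you whether the account is currently reachable over SSH or the web panel, which is what matters for exposure.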