Emerging Threat: Helldown Ransomware Exploiting Zyxel Firewall Vulnerabilities
A new ransomware variant, dubbed “Helldown,” has surfaced and is actively targeting corporate networks by exploiting vulnerabilities in Zyxel firewall devices. Cybersecurity researchers have documented the group’s tactics and the specific vulnerability it leverages to breach corporate systems.
The Helldown Attack Vector
The Helldown ransomware group has been specifically targeting Zyxel firewalls, particularly those using IPSec VPN for remote access. Their primary focus has been on a high-severity vulnerability, CVE-2024-11667, which affects the web management interface of Zyxel ZLD firewall firmware versions 5.00 through 5.38. This directory traversal flaw has a CVSS score of 7.5 and enables attackers to download or upload files through specially crafted URLs, potentially granting unauthorized system access.
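To make the class of flaw concrete, here is an added illustration (written for this page, not Zyxel’s code and not a reproduction of CVE-2024-11667) of how a file-serving handler becomes a directory traversal when it appends a decoded URL path to its web root, beside a hardened version that canonicalises the path and rejects anything outside the root. The web root and the request paths are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical web root for the illustration; this stands in for the directory
# a management interface serves files from and is not a real Zyxel path.
WEB_ROOT = "/var/www/webui"


def resolve_naive(url_path: str) -> str:
    """Vulnerable pattern: decode the URL path and append it to the web root.

    Nothing stops '..' segments from walking out of WEB_ROOT, which is the
    general shape of a directory traversal flaw in a web file handler.
    """
    decoded = unquote(url_path)
    return posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))


def resolve_safe(url_path: str):
    """Hardened pattern: canonicalise, then require the result to stay under WEB_ROOT.

    Returns the resolved path, or None when the request escapes the web root.
    The containment check on the final path is the actual control; decoding is
    done once, exactly as the router would, so the check sees the real path.
    """
    decoded = unquote(url_path)
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    if posixpath.commonpath([WEB_ROOT, candidate]) != WEB_ROOT:
        return None
    return candidate


# Constructed requests: a benign one, a plain traversal and a URL-encoded traversal.
SAMPLE_REQUESTS = [
    "/images/logo.png",
    "/../../../etc/passwd",
    "/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req!r}: naive -> {resolve_naive(req)}, safe -> {resolve_safe(req)}")
```

On a live filesystem, resolve the candidate with `os.path.realpath` before the containment check so that symlinks inside the web root cannot point outside it; `posixpath` is used here only so the example runs offline and identically on any platform.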
Yarix analysts also uncovered evidence of the attackers utilizing Mullvad VPN, NordVPN, and ExpressVPN to anonymize their operations.
Helldown’s Sophisticated Methods
Helldown operators have demonstrated advanced techniques, employing both Windows and Linux versions of their ransomware:
Windows Variant: Based on LockBit 3.0 code, the Windows version utilizes methods such as deleting shadow copies and terminating critical processes to maximize damage before encryption.
Linux Variant: While less advanced, the Linux version focuses on VMware ESXi servers. It shuts down virtual machines before initiating encryption, showing a calculated approach to disrupting operations.
The Attack Chain
The typical Helldown attack chain unfolds as follows:
Initial Access: Exploitation of Zyxel firewall vulnerabilities, particularly CVE-2024-11667.
Persistence: Creation of malicious user accounts and modification of firewall policies (Yarix documented evidence of malicious firewall policies added by the threat actor).
Credential Theft: Use of tools like Mimikatz to dump credentials.
Lateral Movement: Utilizing RDP and other remote access tools for spreading within the network.
Double Extortion: Exfiltration of sensitive data followed by file encryption. Victims are threatened with public data leaks if ransoms are not paid.
Since August 2024, Helldown has claimed at least 31 victims, primarily targeting small to medium-sized businesses across the United States and Europe.
Notable Characteristics
Encryption Configurations: The ransomware employs XML-based configurations to streamline encryption tasks.
Offline Linux Variant: The Linux version operates offline, avoiding network communication to evade detection.
Virtual Machine Termination: Both variants can shut down virtual machine processes before encryption, bypassing certain security measures and sandbox environments.
Vendor Response and Mitigation
Zyxel has acknowledged the issue and released firmware version 5.39 on September 3, 2024, addressing CVE-2024-11667 and other vulnerabilities. However, some organizations have reported breaches even after applying the patches, likely due to:
Failing to update administrative passwords
Overlooking newly created malicious accounts
Recommended Mitigation Measures
Organizations using Zyxel firewalls should take the following steps immediately:
Update Firmware: Ensure devices are running firmware version 5.39 or later.
Change Administrative Passwords: Regularly update and secure all administrative credentials.
Disable Remote Management: If not required, disable remote management to minimize attack surface.
Enhance Network Segmentation: Implement robust network segmentation to limit lateral movement.
Monitor for Suspicious Activity: Actively monitor for unusual account creation, policy changes, and lateral movement.
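The firmware check and the monitoring step above can be turned into a small script. The following is an added example written for this page, not a Zyxel tool: it flags a firmware version in the affected 5.00–5.38 range, and it runs a few detection rules over firewall audit events that match the attack chain described (a new admin account, a permissive inbound policy, admin logins from outside the management network, and a login with an account created shortly before). The log lines are constructed in a generic key=value format and are not Zyxel’s real syslog schema; the version-string pattern, the management subnet and the 24-hour window are assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# --- Firmware version check -------------------------------------------------

FIXED_VERSION = (5, 39)  # ZLD 5.39 is the release the page names as the fix
VERSION_RE = re.compile(r"V?(\d+)\.(\d+)")  # assumed shape, e.g. "V5.38(ABUI.0)"


def firmware_is_vulnerable(version_string: str) -> bool:
    """True for ZLD 5.00 through 5.38, the affected range stated on the page."""
    m = VERSION_RE.search(version_string)
    if not m:
        raise ValueError(f"unrecognised firmware version: {version_string!r}")
    ver = (int(m.group(1)), int(m.group(2)))
    return (5, 0) <= ver < FIXED_VERSION


# --- Audit-log detection ----------------------------------------------------

# Constructed sample events (generic format, documentation-range addresses).
SAMPLE_LOG = """\
2024-09-10T02:14:07Z fw01 admin_login user=admin src=203.0.113.77 result=ok
2024-09-10T02:15:31Z fw01 user_add name=support_svc role=admin by=admin
2024-09-10T02:16:02Z fw01 policy_add id=47 from=WAN to=LAN action=allow service=any by=admin
2024-09-10T02:16:40Z fw01 admin_login user=support_svc src=203.0.113.77 result=ok
2024-09-10T08:00:00Z fw01 policy_modify id=12 action=deny by=admin
2024-09-10T09:00:00Z fw01 admin_login user=admin src=10.0.0.5 result=ok
"""

MGMT_NETS = [ipaddress.ip_network("10.0.0.0/24")]  # assumed trusted admin network
NEW_ACCOUNT_WINDOW = timedelta(hours=24)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+)(?P<rest>.*)$")


def parse_line(line: str):
    """Parse '<ts> <host> <event> k=v k=v ...' into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "host": m.group("host"),
        "event": m.group("event"),
        **fields,
    }


def detect(log_text: str):
    """Return (rule, subject, raw_line) tuples for events matching the rules."""
    alerts = []
    created = {}  # account name -> creation time, for the new-account correlation
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["event"] == "user_add":
            created[ev["name"]] = ev["ts"]
            if ev.get("role") == "admin":
                alerts.append(("new_admin_account", ev["name"], raw))
        elif ev["event"] == "policy_add":
            if (ev.get("from") == "WAN" and ev.get("action") == "allow"
                    and ev.get("service") == "any"):
                alerts.append(("permissive_inbound_policy", ev["id"], raw))
        elif ev["event"] == "admin_login" and ev.get("result") == "ok":
            src = ipaddress.ip_address(ev["src"])
            if not any(src in net for net in MGMT_NETS):
                alerts.append(("admin_login_outside_mgmt_net", ev["user"], raw))
            born = created.get(ev["user"])
            if born is not None and ev["ts"] - born <= NEW_ACCOUNT_WINDOW:
                alerts.append(("login_with_newly_created_account", ev["user"], raw))
    return alerts


if __name__ == "__main__":
    for ver in ("V5.38(ABUI.0)", "V5.39(ABUI.0)"):
        print(ver, "vulnerable" if firmware_is_vulnerable(ver) else "patched")
    for rule, subject, raw in detect(SAMPLE_LOG):
        print(f"[{rule}] {subject}: {raw}")
```

The two rules worth keeping after a patch are the account-creation and new-account-login ones: a device updated to 5.39 still carries any account or policy the attacker added beforehand, which is exactly the post-patch breach scenario the page describes. Map the event names and field keys to your own firewall’s syslog format before use.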