Zyxel, a major producer of network devices, is once again in hot water for committing one of the cardinal sins of hardware and software development: it has again shipped a hardcoded-credential backdoor, this time in its major lines of network and firewall devices. Threat actors are now busy scanning networks for companies that use Zyxel devices affected by this backdoor (CVE-2020-29583). The backdoor was discovered by Dutch security firm Eye Control after its researchers extracted the binaries from a recent firmware update; the plaintext account name and password quickly stood out.
Zyxel has made this mistake before, creating hardcoded backdoors on its consumer devices in what became known as the 2016 backdoor incident (CVE-2016-10401), justified at the time as a way to apply patches and updates automatically. This latest issue, which affects over 100,000 enterprise-grade firewalls, VPN gateways and access point controllers, allows anyone who can reach these devices over SSH to gain administrative privileges. This time the backdoor account already has root privilege, unlike the previous incident, where attackers first had to gain low-level access and then elevate it.
Threat actors are apparently playing a cat-and-mouse game with threat intelligence vendors so as not to appear to be taking advantage of the Zyxel backdoor. According to Andrew Morris, CEO of cybersecurity intelligence firm GreyNoise, cybercriminals are instead performing Cobalt Strike sweeps to detect IP addresses running SSH, and the hosts found that way are then subjected to a Zyxel backdoor check. It would be unsurprising, however, for them to scan for the backdoor directly now that the issue has been made public.
Zyxel has since issued an advisory telling users to update to the latest patches for all affected devices, except for the AP Controllers, which will not receive patches until April 2021; that delay may force some users to seek alternatives. This issue is more damaging than the one in 2016 because it affects corporate users holding far more sensitive data, versus the home users hit in 2016.