CVE-2020-29583: Secret Backdoor Vulnerability in Zyxel Products

Threat actors exploit a recently discovered Zyxel secret backdoor in the wild. It’s high time to patch since adversaries are instantly searching for vulnerable installations to gain momentum before updates are installed.

CVE-2020-29583 Overview

The bug occurs since a number of Zyxel products incorporate an undocumented root account leveraging hardcoded login details accessible in the cleartext via firmware binaries. Initially, the backdoor account with username ‘zyfwp’ and a password ‘PrOw!aN_fXp’ was applied to push updates to Zyxel’s firewall and WLAN controllers. However, cyber–criminals might leverage it to obtain admin rights on any Zyxel installation. From there, threat actors are able to penetrate the internal environment or combine backdoor with such flaws as Zerologon to pivot to the targeted assets.

The researcher, who discovered the secret backdoor, considers that many Zyxel users might be affected. It is possible since the SSL VPN interface and the web interface keep the same port for operation, thus, pushing customers to leave port 443 open. Approximately 100 000 installations around the globe might be exposed.

Secret Backdoor Detection and Mitigation

The backdoor bug affects Zyxel USG, ATP, VPN, ZyWALL, and USG FLEX devices running ZLD V4.60 Patch 0 firmware. Notably, the static credentials have been brought in only with the last firmware release. Older versions are considered secure.

The backdoor was identified in November 2020 and addressed by Zyxel with the release of ZLD V4.60 Patch 1 on December 18, 2020. The customers are urged to introduce updates ASAP since the backdoor is actively being abused to attack Zyxel instances.

To detect the malicious activity associated with CVE-2020-29583, be welcome to download a fresh Sigma rule from our Threat Bounty developer Osman Demir: 

https://tdm.socprime.com/tdm/info/ycyiDhX05DEF/MHmL5nYBR-lx4sDxXjJU/

The rule has translations to the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, LogPoint, Humio, Chronicle Security, RSA NetWitness

EDR: Carbon Black

MITRE ATT&CK: 

Tactics: Persistence

Techniques: Create Account (T1136)

Search for the best SOC content suitable for your security solutions? Get a free subscription to the Threat Detection Marketplace and find more than 81,000 content items compatible with the majority of SIEM, EDR, NTDR, and SOAR platforms. For your comfort, all items are tagged with particular CVE, TTPs used by APT groups, and multiple MITRE ATT&CK® parameters. Enjoy threat hunting and want to develop your own Sigma rules? Join our Threat Bounty Program for a safer future!