- Researchers say Helldown abuses Zyxel VPN flaws to breach networks
- One of the flaws was previously undisclosed
- The attackers mainly target SMEs in the US and Europe
There appears to be a new ransomware player in town that is exploiting vulnerabilities in Zyxel firewalls and IPSec access points to compromise victims, steal their data, and encrypt their systems.
The group is called Helldown and has been active since the summer of 2023. A new report from cybersecurity researchers at Sekoia has exposed the group, noting that it is most likely using a previously undisclosed vulnerability in Zyxel’s firewalls for initial access.
Additionally, the group appears to be exploiting CVE-2024-42057, a command injection bug in IPSec VPN that, in certain scenarios, allows unauthenticated users to execute OS commands.
Dozens of victims
Once inside a target network, the attackers steal as many files as possible and then encrypt the systems. For the encryption, they appear to be using a piece of software built with the leaked LockBit 3 builder. The researchers said the encryptor was relatively simple, but was likely still under development.
As basic as it is, the encryptor still has at least 31 organizations locked down, as that is the number of victims listed on the group’s data leak site. According to BleepingComputer, between November 7 and today the number dropped to 28, which could indicate that some organizations paid the ransom demand. We don’t know who the victims are, or how much money the crooks demanded in exchange for the decryption key and for keeping the stolen data private.
Most victims appear to be small and medium-sized organizations in the United States and Europe.
If the researchers are indeed right, and Helldown is using flaws in Zyxel and IPSec instances to breach networks, the best defense is to keep these devices up to date and restrict access to trusted accounts. CVE-2024-42057, affecting IPSec, was fixed on September 3; the first patched firmware version is 5.39. For the Zyxel firewall flaw, since the vulnerability has still not been made public, it would be wise to keep an eye on upcoming advisories and apply the patch as soon as it is published.
Via BleepingComputer