Helldown Ransomware Exploits Zyxel Zero-Day Vulnerability



A new ransomware, “Helldown,” is exploiting vulnerabilities in Zyxel firewalls to breach corporate networks. Researchers have linked the group to attacks targeting Zyxel devices, especially those using IPSec VPN for remote access.

Helldown Ransomware

The exploited vulnerability, CVE-2024-11667, is a directory traversal flaw in the web management interface of Zyxel ZLD firewall firmware versions 5.00 to 5.38.

This high-severity vulnerability, with a CVSS score of 7.5, allows attackers to upload or download files via crafted URLs, potentially leading to unauthorized access and system compromise.

Helldown operators use both Windows and Linux variants of their ransomware. The Windows version, based on LockBit 3.0, uses advanced tactics like deleting shadow copies and terminating critical processes before encryption.

The less sophisticated Linux variant targets VMware ESXi servers, shutting down virtual machines before encryption.

The attack begins with exploiting Zyxel firewall vulnerabilities to gain initial access. Threat actors then create malicious user accounts and use tools like Mimikatz for credential theft. They spread laterally through the network using RDP and other remote access tools.

Helldown employs a double extortion tactic, exfiltrating sensitive data before encrypting files. Victims are threatened with data leaks on the group’s dark web portal if they fail to pay the ransom.

Since August 2024, the ransomware has targeted at least 31 victims, primarily small to medium-sized businesses in the U.S. and Europe.

Helldown ransomware uses XML-based configurations to guide encryption tasks, reflecting a structured approach. The Windows variant employs hardcoded keys and checks for administrator privileges to maximize impact, while the Linux version operates offline to evade detection.

The ransomware can terminate virtual machine processes before encryption, bypassing security measures.

Zyxel released patches for CVE-2024-11667 and related vulnerabilities in firmware version 5.39 on September 3, 2024. However, some organizations remained compromised, likely due to unchanged admin passwords or overlooked malicious accounts.

Mitigation

To counter the Helldown ransomware threat, organizations using Zyxel firewalls should take the following steps:

  • Update Firmware: Upgrade to firmware version 5.39 or later immediately to address known vulnerabilities, including CVE-2024-11667.
  • Change Administrative Passwords: Replace all default and existing administrative passwords with strong, unique ones to prevent unauthorized access.
  • Disable Remote Management: Turn off remote management access unless absolutely necessary to limit potential attack vectors.
  • Strengthen Network Segmentation: Implement robust segmentation to minimize the impact of lateral movement within the network.
  • Monitor for Anomalies: Actively check for unusual activities such as unauthorized account creation and lateral movement using monitoring tools or security logs.
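The last mitigation above pairs two behaviours the article attributes to Helldown operators: creating new user accounts after initial access and then moving laterally over RDP. The following is an added detection example, not code from the article or from any vendor, that correlates Windows Security events 4720 (account created) and 4624 with logon type 10 (RDP) over a constructed sample log; the hostnames, account names and addresses are invented.

```python
"""Flag accounts that log on over RDP shortly after being created.

The events below are constructed sample Windows Security log records
(hypothetical hosts, accounts and addresses), not real telemetry.
"""
from datetime import datetime, timedelta

EVENTS = [
    # Suspicious: account created, then used for RDP minutes later.
    {"ts": "2024-09-10T02:13:05", "host": "FS01", "event_id": 4720,
     "target": "svc_backup2", "subject": "ADMINISTRATOR"},
    {"ts": "2024-09-10T02:15:41", "host": "FS01", "event_id": 4624,
     "target": "svc_backup2", "logon_type": 10, "src_ip": "10.0.5.17"},
    # Benign: existing user's RDP session, no creation event.
    {"ts": "2024-09-10T02:20:00", "host": "FS01", "event_id": 4624,
     "target": "jsmith", "logon_type": 10, "src_ip": "10.0.1.20"},
    # Benign: new hire created by HR, later logs on at the console (type 2).
    {"ts": "2024-09-09T08:00:00", "host": "DC01", "event_id": 4720,
     "target": "newhire01", "subject": "HR_ADMIN"},
    {"ts": "2024-09-10T09:00:00", "host": "DC01", "event_id": 4624,
     "target": "newhire01", "logon_type": 2, "src_ip": "-"},
]


def new_account_rdp_logons(events, window=timedelta(hours=24)):
    """Return (account, created_ts, logon_ts, src_ip) for every account whose
    first RDP logon (4624, logon type 10) falls within `window` of its
    creation event (4720). Console or other logon types are ignored."""
    created = {}
    hits = []
    # ISO-8601 timestamps sort correctly as strings, so this orders by time.
    for ev in sorted(events, key=lambda e: e["ts"]):
        acct = ev["target"].lower()
        if ev["event_id"] == 4720:
            created[acct] = datetime.fromisoformat(ev["ts"])
        elif ev["event_id"] == 4624 and ev.get("logon_type") == 10:
            t0 = created.get(acct)
            if t0 is None:
                continue
            delta = datetime.fromisoformat(ev["ts"]) - t0
            if timedelta(0) <= delta <= window:
                hits.append((acct, t0.isoformat(), ev["ts"], ev["src_ip"]))
    return hits


if __name__ == "__main__":
    for hit in new_account_rdp_logons(EVENTS):
        print("ALERT: newly created account used for RDP:", hit)
```

In production the same rule runs over events pulled from a SIEM or Windows event forwarding, and the window should be tuned to how quickly legitimate new accounts are normally first used for remote access.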

These measures, combined with continuous security audits, can significantly reduce the risk posed by Helldown and similar ransomware threats.


About the Author: FirstHackersNews - Identifies Security
