The recently discovered backdoor account on Zyxel network appliances is now being used in the wild, according to GreyNoise. Andrew Morris, CEO of GreyNoise, told BleepingComputer that the threat actors they detected do not appear to be looking for Zyxel devices specifically; instead, they are scanning the Internet for any SSH-enabled devices. Where SSH is exposed, the actors attempt to brute-force logins to the device, and one of the accounts they try just so happens to be the Zyxel backdoor account.
Zyxel has released patches for Advanced Threat Protection (ATP), Unified Security Gateway (USG), USG FLEX and VPN series devices to remove the backdoor account. The NXC series is expected to receive a patch removing the account in April. Binary Defense highly recommends that organizations using these devices patch them as soon as possible and remove them from Internet access until the patch is applied. GreyNoise has so far identified four IP addresses attempting to break into SSH using the Zyxel backdoor account, but many more threat actors will likely add the Zyxel password to their lists. A best practice for any server using SSH for remote access is to disable the password authentication method entirely and only allow certificate-based authentication.
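As an added example (not Binary Defense's or GreyNoise's code), the shell script below audits an sshd_config fragment for the password-login setting recommended against above and tallies failed-password attempts per source IP from OpenSSH auth-log lines; the config fragments and log lines are constructed here, and the account name is a placeholder because the page does not give it.

```shell
#!/bin/sh
# Added example: audit sshd_config for password logins and count SSH
# brute-force attempts per source IP. All inputs below are constructed.

# Constructed sshd_config samples: weak (password logins allowed) and hardened.
WEAK_CONF='PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes'

HARDENED_CONF='PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes'

# Constructed auth-log lines in OpenSSH's usual format; the user name is a
# placeholder and the IPs are RFC 5737 documentation addresses.
AUTH_LOG='Jan 05 10:01:02 gw sshd[1201]: Failed password for invalid user backdoor-placeholder from 192.0.2.10 port 5111 ssh2
Jan 05 10:01:03 gw sshd[1202]: Failed password for root from 192.0.2.10 port 5112 ssh2
Jan 05 10:01:05 gw sshd[1203]: Failed password for admin from 198.51.100.7 port 40011 ssh2
Jan 05 10:01:09 gw sshd[1204]: Accepted publickey for ops from 203.0.113.5 port 50000 ssh2'

# audit_sshd_conf CONF -> "password-auth-enabled" or "password-auth-disabled".
# OpenSSH defaults PasswordAuthentication to yes, so a missing directive
# counts as enabled; the last occurrence wins, as in sshd itself.
audit_sshd_conf() {
  v=$(printf '%s\n' "$1" \
      | awk 'tolower($1)=="passwordauthentication"{print tolower($2)}' \
      | tail -n 1)
  if [ "${v:-yes}" = "no" ]; then
    echo password-auth-disabled
  else
    echo password-auth-enabled
  fi
}

# failed_password_by_ip LOG -> "count ip" lines, highest count first.
# Only "Failed password" events are counted; accepted logins are ignored.
failed_password_by_ip() {
  printf '%s\n' "$1" | awk '/sshd\[[0-9]+\]: Failed password for/ {
      for (i = 1; i <= NF; i++) if ($i == "from") c[$(i+1)]++
    } END { for (ip in c) print c[ip], ip }' | sort -rn
}

audit_sshd_conf "$WEAK_CONF"        # password-auth-enabled
audit_sshd_conf "$HARDENED_CONF"    # password-auth-disabled
failed_password_by_ip "$AUTH_LOG"   # 2 192.0.2.10 / 1 198.51.100.7
```

On a live host, run the audit against `sshd -T` output rather than the file, since that reflects the effective configuration after includes and Match blocks.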
Since May of this year, GreyNoise has observed an unknown actor quietly fingerprinting SSH honeypots on the Internet, exclusively through Tor. The actor is using Cobalt Strike's SSH client. This is likely being done to avoid threat intelligence vendors. https://t.co/UUN9VCuyfG pic.twitter.com/vGxInpR84M
— GreyNoise (@GreyNoiseIO) September 16, 2020