TeamT5 has released mitigation and response guidelines for two vulnerabilities in the Zyxel ZyWall USG 20/50 firewall appliances. Both vulnerabilities were exploited in the wild and detected by the TeamT5 vulnerability research team. We temporarily track the two vulnerabilities as T5-VUL-11705 and T5-VUL-12195. Threat actors can compromise Zyxel ZyWall USG devices with T5-VUL-11705 and T5-VUL-12195, and our investigation suggests that they have used the compromised devices as a botnet.
For more details, users of ThreatVision can check our Vulnerability Insights Report (VIR), VIR 2023 September H1: T5-VUL-11705. VIR provides technical details about critical and highly exploitable vulnerabilities, which users can apply to mitigate the threat they pose.
Executive Summary
T5-VUL-11705 is a server-side request forgery (SSRF) vulnerability that allows threat actors to bypass authentication and steal credentials. T5-VUL-12195 is an authenticated command injection vulnerability. By chaining T5-VUL-11705 with T5-VUL-12195, an unauthenticated threat actor can achieve remote code execution (RCE).
We assess the severity of T5-VUL-11705 and T5-VUL-12195 as critical and urge our customers to use this report to mitigate their effects. Zyxel ZyWall USG is a firewall appliance with VPN functionality. Public research suggests that over 20,000 devices are vulnerable to both vulnerabilities, including over 1,500 devices in Taiwan. Furthermore, both vulnerabilities have been fully weaponized: Chinese threat actors have exploited them against entities in Taiwan and used the compromised devices as a botnet since July 2023. Details are given in the Exploitation Status section.
Based on the current exploitation status of T5-VUL-11705 and T5-VUL-12195, we describe a Possible Attack Scenario in this report. We also identified that the threat actors deployed botnet malware, which we dubbed EmergeBot, after exploiting the vulnerabilities in Zyxel ZyWall. The malware descriptions and IoCs are summarized in Appendix II: Malware Table and Appendix III: Indicators of Compromise (IoC). Most importantly, we have prepared a comprehensive Mitigation and Response Advisory for our customers.
The Mitigation Advisory includes:
- Official Patch Information
- Threat Hunting Tools, including:
  - A Vulnerability Scanner
  - Two Snort Rules
    - The first rule will detect potential attack attempts exploiting T5-VUL-11705.
    - The second rule will detect potential connections to EmergeBot.
Exploitation Status
The vulnerabilities affect a broad range of Zyxel ZyWall USG models.
- Public research suggests that over 20,000 Zyxel ZyWall USG devices worldwide are affected, including over 1,500 devices in Taiwan.
- Since July 2023, Chinese threat actors have exploited the vulnerabilities in the Zyxel ZyWall USG-20/50 series targeting entities in Taiwan.
- According to our analysis, the threat actors deployed at least two malware families, Microsocks and EmergeBot, for botnet attacks.
Patch Status
The latest firmware version [1] of the Zyxel ZyWall USG 20/50 series has patched T5-VUL-11705, while the latest versions for the USG20 and USG50 models are still vulnerable to T5-VUL-12195. Moreover, the USG 20 series is already an End-of-Life (EOL) product line: Zyxel will not provide updates for it in the future. [2]
Vulnerability | USG20 (3.30 BDS) | USG50 (3.30 BDQ) | USG60 (V4.73(AAKY.2)C0) |
---|---|---|---|
T5-VUL-11705 | Patched | Patched | Patched |
T5-VUL-12195 | Vulnerable | Vulnerable | Patched |
Mitigation and Response Advisory
1. Official Patch Information
To mitigate the impact of the vulnerabilities, we highly recommend that our customers follow the instructions below:
- Upgrade your Zyxel USG 20/50 series devices to the latest firmware versions.
- Restrict the web administration interface of your Zyxel USG devices to trusted source IP addresses and domains only.
2. Threat Hunting Tools
We have prepared a vulnerability scanner and two Snort rules for our customers. Contact us for the tools if you subscribe to ThreatVision.
Vulnerability Scanner
Zyxel ZyWall USG has several models and product lines, each with a different patch status. We have prepared a vulnerability scanner so that our customers can check whether their Zyxel ZyWall USG devices are vulnerable to T5-VUL-11705.
SNORT Rules
As the vulnerabilities have been actively exploited by the threat actors, TeamT5 has prepared two Snort rules for our customers to detect attack attempts.
Zyxel ZyWall USG is a relatively closed platform, which makes incident response on the device itself difficult. Deploy the following two Snort rules on the network to detect whether your Zyxel ZyWall USG devices have been the target of attack attempts.
- The first rule will detect potential attack attempts exploiting T5-VUL-11705.
- The second rule will detect potential connections to EmergeBot.
Possible Attack Scenario
Chinese threat actors have actively exploited the vulnerabilities in attacks against entities in Taiwan since July 2023, even though the two vulnerabilities (T5-VUL-11705 and T5-VUL-12195) have not been disclosed publicly. The threat actors deployed malware to the targeted devices and used the compromised Zyxel USG devices as a botnet.
Specifically, we identified two types of malware in the attack: the open-source hacking tool Microsocks and a newly discovered RAT, EmergeBot.
- Microsocks [3] is an open-source, lightweight SOCKS5 proxy that can be ported to IoT devices with MIPS or ARM architectures. Once a device has been exploited through T5-VUL-11705 and T5-VUL-12195, the launcher [4] executes Microsocks on the Zyxel USG device. The Microsocks binary we found in the attack was built for the MIPS architecture.
- EmergeBot [5] is a RAT we first identified in the July 2023 attack. EmergeBot is built for the MIPS architecture and will only execute when the first 15 bytes of the payload match `3rg3c-27s9-hrl0`. We dubbed the RAT EmergeBot because of its capability to build a botnet.
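As an added illustration (not part of TeamT5's report, scanner or Snort rules), the following Python script shows how a defender could sweep for the indicators the report gives: the 15-byte EmergeBot marker at the start of a captured payload, the `no firewall activate` line in an exported device configuration, and the SHA-256 hashes listed in Appendix III. The sample payloads and configuration dump are constructed for the example; the functions take generic bytes and text, so they can be fed real captures or config exports from any collection tool.

```python
"""IoC sweep for the Zyxel ZyWall USG indicators described in the report.

Added example, not TeamT5's scanner or Snort rules. Sample inputs are constructed.
"""
import hashlib
from typing import Iterable

# EmergeBot runs only when the first 15 bytes of the payload equal this marker (from the report).
EMERGEBOT_MAGIC = b"3rg3c-27s9-hrl0"
assert len(EMERGEBOT_MAGIC) == 15

# SHA-256 IoCs from Appendix III, normalised to lowercase for comparison.
IOC_SHA256 = {
    "3d6209705e75a79ff38eb8941df4fa67f47fc758a8f909b98ed6983f67c89a79",
    "4e32c7ceb09f7cd612cfeeb4f291968455453c3b4a45efc2c1d297295d9ad061",
    "9b59cb890949017b07d93b4bcfaf0a7372829c6892e49ace8a9b793563869358",
}

# CLI command the actors issued to disable the firewall (from the report).
FIREWALL_DISABLE_CMD = "no firewall activate"


def is_emergebot_payload(payload: bytes) -> bool:
    """Flag a captured payload whose first 15 bytes are the EmergeBot marker."""
    return payload.startswith(EMERGEBOT_MAGIC)


def flag_payloads(payloads: Iterable[bytes]) -> list[int]:
    """Return the indexes of payloads that carry the EmergeBot marker at offset 0."""
    return [i for i, p in enumerate(payloads) if is_emergebot_payload(p)]


def is_ioc_hash(sha256_hex: str) -> bool:
    """Compare a SHA-256 hex digest (any case, surrounding whitespace ignored) with the IoC list."""
    return sha256_hex.strip().lower() in IOC_SHA256


def file_matches_ioc(data: bytes) -> bool:
    """Hash file contents and check the digest against the IoC list."""
    return is_ioc_hash(hashlib.sha256(data).hexdigest())


def firewall_disabled_lines(config_text: str) -> list[int]:
    """1-based line numbers in a configuration dump where the firewall was switched off."""
    return [
        n for n, line in enumerate(config_text.splitlines(), start=1)
        if line.strip() == FIREWALL_DISABLE_CMD
    ]


# --- constructed sample inputs (not real captures or a real Zyxel export) ---
SAMPLE_PAYLOADS = [
    b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",  # ordinary traffic
    EMERGEBOT_MAGIC + b"\x00\x01cmd",                     # marker followed by bot data
    b"3rg3c-27s9-hrl",                                    # only 14 bytes: must not match
    b"xx" + EMERGEBOT_MAGIC,                              # marker not at offset 0: must not match
]

SAMPLE_CONFIG = """\
! constructed configuration dump, not a real Zyxel export
hostname usg-example
no firewall activate
interface wan1
"""


def main() -> None:
    print("EmergeBot payloads at indexes:", flag_payloads(SAMPLE_PAYLOADS))
    print("firewall disabled at config lines:", firewall_disabled_lines(SAMPLE_CONFIG))
    print("IoC hash match:", is_ioc_hash("3D6209705E75A79FF38EB8941DF4FA67F47FC758A8F909B98ED6983F67C89A79"))
    print("constructed payload hash in IoC list:", file_matches_ioc(SAMPLE_PAYLOADS[1]))


if __name__ == "__main__":
    main()
```

The marker check is deliberately anchored at offset 0, matching the report's description that EmergeBot only executes when the first 15 bytes are consistent with the string; a payload containing the marker elsewhere is not flagged, which keeps false positives down when the same check is applied to large captures.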
Notably, we also found that the actors disabled the firewall via the CLI command `no firewall activate`. We recommend that our customers check their Zyxel firewall policy and restore the original policy if it was modified. Additionally, we found that plaintext administrator credentials of Zyxel firewalls were leaked through T5-VUL-11705. We recommend that our customers change the administrator passwords of their Zyxel firewalls.
Appendix I: More about T5-VUL-11705 and T5-VUL-12195
The table below is an excerpt from an upcoming new series, the Patch Management Report (PMR). Published every two weeks (or more often), the PMR will provide our customers with concise yet comprehensive updates on the most critical and exploitable vulnerabilities selected by the TeamT5 vulnerability research team during the period, each with patch information. If you are interested in subscribing to this new report series, please contact TeamT5 for more information.
T5-VUL-11705 and T5-VUL-12195
CVE | Vendor | CVSS | Description | Threat Level | Date | Patch | Reference |
---|---|---|---|---|---|---|---|
T5-VUL-11705 | Zyxel ZyWALL USG Series | 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) | Zyxel ZyWALL USG series have a server-side request forgery (SSRF) vulnerability that allows threat actors to bypass authentication and leak credentials. | HIGH | 2023-07-31, 2023-09-18 | Details: https://community.zyxel.com/en/discussion/4247/zywall-usg-series-v3-30p9-wk48-firmware-released | N/A |
T5-VUL-12195 | Zyxel ZyWALL USG Series | 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) | Zyxel ZyWALL USG series authenticated command injection vulnerability | HIGH | 2023-07-31, 2023-09-18 | Details: https://community.zyxel.com/en/discussion/4247/ZyWALL-usg-series-v3-30p9-wk48-firmware-released | N/A |
Appendix II: Malware Table
Name | Type | Description | Attribution | First Seen |
---|---|---|---|---|
Microsocks | Hacking Tool | Microsocks is an open-source SOCKS5 proxy tool that is lightweight enough to port to IoT devices with MIPS and ARM architectures. Chinese actors have deployed it at scale on Zyxel firewalls in Taiwan since July 2023. | Open-source | 2023.07 |
EmergeBot | RAT | EmergeBot has been deployed by a Chinese actor on IoT devices such as firewalls and Wi-Fi routers, and has been used to build a botnet in Taiwan since July 2023. | Unknown | 2023.07 |
Appendix III: Indicators of Compromise (IoC)
SHA-256
3D6209705E75A79FF38EB8941DF4FA67F47FC758A8F909B98ED6983F67C89A79
4E32C7CEB09F7CD612CFEEB4F291968455453C3B4A45EFC2C1D297295D9AD061
9B59CB890949017B07D93B4BCFAF0A7372829C6892E49ACE8A9B793563869358