TeamT5 威脅分析師高峰會(TAS) 即將登場!

【漏洞揭露】Zyxel ZyWall USG 20/50 防火牆服務(T5-VUL-11705 & T5-VUL-12195)

2023.10.18Cyber Threat Intelligence
本篇文章中,TeamT5 杜浦數位安全針對 Zyxel ZyWall USG 20/50 防火牆服務的兩個漏洞,釋出緩解與回應指南。這兩個漏洞已被開採、流傳,並被 TeamT5 漏洞研究團隊偵測到。我們現以編號「T5-VUL-11705」、「T5-VUL-12195」稱之,並進行追蹤。經我們的調查,威脅行動者可利用「T5-VUL-11705」、「T5-VUL-12195」入侵 Zyxel ZyWall,且濫用該設備為殭屍網路(botnet)。

若為 TeamT5 威脅情資平台 – ThreatVision 的用戶,現可閱讀漏洞情資報告(Vulnerability Insights Report)之「VIR 2023 September H1: T5-VUL-11705」,該報告提供詳細說明,協助使用者減輕這些關鍵且高度可利用的漏洞所造成的威脅。本文則摘錄前述報告的基本說明與緩解方式,初步協助使用者應對漏洞威脅。

Executive Summary

T5-VUL-11705 is a server-side request forgery (SSRF) vulnerability that allows threat actors to bypass authentication and steal credential. T5-VUL-12195 is an authenticated command injection vulnerability. When combined the use of T5-VUL-11705 and T5-VUL-12195, the threat actors can use unauthenticated users to achieve remote code execution (RCE).
We assess the severity level of T5-VUL-11705 and T5-VUL-12195 as critical and urge our customers to use this report to mitigate the effects. Zyxel ZyWall USG is a firewall service with VPN functionality. Public research suggests that over 20,000 devices are vulnerable to both vulnerabilities, including over 1,500 devices in Taiwan. Furthermore, both vulnerabilities were fully weaponized. Chinese threat actors have exploited both vulnerabilities, targeting entities in Taiwan and deploying the compromised devices as botnets since July 2023. We detailed the information in Exploitation Status.
Based on the current exploitation status of T5-VUL-11705 and T5-VUL-12195, we have depicted the Possible Attack Scenario in this report. Moreover, we identified that the threat actors have deployed botnet malware, which we dubbed EmergeBot, after exploiting the vulnerabilities in Zyxel ZyWall. We concluded the malware introduction and IoCs in Appendix II: Malware Table and Appendix III: Indicators of Compromise (IoC). Most importantly, we prepare a comprehensive Mitigation and Response Advisory for our customers.
The Mitigation Advisory includes:
Official Patch Information
  • Threat Hunting Tools, including:
  • A Vulnerability Scanner
    • Two Snort Rules
      • The first rule will detect potential attack attempts of T5-VUL-11705.
      • The second rule will detect potential connection of EmergeBot.

Exploitation Status

The vulnerabilities have affected a board version of Zyxel ZyWall USG models.
  • Public research suggests that over 20,000 Zyxel ZyWall USG devices worldwide are affected, including over 1,500 devices in Taiwan.
  • Since July 2023, Chinese threat actors have exploited the vulnerabilities in the Zyxel ZyWall USG-20/50 series targeting entities in Taiwan.
  • According to our analysis, the threat actors deployed at least two malware, Microsocks and EmergeBot, for botnet attacks.

Patch Status

The latest version [1] of the Zyxel ZyWall USG 20/50 series has patched T5-VUL-11705, while the latest version of model USG20 and USG50 are still vulnerable to T5-VUL-12195. Moreover, the USG 20 series are already End-of-Life (EOL) products: Zyxel will not provide updates for the product line in the future. [2]
USG20 (3.30 BDS)USG50 (3.30 BDQ)USG60 (V4.73(AAKY.2)C0)

Mitigation and Response Advisory

1. Official Patch Information

To mitigate the impact of the vulnerabilities, we highly recommend our customers follow the instructions below:

2. Threat Hunting Tools

We have prepared a vulnerability scanner and two SNORT rule for our customer. Contact us for the tools if you have subscribed to our ThreatVision.
Vulnerability Scanner
Zyxel ZyWall USG has different models and product lines with different patch status. We have prepare a vulnerability scanner for our customers to check if your Zyxel ZyWall USG device is vulenrabile to T5-VUL-11705.
As the vulnerabilities have been actively exploited by the threat actors, TeamT5 prepared two SNORT rules for our customers to detect the attack attempts.
Zyxel ZyWall USG is a relatively close platform, making it difficult for Incident Response. Deploy the following two SNORT rules to detect if your Zyxel ZyWall USG devices were under potential attack attempts.
  • The first rule will detect potential attack attempts exploiting T5-VUL-11705.
  • The second rule will detect potential connection to EmergeBot.

Possible Attack Scenario

Chinese threat actors have actively exploited the vulnerabilities in attacks against entities in Taiwan since July 2023, even though the two vulnerabilities (T5-VUL-11705 and T5-VUL-12195) have not been disclosed publicly. The threat actors deployed malware to the targeted devices and exploited the compromised ZyXel USG devices as botnet.
Specifically, we identified two types of malware in the attack: the open-source hacking tool Microsocks and a newly discovered RAT, EmergeBot.
  • The Microsocks [3] is an open-source and lightweight SOCKS5 proxy tool that can be ported on IoT devices in MIPS or ARM architecture. Once exploited by T5-VUL-11705 and T5-VUL-12195, the launcher [4] will execute the Microsocks on ZyXel USG devices. The Microsocks we found in the attack is designed for the MIPS architecture.
  • The EmergeBot [5] is a RAT we first identified in the July 2023 attack. EmergeBot is designed for the MIPS architecture and will only be executed when the first 15-byte in the payload is consistent with 3rg3c-27s9-hrl0. We dubbed the RAT EmergeBot based on its feature to build botnet.
Notably, we also found that the actors disabled the firewall via CLI command: no firewall activate. We recommend our customer check your Zyxel firewall policy and restore the original firewall policy if it was modified. Additionally, we also found that plain text administrator credentials of Zyxel firewalls were leaked though T5-VUL-11705. We recommend our customer change the administator passwords of Zyxel firewalls.

Appendix I: More about T5-VUL-11705 and T5-VUL-12195

Below table is an excerpt of another upcoming new series, Patch Management Report (PMR). Published every two weeks (or more), the PMR will provide our customers with concise yet comprehensive updates on the most critical and exploitable vulnerabilities selected by TeamT5 vulnerability research team during the period. Each vulnerability will be provided with patch information. If you are interested in subscribing to this new report series, please contact TeamT5 for more information.

T5-VUL-11705 and T5-VUL-12195

CVEVendorCVSSDescriptionThreat LevelDatePatchReference
ZyXelZyWALL USG Series
ZyXel ZyWALL USG series have SSRF (Server-side request forgery) vulnerability that allows threat actors to bypass authenticaton and leak credential.HIGH2023-07-31
ZyXelZywall USG Series
ZyXel ZyWALL USG Series Authenticated Command Injection VulnerabilityHIGH2023-07-31

Appendix II: Malware Table

NameTypeDescriptionAttributionFirst Seen
MicrosocksHacking ToolMicrosocks is an open-source SOCKS5 proxy tools, and it is lightweight to port on IoT devices in MIPS and ARM architecture, and it has been ported to ZyXel firewall massively in Taiwan by Chinese actors since July 2023.Open-source2023.07
EmergeBotRATEmergeBot has been deployed by a Chinese actor on IoT devices such as firewall, WIFI router, etc, and it has been exploited to build botnet in Taiwan since July 2023. Unknown2023.07

Appendix III: Indicators of Compromise (IoC)

  1. SHA-256: 4E32C7CEB09F7CD612CFEEB4F291968455453C3B4A45EFC2C1D297295D9AD061
  2. SHA-256: 9B59CB890949017B07D93B4BCFAF0A7372829C6892E49ACE8A9B793563869358
  3. SHA-256: 3D6209705E75A79FF38EB8941DF4FA67F47FC758A8F909B98ED6983F67C89A79

*首圖來源: pixabay
2023.10.18Cyber Threat Intelligence

Related Post

為提供您最佳的服務體驗,本網站使用 Cookies。當您使用本網站,即表示您同意 Cookies 技術支援。更多資訊請參閱隱私權與Cookies使用政策。