In this article, TeamT5 (杜浦數位安全) releases mitigation and response guidance for two vulnerabilities in the Zyxel ZyWall USG 20/50 firewall service. Both vulnerabilities have already been exploited and circulated, and were detected by TeamT5's vulnerability research team. We now refer to them, and track them, as "T5-VUL-11705" and "T5-VUL-12195". According to our investigation, threat actors can use T5-VUL-11705 and T5-VUL-12195 to compromise Zyxel ZyWall devices and abuse them as part of a botnet.
Users of TeamT5's threat intelligence platform, ThreatVision, can now read the Vulnerability Insights Report "VIR 2023 September H1: T5-VUL-11705", which provides detailed guidance to help users mitigate the threat posed by these critical and highly exploitable vulnerabilities. This article excerpts the basic description and mitigation measures from that report to give users initial help in responding to the threat.
T5-VUL-11705 is a server-side request forgery (SSRF) vulnerability that allows threat actors to bypass authentication and steal credentials. T5-VUL-12195 is an authenticated command injection vulnerability. By chaining T5-VUL-11705 with T5-VUL-12195, an unauthenticated threat actor can achieve remote code execution (RCE).
We assess the severity level of T5-VUL-11705 and T5-VUL-12195 as critical and urge our customers to use this report to mitigate their effects. Zyxel ZyWall USG is a firewall service with VPN functionality. Public research suggests that over 20,000 devices are vulnerable to both vulnerabilities, including over 1,500 devices in Taiwan. Furthermore, both vulnerabilities have been fully weaponized: Chinese threat actors have exploited both of them since July 2023, targeting entities in Taiwan and deploying the compromised devices as botnets. The details are given in Exploitation Status.
Based on the current exploitation status of T5-VUL-11705 and T5-VUL-12195, we describe the Possible Attack Scenario in this report. Moreover, we identified that the threat actors deployed botnet malware, which we dubbed EmergeBot, after exploiting the vulnerabilities in Zyxel ZyWall. The malware description and IoCs are summarized in Appendix II: Malware Table and Appendix III: Indicators of Compromise (IoC). Most importantly, we have prepared a comprehensive Mitigation and Response Advisory for our customers.
The Mitigation Advisory includes:
- Official Patch Information
- Threat Hunting Tools, including:
  - A Vulnerability Scanner
  - Two Snort Rules
    - The first rule detects potential attack attempts against T5-VUL-11705.
    - The second rule detects potential connections to EmergeBot.
The vulnerabilities affect a broad range of Zyxel ZyWall USG models.
- Public research suggests that over 20,000 Zyxel ZyWall USG devices worldwide are affected, including over 1,500 devices in Taiwan.
- Since July 2023, Chinese threat actors have exploited the vulnerabilities in the Zyxel ZyWall USG-20/50 series, targeting entities in Taiwan.
- According to our analysis, the threat actors deployed at least two pieces of malware, Microsocks and EmergeBot, for botnet operations.
The latest version of the Zyxel ZyWall USG 20/50 series has patched T5-VUL-11705, while the latest versions of the USG20 and USG50 models are still vulnerable to T5-VUL-12195. Moreover, the USG 20 series is already an End-of-Life (EOL) product line: Zyxel will not provide updates for it in the future.
| Model | Latest version |
|---|---|
| USG20 | 3.30 BDS |
| USG50 | 3.30 BDQ |
| USG60 | V4.73(AAKY.2)C0 |
Mitigation and Response Advisory
1. Official Patch Information
To mitigate the impact of the vulnerabilities, we highly recommend that our customers follow the instructions below:
- Upgrade your Zyxel USG 20/50 series devices to the latest versions.
- Restrict the web administration interface of your ZyXel USG devices to trusted source IPs and domains only.
2. Threat Hunting Tools
We have prepared a vulnerability scanner and two SNORT rules for our customers. Contact us for the tools if you have subscribed to ThreatVision.
Zyxel ZyWall USG has different models and product lines with different patch statuses. We have prepared a vulnerability scanner for our customers to check whether their Zyxel ZyWall USG device is vulnerable to T5-VUL-11705.
As the vulnerabilities have been actively exploited by the threat actors, TeamT5 has prepared two SNORT rules for our customers to detect attack attempts.
Zyxel ZyWall USG is a relatively closed platform, which makes incident response difficult. Deploy the following two SNORT rules to detect whether your Zyxel ZyWall USG devices have been subject to potential attack attempts.
- The first rule detects potential attack attempts exploiting T5-VUL-11705.
- The second rule detects potential connections to EmergeBot.
Possible Attack Scenario
Chinese threat actors have actively exploited the vulnerabilities in attacks against entities in Taiwan since July 2023, even though the two vulnerabilities (T5-VUL-11705 and T5-VUL-12195) have not been disclosed publicly. The threat actors deployed malware to the targeted devices and used the compromised ZyXel USG devices as a botnet.
Specifically, we identified two types of malware in the attack: the open-source hacking tool Microsocks and a newly discovered RAT, EmergeBot.
- Microsocks is an open-source, lightweight SOCKS5 proxy tool that can be ported to IoT devices on the MIPS or ARM architecture. Once a device has been exploited via T5-VUL-11705 and T5-VUL-12195, the launcher executes Microsocks on the ZyXel USG device. The Microsocks sample we found in the attack is built for the MIPS architecture.
- EmergeBot is a RAT we first identified in the July 2023 attack. EmergeBot is built for the MIPS architecture and only executes when the first 15 bytes of the payload match `3rg3c-27s9-hrl0`. We dubbed the RAT EmergeBot based on its botnet-building functionality.
Notably, we also found that the actors disabled the firewall via the CLI command `no firewall activate`. We recommend that customers check their Zyxel firewall policy and restore the original policy if it was modified. Additionally, we found that plaintext administrator credentials of Zyxel firewalls were leaked through T5-VUL-11705. We recommend that customers change the administrator passwords of their Zyxel firewalls.
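As an added defender-side illustration (not TeamT5's vulnerability scanner or Snort rules, which are available on request), the Python below applies the two indicators described above to constructed sample data: it flags captured payloads whose first 15 bytes equal the EmergeBot marker, and it locates the `no firewall activate` line in a configuration dump so a modified policy can be spotted. The flow tuples, the config excerpt and the treatment of `!`/`#` lines as comments are assumptions of this example.

```python
# Added triage helper; not code from TeamT5 or Zyxel. Sample data is constructed.

EMERGEBOT_MARKER = b"3rg3c-27s9-hrl0"      # 15-byte marker quoted in the advisory
FIREWALL_DISABLE_CMD = "no firewall activate"  # CLI command the actors issued


def is_emergebot_payload(payload: bytes) -> bool:
    """True if the payload starts with the 15-byte EmergeBot marker."""
    n = len(EMERGEBOT_MARKER)
    return len(payload) >= n and payload[:n] == EMERGEBOT_MARKER


def find_emergebot_payloads(flows):
    """flows: iterable of (src, dst, payload); returns the (src, dst) pairs flagged."""
    return [(src, dst) for src, dst, payload in flows if is_emergebot_payload(payload)]


def firewall_disabled_in_config(config_text: str):
    """Return 1-based line numbers where the firewall is turned off in a config dump.

    Matching is case-insensitive and whitespace-tolerant. Lines beginning with
    '!' or '#' are treated as comments (an assumption of this example).
    """
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped[0] in "!#":
            continue
        if " ".join(stripped.lower().split()) == FIREWALL_DISABLE_CMD:
            hits.append(lineno)
    return hits


# Constructed sample flows: one EmergeBot-style payload, one ordinary HTTP
# request, and one payload too short to carry the full marker.
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.7", b"3rg3c-27s9-hrl0\x01\x00\x00\x10" + b"A" * 16),
    ("192.0.2.11", "198.51.100.8", b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    ("192.0.2.12", "198.51.100.9", b"3rg3c-27s9"),
]

# Constructed running-config excerpt in which the firewall was switched off.
SAMPLE_CONFIG = """! constructed running-config excerpt
username admin password ***** user-type admin
firewall activate
no firewall activate
"""

if __name__ == "__main__":
    print("EmergeBot-marked flows:", find_emergebot_payloads(SAMPLE_FLOWS))
    print("firewall disabled at config lines:", firewall_disabled_in_config(SAMPLE_CONFIG))
```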
Appendix I: More about T5-VUL-11705 and T5-VUL-12195
The table below is an excerpt from another upcoming series, the Patch Management Report (PMR). Published every two weeks (or more often), the PMR will provide our customers with concise yet comprehensive updates on the most critical and exploitable vulnerabilities selected by the TeamT5 vulnerability research team during the period. Patch information will be provided for each vulnerability. If you are interested in subscribing to this new report series, please contact TeamT5 for more information.
| ID | Product | Description | Severity | Date |
|---|---|---|---|---|
| T5-VUL-11705 | ZyXel ZyWALL USG Series | ZyXel ZyWALL USG series have an SSRF (server-side request forgery) vulnerability that allows threat actors to bypass authentication and leak credentials. | HIGH | 2023-07-31 |
| T5-VUL-12195 | ZyXel ZyWALL USG Series | ZyXel ZyWALL USG Series Authenticated Command Injection Vulnerability | HIGH | 2023-07-31 |
Appendix II: Malware Table
| Malware | Type | Description | Source | First seen |
|---|---|---|---|---|
| Microsocks | Hacking Tool | Microsocks is an open-source SOCKS5 proxy tool that is lightweight enough to port to IoT devices on the MIPS and ARM architectures. It has been deployed on ZyXel firewalls in Taiwan at scale by Chinese actors since July 2023. | Open-source | 2023.07 |
| EmergeBot | RAT | EmergeBot has been deployed by a Chinese actor on IoT devices such as firewalls and Wi-Fi routers, and has been used to build a botnet in Taiwan since July 2023. | Unknown | 2023.07 |
Appendix III: Indicators of Compromise (IoC)
- SHA-256: 4E32C7CEB09F7CD612CFEEB4F291968455453C3B4A45EFC2C1D297295D9AD061
- SHA-256: 9B59CB890949017B07D93B4BCFAF0A7372829C6892E49ACE8A9B793563869358
- SHA-256: 3D6209705E75A79FF38EB8941DF4FA67F47FC758A8F909B98ED6983F67C89A79