Cyber criminals are scanning the Web for devices with SSH exposed, hoping to break into them with hard-coded credentials. The credentials in question belong to the so-called backdoor account that Zyxel patched the other day.
As a reminder, the cybersecurity company EYE recently found a hidden account in more than one hundred Zyxel firewalls, VPN gateways and access point controllers.
In an official post, the vendor explained that the account was used to deliver automatic firmware updates via FTP. The problem is that the hidden account also lets attackers create VPN accounts and gain access to internal networks.
Predictably, once the hidden account was made public, attackers began looking for vulnerable devices. Researchers at GreyNoise observed three different IP addresses trying to log into systems with the backdoor account's credentials. The experts noted that the attackers are not only looking for Zyxel devices but for any IP running SSH: once they find a host that meets the criteria, they start brute-forcing logins against it.
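For a defender, the behaviour described above shows up in the SSH daemon's authentication log: a burst of failed logins from one source, possibly followed by a successful login as the hidden account. The following script is an added example, not part of the article or of any Zyxel or GreyNoise tooling. It parses OpenSSH-style syslog lines, flags any source that fails a configurable number of logins inside a time window, and separately flags successful logins to a watch-listed account name. The article does not give the hidden account's username or the three scanning IPs, so the account name below is a labelled placeholder and the log lines are constructed samples using documentation addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The hidden account's real username is not given in the article; this is a
# placeholder to be replaced with the name from the vendor's advisory.
WATCHED_ACCOUNTS = {"hidden-account-placeholder"}

# OpenSSH sshd syslog lines for password authentication (assumed log format).
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed sample log lines (RFC 5737 documentation addresses), not real captures.
SAMPLE_LOG = """\
Jan  7 10:15:01 fw01 sshd[4021]: Failed password for invalid user support from 198.51.100.23 port 51820 ssh2
Jan  7 10:15:04 fw01 sshd[4023]: Failed password for invalid user test from 198.51.100.23 port 51822 ssh2
Jan  7 10:15:09 fw01 sshd[4025]: Failed password for root from 198.51.100.23 port 51824 ssh2
Jan  7 10:15:15 fw01 sshd[4027]: Failed password for admin from 198.51.100.23 port 51826 ssh2
Jan  7 10:15:20 fw01 sshd[4029]: Failed password for invalid user ubnt from 198.51.100.23 port 51830 ssh2
Jan  7 10:15:27 fw01 sshd[4031]: Accepted password for hidden-account-placeholder from 198.51.100.23 port 51834 ssh2
Jan  7 10:16:02 fw01 sshd[4040]: Failed password for admin from 203.0.113.7 port 44010 ssh2
Jan  7 10:16:40 fw01 sshd[4042]: Failed password for admin from 203.0.113.7 port 44012 ssh2
Jan  7 10:20:00 fw01 sshd[4055]: Accepted password for admin from 192.0.2.10 port 39000 ssh2
"""


def parse_line(line):
    """Return (timestamp, result, user, ip) for an sshd auth line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; the parsed year is only used for deltas.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def analyze(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag brute-force sources and logins to watch-listed accounts.

    A source is flagged when `threshold` failed logins fall within `window`
    (sliding over the sorted failure timestamps).
    """
    failures = defaultdict(list)
    watched_logins = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        if result == "Failed":
            failures[ip].append(ts)
        elif user in WATCHED_ACCOUNTS:
            # Any successful login as the hidden account is worth an alert.
            watched_logins.append((user, ip))

    sources = {}
    for ip, stamps in failures.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                sources[ip] = len(stamps)
                break
    return {"brute_force_sources": sources, "watched_account_logins": watched_logins}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, count in report["brute_force_sources"].items():
        print(f"brute-force source {ip}: {count} failed logins")
    for user, ip in report["watched_account_logins"]:
        print(f"ALERT: watched account {user!r} logged in from {ip}")
```

On the sample input, 198.51.100.23 is reported as a brute-force source (five failures in under a minute) and its subsequent login as the watched account raises an alert, while 203.0.113.7, with only two failures, stays below the threshold. In practice the watch-listed login is the higher-priority signal, since it indicates the hard-coded credentials worked; the brute-force count mainly helps decide whether management SSH should be reachable from the Internet at all.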
Fortunately, Zyxel has already released the “ZLD V4.60 Patch 1” update, which removes the hidden account on firewalls. The same patch for access point controllers is due out tomorrow, January 8th.