Cybercrime actors are actively exploiting the Zyxel vulnerability. Cybersecurity experts: the company patched the hardcoded credential flaw, but someone is scanning for SSH devices and attempting to log in with the Zyxel backdoor credentials
Cybercrime actors are exploiting the hardcoded credential backdoor in Zyxel firewalls and AP controllers, discovered last month by Niels Teusink of Dutch cybersecurity firm EYE. According to Bleeping Computer, this secret ‘zyfwp’ account allowed users to log in via SSH and the web interface and gain administrator privileges. The company recently patched the vulnerability, but in recent days GreyNoise detected three different IP addresses actively scanning for SSH devices and attempting to log in to them using the Zyxel backdoor credentials. The threat actor does not appear to be scanning specifically for Zyxel devices but is instead scanning the Internet for IP addresses running SSH. When SSH is detected, it attempts to brute force an account on the device, with one of the credentials tested being the new ‘zyfwp’ backdoor account.
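As an added example (not code from the article, EYE or GreyNoise), a small Python parser that scans sshd-style authentication logs for login attempts against the ‘zyfwp’ account described above, counts them per source address, and flags any successful login as critical. The log lines, host name and IP addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample sshd log lines (syslog format); host and addresses are made up.
SAMPLE_LOG = """\
Jan  5 10:12:01 fw01 sshd[2211]: Invalid user zyfwp from 203.0.113.10 port 51022
Jan  5 10:12:03 fw01 sshd[2211]: Failed password for invalid user zyfwp from 203.0.113.10 port 51022 ssh2
Jan  5 10:12:09 fw01 sshd[2215]: Failed password for invalid user admin from 203.0.113.10 port 51030 ssh2
Jan  5 10:13:44 fw01 sshd[2290]: Failed password for root from 198.51.100.7 port 40011 ssh2
Jan  5 10:15:02 fw01 sshd[2301]: Accepted password for zyfwp from 192.0.2.55 port 60044 ssh2
Jan  5 10:16:10 fw01 sshd[2310]: Failed password for zyfwp from 203.0.113.10 port 51088 ssh2
"""

# The backdoor account name reported for the Zyxel firmware.
BACKDOOR_USER = "zyfwp"

# Matches both "Failed password for [invalid user] <user> from <ip>"
# and "Accepted password for <user> from <ip>".
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def find_backdoor_attempts(log_text, user=BACKDOOR_USER):
    """Return (failed_by_ip, accepted_by_ip) for auth events naming the backdoor account."""
    failed, accepted = Counter(), Counter()
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m or m.group("user") != user:
            continue
        bucket = accepted if m.group("result") == "Accepted" else failed
        bucket[m.group("ip")] += 1
    return failed, accepted


def alerts(log_text, user=BACKDOOR_USER):
    """One tuple per source IP: (ip, severity, failed_count, accepted_count).

    Any accepted login with the backdoor account is 'critical'; failed
    attempts alone indicate the credential-spraying described in the article.
    """
    failed, accepted = find_backdoor_attempts(log_text, user)
    out = []
    for ip in sorted(set(failed) | set(accepted)):
        severity = "critical" if accepted[ip] else "scan"
        out.append((ip, severity, failed[ip], accepted[ip]))
    return out


if __name__ == "__main__":
    for row in alerts(SAMPLE_LOG):
        print(row)
```

Feed it the real auth log (for example with `alerts(open("/var/log/auth.log").read())`) on a host that should never see that account name; a single hit is worth investigating.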