Ethical Hacking News
The Helldown ransomware operation has been making headlines for its exploits against corporate networks through vulnerabilities in Zyxel firewalls, allowing attackers to steal data and encrypt devices. With 31 victims listed on its recently-renewed extortion portal as of November 7, 2024, this group is a growing concern for corporate networks, highlighting the need for vigilance and proactive measures to prevent attacks.
Helldown ransomware has been targeting corporate networks through vulnerabilities in Zyxel firewalls, allowing attackers to steal data and encrypt devices. The threat actors are using a malicious account named 'OKSDW82A' and a configuration file ('zzz1.conf') to breach MIPS-based devices, possibly Zyxel firewalls. Researchers believe Helldown might be exploiting CVE-2024-42057, a command injection in IPSec VPN that allows unauthenticated attackers to execute OS commands. The issue was fixed with firmware version 5.39, but the group is suspected of having access to private n-day exploits. Helldown publishes large data packs on its website, reaching up to 431GB in one instance, and uses batch files to end tasks instead of incorporating that functionality directly into the malware. The ransom note relies on a generic approach, with a random victim string used as the encrypted-file extension and in the note's filename. As of November 7, 2024, the threat group listed 31 victims on its extortion portal; the count has since dropped to 28, potentially indicating that some had paid a ransom.
Helldown ransomware, a relatively new player in the threat landscape, has been making headlines for its exploits against corporate networks. In recent weeks, reports have surfaced of this group breaching networks through vulnerabilities in Zyxel firewalls, allowing them to steal sensitive data and encrypt devices. French cybersecurity firm Sekoia is reporting on this with medium confidence based on their observations of Helldown attacks.
According to Sekoia, the Helldown ransomware operation is believed to be targeting vulnerabilities in Zyxel firewalls to breach corporate networks, allowing the attackers to access domain controllers, move laterally, and turn off endpoint defenses. The threat actors are utilizing a malicious account named 'OKSDW82A' and a configuration file ('zzz1.conf') as part of an attack targeting MIPS-based devices, possibly Zyxel firewalls.
Researchers at Sekoia found reports on Zyxel forums of the creation of a suspicious user account 'OKSDW82A' and configuration file 'zzz1.conf', where the affected devices' admins reported running firmware version 5.38. Based on this information, Sekoia hypothesizes that Helldown might be using CVE-2024-42057, a command injection in IPSec VPN that allows an unauthenticated attacker to execute OS commands with a crafted long username in User-Based-PSK mode.
The issue was fixed on September 3 with the release of firmware version 5.39. Because no exploitation details have been made public yet, Helldown is suspected of having access to private n-day exploits. Furthermore, Sekoia discovered payloads uploaded to VirusTotal from Russia between October 17 and 22, but the payload was incomplete.
"It contains a base64-encoded string which, when decoded, reveals an ELF binary for the MIPS architecture," explains Sekoia researcher Jeremy Scion. "The payload, however, appears to be incomplete. Sekoia assesses with medium confidence this file is likely connected to the previously mentioned Zyxel compromise."
Sekoia's researchers have also found that Helldown is less selective in the data it steals than groups following more efficient tactics, and it publishes large data packs on its website, reaching up to 431GB in one instance. One of the victims listed is Zyxel Europe, a networking and cybersecurity solutions provider.
The group's encryptors do not appear to be very advanced, with the threat actors utilizing batch files to end tasks rather than incorporating this functionality directly into the malware. When encrypting files, the threat actors will generate a random victim string, such as "FGqogsxF," which will be used as the extension for encrypted files.
The ransom note also uses this victim string in its filename, like "Readme.FGqogsxF.txt." This demonstrates that Helldown is not attempting to create sophisticated and personalized ransom demands, but rather relying on a generic approach to extort its victims.
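A small triage helper for the naming convention just described, written as an added example (it is not code from the article or from Sekoia): given a file listing from a suspected victim host, it extracts the victim string from ransom-note names of the form Readme.<string>.txt and counts the files that carry that string as their extension. The listing is constructed, and the assumed length range of the victim string is based only on the "FGqogsxF" example above.

```python
import re

# Constructed sample of paths, as a responder might collect them from a
# directory walk on a suspected host. Not real data from the incident.
SAMPLE_LISTING = [
    r"C:\Shares\Finance\budget.xlsx.FGqogsxF",
    r"C:\Shares\Finance\Readme.FGqogsxF.txt",
    r"C:\Shares\HR\contracts.docx.FGqogsxF",
    r"C:\Shares\HR\Readme.FGqogsxF.txt",
    r"C:\Shares\IT\inventory.csv",            # untouched file
    r"C:\Users\Public\Readme.txt",            # ordinary readme, no victim string
    r"C:\Users\Public\notes.FGqogsxF.bak",    # token mid-name, not the extension
]

# Ransom-note basename: Readme.<victim string>.txt. The 6-16 character
# alphanumeric range is an assumption generalising the single example given.
NOTE_RE = re.compile(r"^Readme\.([A-Za-z0-9]{6,16})\.txt$")


def basename(path):
    """Return the final path component for either Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def find_victim_strings(paths):
    """Collect every distinct victim string seen in ransom-note filenames."""
    tokens = set()
    for p in paths:
        m = NOTE_RE.match(basename(p))
        if m:
            tokens.add(m.group(1))
    return tokens


def triage(paths):
    """Per victim string: number of notes, number of files using it as an
    extension, and a few example encrypted paths for the incident report."""
    report = {}
    for token in find_victim_strings(paths):
        notes = [p for p in paths if basename(p) == f"Readme.{token}.txt"]
        encrypted = [p for p in paths if basename(p).endswith("." + token)]
        report[token] = {
            "notes": len(notes),
            "encrypted": len(encrypted),
            "samples": encrypted[:3],
        }
    return report


if __name__ == "__main__":
    for token, info in triage(SAMPLE_LISTING).items():
        print(f"victim string {token}: {info['notes']} notes, "
              f"{info['encrypted']} encrypted files, e.g. {info['samples']}")
```

Because the extension is random per victim, a fixed extension blocklist will not catch it; keying detection on the note's filename shape, then confirming with the matching extension, is what this helper does.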
As of November 7, 2024, the threat group listed 31 victims on its recently-renewed extortion portal, primarily small and medium-sized firms based in the United States and Europe. However, the number has decreased to 28, potentially indicating some had paid a ransom.
The Helldown ransomware operation is noteworthy for its ability to exploit vulnerabilities in Zyxel firewalls, allowing it to breach corporate networks and steal sensitive data. This highlights the importance of regularly updating firmware versions and being cautious when using third-party VPN services.
In conclusion, the Helldown ransomware operation is a growing concern for corporate networks, and its exploits highlight the need for vigilance and proactive measures to prevent attacks. As researchers continue to investigate this threat, it is essential to stay informed about the latest developments and best practices for securing networks against similar attacks.
Related Information:
https://www.bleepingcomputer.com/news/security/helldown-ransomware-exploits-zyxel-vpn-flaw-to-breach-networks/
Published: Tue Nov 19 11:42:45 2024 by llama3.2 3B Q4_K_M