How to Disable Admin Access to Zyxel from WAN
Zyxel recently announced a security vulnerability affecting their products. WAN access to the admin console is part of the problem. Here’s how to turn it off and walk through a remediation process.
Zyxel recently announced a security issue concerning its USG/ZyWALL, USG FLEX, ATP, and VPN series running on-premise ZLD firmware.
An aggressor capable of accessing the admin login from WAN can insert a new routing policy and new backdoor admin users. A full write-up and remediation process can be found here.
Currently, there’s no fix.
In the meantime, here’s how to disable admin access to console from WAN.
WARNING:
Once you take this step, you’ll have to access the web console from the LAN, so you’ll need to be behind the firewall until you re-enable HTTPS on the WAN Service Group. Do this from a local machine on the LAN, or through a VPN connection that terminates behind the firewall.
Log in to the Zyxel as Admin.
Go to Configuration > Object > Service.
Select the Service Groups Tab.
Find the Default Allow WAN to Zywall Policy.
If HTTPS is in the Member Service Group, select HTTPS and remove it.
Strike the OK button and the configuration will be saved.
Your Zywall is now protected from the attack.
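To confirm the change actually took, check from the WAN side that the console’s HTTPS port no longer answers. The script below is an added example and not part of the original post or Zyxel’s tooling; the WAN address is a placeholder you replace with your own, and the only thing it tests is whether a TCP connection completes (a refused or timed-out connect means the port is closed or filtered).

```python
"""Added example (not from the original post): check from outside the LAN
whether the ZyWALL admin console's HTTPS port still answers on the WAN
address after HTTPS was removed from the WAN service group."""
import socket
from contextlib import closing


def admin_port_reachable(host: str, port: int = 443, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes.

    A completed handshake means the service is still exposed; a refused or
    timed-out connection means the port is closed or filtered. Only the TCP
    layer is checked, so run it from a machine on the WAN side (for example a
    phone hotspot), never from inside the LAN where the console is meant to
    stay reachable.
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except OSError:  # covers ConnectionRefusedError and socket.timeout
            return False
        return True


def demo() -> tuple:
    """Offline self-check with a throwaway local listener: the port reads as
    reachable while the listener is open and unreachable once it is closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port chosen by the OS
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = admin_port_reachable("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = admin_port_reachable("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    # Placeholder from the TEST-NET-3 range; replace with your firewall's WAN IP.
    WAN_IP = "203.0.113.10"
    if admin_port_reachable(WAN_IP):
        print(f"HTTPS still answers on {WAN_IP}:443 - re-check the WAN service group")
    else:
        print(f"{WAN_IP}:443 does not answer from here - WAN admin access looks closed")
    print(demo())
```

Run it from outside your network after saving the configuration; if the WAN address still answers on 443, the HTTPS member is still in the group or another policy is allowing it.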
Recommendations from Here
Walk through the remediation article I cited above to see if your Zyxel product was affected by the attack.
Take the necessary remediation steps or prove that your device wasn’t affected.
Update your device’s firmware.
My Advice: Don’t trust the Cloud Update procedure inside of the device.
I find the Cloud Update in the GUI misreports highest firmware versions.
Confirm the actual version for your product by logging in to portal.myzyxel.com, accessing My Devices, and attempting to download the latest firmware. Compare that version number against the active and standby partitions on your device.
If you need to update, upload the firmware manually to the standby partition with the option not to reboot when prompted.
The Zyxel should start the upload process (be patient, it’ll take a while) and it shouldn’t reboot on you (I’ve had several USG40’s that rebooted regardless).
If the device doesn’t auto-reboot, reboot it afterwards on your own schedule.
It’ll take the newer firmware in the standby partition as active, putting you on the latest release.
As of this writing, Zyxel doesn’t have a fix yet, but you’ll want to repeat this procedure to manually update to the fix firmware once it’s released. You should then be able to re-add HTTPS to the WAN Service Group.
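The version comparison in the steps above is easy to get wrong by eye when the active and standby partitions differ only in the patch digit. The following is an added example, not code from the post or from Zyxel: it parses version strings in the layout ZLD shows in the GUI (I assume the `V4.60(AAKZ.1)` form; the sample values are constructed) and tells you which step of the manual procedure applies.

```python
"""Added example (not from the original post): decide which step of the
manual ZLD firmware update applies by comparing the portal's version
against the active and standby partitions. The 'V<major>.<minor>(<model>.<patch>)'
layout is an assumption about the GUI's display format."""
import re
from typing import NamedTuple

_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)")


class ZldVersion(NamedTuple):
    major: int
    minor: int
    model_code: str  # e.g. AAKZ; identifies the hardware model the image is built for
    patch: int

    @classmethod
    def parse(cls, text: str) -> "ZldVersion":
        m = _VERSION_RE.match(text.strip())
        if not m:
            raise ValueError(f"unrecognised ZLD version string: {text!r}")
        return cls(int(m[1]), int(m[2]), m[3], int(m[4]))

    def key(self) -> tuple:
        return (self.major, self.minor, self.patch)


def newer_than(candidate: str, installed: str) -> bool:
    """True if candidate is strictly newer than installed for the same model."""
    c, i = ZldVersion.parse(candidate), ZldVersion.parse(installed)
    if c.model_code != i.model_code:
        # An image for a different model must never be compared, let alone flashed.
        raise ValueError(f"model code mismatch: {c.model_code} vs {i.model_code}")
    return c.key() > i.key()


def plan_update(active: str, standby: str, portal: str) -> str:
    """Map the three version strings onto the step the procedure calls for."""
    if not newer_than(portal, active):
        return "up-to-date"          # active partition already runs the portal version
    if not newer_than(portal, standby):
        return "reboot-to-standby"   # newer firmware is already waiting in standby
    return "upload-to-standby"       # upload without reboot, then reboot on your schedule


if __name__ == "__main__":
    # Constructed sample values for illustration only.
    print(plan_update("V4.55(AAKZ.1)", "V4.55(AAKZ.0)", "V4.60(AAKZ.0)"))
```

Feed it the three strings you read off the device’s maintenance page and the portal download page; a model-code mismatch raises rather than comparing, which is the case you most want to catch before uploading anything.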
R
Why You Shouldn't Be Using Windows 7
Here’s the thing: if you’re running Windows 7, you’re just making yourself an easier target for hackers. Why would you want to run around with a target on your back? Take action today!
As of July 2020, Microsoft Windows 7 still controls around 20% of total desktop operating systems worldwide.
A couple of reasons why you don’t want to still be using Microsoft Windows 7:
It’s no longer receiving security updates, as Microsoft ended support for the product in January 2020. That means its existing vulnerabilities are permanent; aggressors will be able to exploit those problems forever.
Consequently, the US FBI issued a warning on August 3, 2020 about continuing to use the legacy operating system, and the UK’s National Cyber Security Centre has directly warned users not to use Windows 7 for commercial activities like email or banking.
If the appeal-to-authority doesn’t work for you, how about money? IBM recently reported that the average cost of a data breach in the United States is $3.86 million.
And, yeah, cyber security insurance. You think you’re covered. It’s not like your cyber security policy is going to cover you if you’re running a known-bad o/s. That’s just raw negligence, kids.
Now, you have options.
Like Macs? After January 2021, Apple will be transitioning to ARM microprocessors. Lots of techie stuff here, but the bottom line is that Macs are soon going to get hundreds of dollars cheaper. Cool! Upgrades!
But if you don’t have a cool $1k to drop on a new machine, and if you’re married to the Google Cloud Ecosystem, there’s never been a better time to update to a Chromebook or a Chromebox. There are a lot of great boxes out there, some priced at a third of the cost of a comparable Microsoft Windows 10 computer. They boot in eight seconds, they’re encrypted, they receive automatic updates that don’t break them, they are significantly more secure than Windows will ever be … why not?
Okay, so maybe Google ain’t your thing. If you have an older machine still running Windows 7, and you’re comfortable with the machine’s overall performance and still want to use it, and you’re mostly using a web browser to access online services, consider installing Linux. I’d recommend Ubuntu or its cousin, Zorin. They’re more secure than Windows, won’t break your system, and will make the older machines run like they were new.
Still using Microsoft Word and Excel? Dependent on some 3rd party application that has to run on Windows? You could upgrade your Windows 7 machine to Windows 10, sure; it’s only $100. That’s a lot cheaper than $3.86 million. But watch the performance hit. You’d probably be better off just replacing the asset.
Here’s the thing: continuing to use an obsolete product is only making you more vulnerable, and, more of a target to aggressors who look at you and your data as an easy target. There’s no reason why you’d rationally want to be an easier target for hackers. Take action today to replace that old machine. Do something!
R
Home Routers are a Huge Risk
Home routers aren’t receiving security updates. Because of that, they’re vulnerable to attack, potentially exposing your data and home to hackers. Hire a computer consultant to help you upgrade your router.
So a little while ago, I wrote about the risks that remote workers face while working from home.
A recent study of home routers does well to illustrate these vulnerabilities.
In a study entitled Home Router Security Report 2020 conducted by FKIE, it was found that 43 of 127 commercial routers hadn’t received security updates in the last year from the original equipment manufacturer (OEM), despite the fact that these devices are affected by hundreds of known vulnerabilities. In the worst cases, the devices hadn’t been updated by the OEM in more than five years.
Over ninety percent of the evaluated routers run versions of the Linux operating system. Yet, the updates provided to the routers fall far behind the standards we’d expect for desktop or server machines running the same operating systems. These vendors could distribute security patches and updates several times a year, but often they do not.
FKIE’s study only complements a 2018 study conducted by the American Consumer Institute demonstrating that 83 percent of sampled routers were found to have an average of 186 vulnerabilities to potential attacks in the router’s firmware.
Such evidence suggests:
Home router manufacturers aren’t preparing firmware updates in a timely fashion;
Users are not applying available updates in a timely fashion, or, may not understand how.
This is a severe problem, especially in the age of COVID as many millions of workers are conducting important commercial business on the backs of outdated router firmware with known bugs.
But you can do better. Hiring a computer consultant to investigate your router, update its firmware, or replace the router, can secure your small business. It’s a practical step in deterring potential aggressors and in safeguarding your information assets. Just ask us how it’s done.
R