
The Zyxel Hack: Why VPNs are an Open Door for Cyber Attacks

If you like to keep track of what’s going on in data protection, you’ve probably noticed the game of ‘security tag’ between hackers and network companies. With more and more companies implementing remote working practices, largely accelerated by Covid, intelligent hackers have identified and targeted the VPN as an easy entry point to organizational data. And, while network providers continually take security measures to keep their offerings as protected as possible, hackers are simultaneously becoming more sophisticated in their attempts to circumvent them.

Zyxel, a manufacturer of enterprise routers and VPN devices, found that it was no exception. It recently issued an alert announcing that attackers were targeting its devices and changing configurations to gain remote access to customers’ networks.

How did they do it? Via WAN.

After gaining access via the WAN, the hackers logged in with stolen valid credentials, bypassed authentication, and ultimately established SSL VPN tunnels using existing or newly created user accounts to manipulate the device configuration. This, of course, left Zyxel firewall customers totally exposed.

How did this happen?

This most likely came about via a hardcoded admin backdoor account in one of Zyxel’s firmware binaries, which left a whopping 100,000 firewalls and VPNs wide open to all sorts of potential information theft. As a result, Zyxel had to advise all its customers’ admins to take drastic, time-consuming, resource-intensive, and costly security measures. Among them:

  • Delete all unknown admin and user accounts
  • Delete unknown firewall rules and routing policies
  • Disable HTTP and HTTPS services from the WAN side
  • Restrict access to trusted source internet addresses only
  • Enable GeoIP filtering
  • Change passwords and set up two-factor authentication
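The checklist above is easier to apply, and to prove you applied it, if you can run it against a configuration export rather than clicking through a web UI. The script below is an added example, not Zyxel’s tooling or any Safe-T code: it audits a device export for each checklist item and then applies the steps that can be done mechanically. The JSON layout, the account names (`svc_remote`, `jsmith`), the rule ids, the address ranges and the `KNOWN_ADMINS` / `TRUSTED_SOURCES` lists are all constructed for illustration; a real Zyxel export uses its own format, so the parsing would need adapting.

```python
"""Audit a firewall/VPN configuration export against the hardening checklist
above, then apply the steps that can be automated safely.

Added example. The JSON layout below is a constructed, hypothetical export
format, not Zyxel's own, and every account, rule and address value is made up."""
import ipaddress
import json

# Constructed sample export (hypothetical layout, constructed values).
SAMPLE_EXPORT = json.dumps({
    "users": [
        {"name": "admin", "role": "admin", "mfa": True},
        {"name": "netops", "role": "admin", "mfa": True},
        {"name": "svc_remote", "role": "admin", "mfa": False},  # not on the known list
        {"name": "jsmith", "role": "user", "mfa": False},       # no second factor
    ],
    "services": [
        {"name": "HTTP", "enabled": True, "interfaces": ["LAN", "WAN"]},
        {"name": "HTTPS", "enabled": True, "interfaces": ["LAN", "WAN"]},
        {"name": "SSH", "enabled": True, "interfaces": ["LAN"]},
    ],
    "firewall_rules": [
        {"id": 1, "from": "WAN", "to": "DEVICE", "source": "203.0.113.0/24", "action": "allow"},
        {"id": 2, "from": "WAN", "to": "DEVICE", "source": "any", "action": "allow"},
        {"id": 3, "from": "WAN", "to": "DEVICE", "source": "192.0.2.55", "action": "allow"},
        {"id": 4, "from": "LAN", "to": "WAN", "source": "any", "action": "allow"},
    ],
    "geoip_filter": {"enabled": False},
})

# Values an operator would take from their own records (constructed here).
KNOWN_ADMINS = {"admin", "netops"}
TRUSTED_SOURCES = ["203.0.113.0/24", "198.51.100.10/32"]
WAN_MGMT_SERVICES = ("HTTP", "HTTPS")


def _is_wan_mgmt_rule(rule):
    """True for an allow rule from the WAN zone to the device itself."""
    return rule["from"] == "WAN" and rule["to"] == "DEVICE" and rule["action"] == "allow"


def _is_trusted(source, trusted):
    """True if a rule source (single address or CIDR) lies inside a trusted network."""
    if source == "any":
        return False
    net = ipaddress.ip_network(source, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in trusted)


def audit(export_json, known_admins, trusted_sources):
    """Return one finding string per checklist item the export violates."""
    cfg = json.loads(export_json)
    trusted = [ipaddress.ip_network(n) for n in trusted_sources]
    findings = []
    for u in cfg["users"]:
        if u["role"] == "admin" and u["name"] not in known_admins:
            findings.append(f"unknown admin account: {u['name']}")
        if not u.get("mfa"):
            findings.append(f"account without MFA: {u['name']}")
    for s in cfg["services"]:
        if s["enabled"] and s["name"] in WAN_MGMT_SERVICES and "WAN" in s["interfaces"]:
            findings.append(f"{s['name']} management reachable from WAN")
    for r in cfg["firewall_rules"]:
        if _is_wan_mgmt_rule(r) and not _is_trusted(r["source"], trusted):
            findings.append(f"rule {r['id']}: WAN access to device from untrusted source {r['source']}")
    if not cfg.get("geoip_filter", {}).get("enabled"):
        findings.append("GeoIP filtering disabled")
    return findings


def remediate(export_json, known_admins, trusted_sources):
    """Apply the checklist steps that can be done mechanically and return the new export.
    Password rotation and MFA enrolment need the account owner, so they stay as findings."""
    cfg = json.loads(export_json)
    trusted = [ipaddress.ip_network(n) for n in trusted_sources]
    cfg["users"] = [u for u in cfg["users"] if u["role"] != "admin" or u["name"] in known_admins]
    for s in cfg["services"]:
        if s["name"] in WAN_MGMT_SERVICES:
            s["interfaces"] = [i for i in s["interfaces"] if i != "WAN"]
    cfg["firewall_rules"] = [r for r in cfg["firewall_rules"]
                             if not _is_wan_mgmt_rule(r) or _is_trusted(r["source"], trusted)]
    cfg["geoip_filter"] = {"enabled": True}
    return json.dumps(cfg)


if __name__ == "__main__":
    for line in audit(SAMPLE_EXPORT, KNOWN_ADMINS, TRUSTED_SOURCES):
        print("FINDING:", line)
    hardened = remediate(SAMPLE_EXPORT, KNOWN_ADMINS, TRUSTED_SOURCES)
    print("after remediation:", audit(hardened, KNOWN_ADMINS, TRUSTED_SOURCES))
```

On the constructed export the audit reports eight findings; after `remediate` only the MFA gap for `jsmith` remains, which is the point of keeping the human-only steps (password changes, second-factor enrolment) as findings rather than pretending a script can close them.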

Zero Trust Network Access (ZTNA) could have prevented ALL of that.

ZTNA and VPN – better together

The main problem with VPN access alone, without ZTNA, is that these particularly intelligent hackers were able to bypass the system directly, via the VPN. With ZTNA, they would have had to go through an authenticate-first process before gaining access. An extra lock and key, if you like. With VPN only, the hackers were able to bypass the system quickly, leaving the entire network exposed.

So how does ZTNA work exactly?

ZTNA works by separating the identification process from the access event, thereby distancing the VPN’s ‘weak spots’ from the organization. This means that even if a hacker succeeds in bypassing the VPN, they would still need to pass a multi-factor authentication (MFA) component before entry, essentially stopping them in their tracks.

ZoneZero® Zero Trust Network Access (ZTNA) solution

ZoneZero®, Safe-T’s NextGen cloud and on-premises ZTNA solution, ensures that all organizational access use cases, both incoming and outgoing, are fully secured according to a “validate first, access later” protocol. No one is trusted by default from either inside or outside the network, and verification is required from every identity wishing to gain access to resources on the network or in the cloud. In short –

ZoneZero® helps organizations to adopt more effective security, based on a “never trust, always verify” principle.

The First ever Zero Trust Access Orchestration Platform

Fully transparent and simple to deploy, Safe-T provides an innovative and unique network-centric ability to implement ZTNA within corporate networks. Working side-by-side and in conjunction with all access points (VPNs and firewalls), identity security solutions and application services, Safe-T’s ZTNA enables seamless integration across all legacy infrastructure and authentication services.

ZoneZero® addresses all remote access requirements and supports the following access scenarios:

Remote access users (non-VPN)
ZoneZero® enables organizations to implement ZTNA and provide secure and transparent access to any internal application, service, and data, in parallel with or in place of an existing VPN. Based on patented reverse-access technology, ZoneZero® is a clientless solution, eliminating the need to open incoming ports in an organization’s firewall for seamless, effective, and secure operations.

VPN users
Powered by patented reverse-access technology, ZoneZero® uniquely enables ZTNA on existing VPN infrastructures through application-layer policy monitoring and enforcement, MFA integration with any application or service for continuous authentication, and true separation of the data plane and control plane – all on top of existing infrastructure.

Internal network users
ZoneZero® also operates as a ZTNA solution for internal users, providing identity-based segmentation and multi-factor authentication for any internal application for secure access control in addition to supporting both non-web protocols and legacy infrastructure. With ZoneZero®, organizations can easily integrate multi-factor authentication and continuous identity verification for all applications.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Safe-T® Group Ltd.
Safe-T Group Ltd. (Nasdaq, TASE: SFET) is a provider of Zero Trust Access solutions which mitigate attacks on enterprises’ business-critical services and sensitive data, while ensuring uninterrupted business continuity. Safe-T’s cloud and on-premises solutions ensure that an organization’s access use cases, whether into the organization or from the organization out to the internet, are secured according to the “validate first, access later” philosophy of Zero Trust. This means that no one is trusted by default from inside or outside the network, and verification is required from everyone trying to gain access to resources on the network or in the cloud.

Safe-T’s wide range of access solutions reduces organizations’ attack surface and improves their ability to defend against modern cyberthreats. As an additional layer of security, our integrated business-grade global proxy cloud service enables smooth and efficient traffic flow, interruption-free service, unlimited concurrent connections, instant scaling and simple integration with our services.

With Safe-T’s patented reverse-access technology and proprietary routing technology, organizations of all sizes and types can secure their data, services and networks against internal and external threats.