Helldown Ransomware Group Tied to Zyxel's Firewall Exploits

Firewall Vendor Warns Attackers Using Valid Credentials They Previously Stole
Attackers wielding an emerging strain of ransomware called Helldown have been gaining a foothold in victims' networks by exploiting Zyxel firewalls, security researchers warn.

The Helldown operation has claimed 31 victims over the past three months, largely by using a Windows version of its crypto-locking malware, together with a data-leak site where it attempts to name and shame victims, French cybersecurity software company Sekoia said Tuesday.

Tactics tied to the ransomware group have included targeting a previously unknown flaw in Zyxel ATP firewalls, tracked as CVE-2024-42057.

"Compromising firewalls or VPN gateways is a common entry technique for ransomware groups, as it provides a foothold to an organization's systems through equipment that is often poorly monitored and offers access to critical resources," Sekoia said.

Zyxel first publicly disclosed the vulnerability on Sept. 3, warning that a "command injection vulnerability in the IPSec VPN feature of some firewall versions could allow an unauthenticated attacker to execute some OS commands on an affected device by sending a crafted username to the vulnerable device."

Last month, Zyxel further warned that attackers appear to have been using credentials they stole by exploiting previous vulnerabilities to still gain remote access to customers' now-patched security appliances.

"Based on our investigation, the threat actors were able to steal valid credentials information from previous vulnerabilities and such credentials were not changed, allowing them to now create SSL VPN tunnels with temporary users, such as 'SUPPOR87', 'SUPPOR817' or 'vpn', and modify the security policies to provide them with access to the device and network," it said.
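The two post-compromise artifacts Zyxel describes above, throwaway SSL VPN accounts and rewritten security policies, are both things a defender can audit for from a firewall's user and policy inventory. The following is an added example written for this article, not code from Zyxel, Sekoia or the authors; the record layout, field names and sample data are constructed for illustration and do not reproduce any vendor's real configuration export format.

```python
"""Audit a firewall's local user list and security policies for the
artifacts described in the Zyxel advisory: temporary SSL VPN users that
nobody provisioned, and allow rules that open the VPN zone to internal
networks without a change ticket. Record formats are constructed."""
import re
from dataclasses import dataclass

# Account names the advisory reports attackers creating.
KNOWN_ROGUE_NAMES = {"SUPPOR87", "SUPPOR817", "vpn"}
# Generic pattern: a vendor-support-sounding name padded with digits.
SUPPORT_LIKE = re.compile(r"^suppor[t]?\d*$", re.IGNORECASE)


@dataclass(frozen=True)
class LocalUser:            # hypothetical record shape
    name: str
    user_type: str          # e.g. "admin", "user", "ext-user"
    created_by: str         # account that created this user


@dataclass(frozen=True)
class Policy:               # hypothetical record shape
    name: str
    from_zone: str
    to_zone: str
    service: str
    action: str             # "allow" or "deny"
    created_by: str


def audit_users(users, provisioned):
    """Return (user_name, reason) for every local account that matches the
    naming seen in these intrusions or is absent from the provisioning
    inventory (the set of accounts created through the normal process)."""
    findings = []
    for u in users:
        if u.name in KNOWN_ROGUE_NAMES:
            findings.append((u.name, "name matches reported rogue account"))
        elif SUPPORT_LIKE.match(u.name):
            findings.append((u.name, "support-like throwaway name"))
        elif u.name not in provisioned:
            findings.append((u.name, "not in provisioning inventory"))
    return findings


def audit_policies(policies, change_tickets):
    """Return (policy_name, reason) for allow rules from an SSL VPN zone into
    a LAN zone that have no approved change ticket recorded for them."""
    findings = []
    lan_zones = {"LAN", "LAN1", "LAN2"}
    for p in policies:
        opens_lan = (p.from_zone.upper().startswith("SSL_VPN")
                     and p.to_zone.upper() in lan_zones
                     and p.action == "allow")
        if opens_lan and p.name not in change_tickets:
            findings.append((p.name, f"unticketed allow {p.from_zone}->{p.to_zone} "
                                     f"service={p.service} created_by={p.created_by}"))
    return findings


# Constructed sample inventory, including the account names from the advisory.
SAMPLE_USERS = [
    LocalUser("admin", "admin", "factory"),
    LocalUser("j.doe", "user", "helpdesk"),
    LocalUser("SUPPOR87", "user", "admin"),
    LocalUser("vpn", "user", "admin"),
    LocalUser("SUPPORT9", "ext-user", "admin"),
]
PROVISIONED = {"admin", "j.doe"}

SAMPLE_POLICIES = [
    Policy("VPN_to_LAN_Finance", "SSL_VPN", "LAN1", "HTTPS", "allow", "admin"),
    Policy("tmp_any", "SSL_VPN", "LAN1", "any", "allow", "SUPPOR87"),
    Policy("WAN_block", "WAN", "LAN1", "any", "deny", "admin"),
]
CHANGE_TICKETS = {"VPN_to_LAN_Finance"}


def run_audit():
    """Run both audits over the constructed sample data."""
    return {
        "users": audit_users(SAMPLE_USERS, PROVISIONED),
        "policies": audit_policies(SAMPLE_POLICIES, CHANGE_TICKETS),
    }


if __name__ == "__main__":
    for section, items in run_audit().items():
        print(section)
        for name, reason in items:
            print(f"  {name}: {reason}")
```

The provisioning inventory and change-ticket set are the important inputs: the named accounts are only the ones already reported, so the audit leans on "was this account or rule created through the normal process" rather than on a blocklist. Run it against a real export only after the configuration has been re-credentialed, since the advisory's point is that patched devices stayed exposed while stolen credentials remained valid.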

How Helldown-wielding attackers discovered or learned of the flaw isn't clear. The ransomware first came to light over the summer. In September, security firm Cyfirma detailed an August surge in claimed victims by Helldown, which it said was "exploiting vulnerabilities to infiltrate networks and disable security measures, targeting IT services, telecommunications and manufacturing sectors." Following in the double-extortion footsteps of numerous other ransomware groups, the attackers regularly stole data and threatened to release it unless victims paid a ransom.

Whether the group's claimed victims are genuine, or whether any of them have ever paid it a ransom, remains unclear.

The group has continued to refine its malware. On Oct. 31, security researcher Alex Turing first detailed a version of Helldown ransomware designed to infect Linux, "zeroing in on VMware virtual platforms."

The ransomware group isn't yet part of the big leagues. For comparison's sake, security firm ReliaQuest reported that from July through September of this year, the strain of ransomware that claimed the most victims - numbering 195 organizations in that timeframe - was RansomHub, which "has significantly upped its game by teaming up with the hacking group Scattered Spider." While security researchers urge treating claimed victims with a heavy pinch of salt, they do use them to try to compare and contrast which groups are most active (see: Ransomware Groups' Data Leak Blogs Lie: Stop Trusting Them).

While Helldown isn't a major player, what differentiates it from other, minor groups has been its access to a previously unknown flaw present in a widely used type of edge device, said Jeremy Scion, security engineer at Sekoia.

"The threat actor is not necessarily very sophisticated nor unique in its operational methods," he told Information Security Media Group. "What makes it 'sophisticated/threatening' is that it has access to exploit code for an undocumented/non-public vulnerability."

In one such intrusion, documented by security firm Trusec on Nov. 7, the attacker used a local, externally facing account in a Zyxel firewall and then used "the domain controller's LDAP synchronization credentials to pivot further into the network," including gaining full access to Active Directory. After that, the attacker deployed a hellenc.exe encryptor on multiple endpoints, which forcibly encrypted multiple files on each system, then removed itself and rebooted the endpoints, leaving a ransom note on their desktops.

Helldown claims on its leak site to have exfiltrated anywhere from 22 gigabytes to 431 gigabytes of data from individual victims. These claims could not be confirmed. Sekoia said even if the ransomware group did attempt to leak such large quantities of data via its leak site, whether anyone could practically download it remains questionable, given the slow speed of downloads from the dark web.

Sekoia said Helldown's encryptor and tactics have strong similarities with a previously seen type of ransomware called DarkRace, which is based on leaked LockBit code and first appeared in May 2023. It appears to be connected to another strain of ransomware - possibly a DarkRace rebrand - called Donex that emerged in February. A free decryptor for DarkRace and Donex was released in April, and both operations appear to have since gone dormant.

"Given DarkRace and Donex's history of rebranding and their significant similarities to Helldown, the possibility of Helldown being another rebrand cannot be dismissed," Sekoia said.


About the Author

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.