The Zyxel Hack: Why VPNs are an Open Door for Cyber Attacks

Sep 6, 2021

If you like to keep track of what’s going on in data protection, you’ve probably noticed the game of ‘security tag’ between hackers and network companies. With more and more companies implementing remote working practices, largely accelerated by Covid, intelligent hackers have identified and targeted the VPN as an easy entry point to organizational data. And, while network providers continually take security measures to keep their offerings as protected as possible, hackers are simultaneously becoming more sophisticated in their attempts to get around them.

Zyxel, a manufacturer of enterprise routers and VPN devices, found that it was no exception. It recently issued an alert announcing that attackers were targeting its devices and changing their configurations to gain remote access to the networks behind them.

How did they do it? Via the WAN.

After gaining access via the WAN, the hackers logged in with stolen valid credentials, bypassed authentication and, ultimately, established SSL VPN tunnels using existing or newly created user accounts to manipulate the device configuration. This, of course, left Zyxel firewall customers totally exposed.

How did this happen?

This most likely came about via a hardcoded admin backdoor account in one of Zyxel’s firmware binaries, which left a whopping 100,000 firewalls and VPNs wide open to all sorts of potential information theft. As a result, Zyxel had to advise all its customers’ admins to take drastic, time-consuming, resource-intensive and costly security measures. Among them:

  • Delete all unknown admin and user accounts
  • Delete unknown firewall rules and routing policies
  • Disable HTTP and HTTPS services from the WAN side
  • Restrict access to trusted source internet addresses only
  • Enable GeoIP filtering
  • Change passwords and set up two-factor authentication
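A defender-side configuration audit that checks an exported device config for the conditions in the checklist above, added here as an example; it is not code from the original post or from Zyxel, and the config layout, account names, rule ids and trusted address range are constructed assumptions rather than Zyxel’s real export format.

```python
"""Audit an exported firewall/VPN configuration against the advisory checklist
above (unknown admins, unknown WAN rules, HTTP/HTTPS management on the WAN,
untrusted sources, GeoIP off, no 2FA). Config layout is a constructed stand-in."""

KNOWN_ADMINS = {"admin", "netops"}     # assumed: the approved admin accounts
KNOWN_RULE_IDS = {1, 2}                # assumed: rule ids in the approved baseline
TRUSTED_SOURCES = {"203.0.113.0/24"}   # assumed: jump-host range (RFC 5737 doc prefix)

# Constructed sample: a device showing the signs the advisory describes.
SAMPLE_CONFIG = {
    "users": [
        {"name": "admin", "role": "admin", "two_factor": True},
        {"name": "svc_unknown", "role": "admin", "two_factor": False},  # not in baseline
        {"name": "alice", "role": "user", "two_factor": True},
    ],
    "services": [
        {"proto": "https", "interface": "wan", "allowed_sources": ["any"]},
        {"proto": "ssh", "interface": "lan", "allowed_sources": ["10.0.0.0/8"]},
    ],
    "firewall_rules": [
        {"id": 1, "from": "wan", "to": "dmz", "action": "allow"},
        {"id": 7, "from": "wan", "to": "lan", "action": "allow"},  # not in baseline
    ],
    "geoip_filter": False,
}


def audit(config, known_admins=KNOWN_ADMINS, known_rules=KNOWN_RULE_IDS,
          trusted=TRUSTED_SOURCES):
    """Return human-readable findings; an empty list means the config is clean."""
    findings = []
    for u in config.get("users", []):
        if u["role"] == "admin" and u["name"] not in known_admins:
            findings.append(f"unknown admin account: {u['name']}")
        if u["role"] == "admin" and not u.get("two_factor", False):
            findings.append(f"admin without 2FA: {u['name']}")
    for s in config.get("services", []):
        if s["interface"] != "wan":
            continue  # only WAN-facing services matter for these checks
        if s["proto"] in ("http", "https"):
            findings.append(f"{s['proto']} management exposed on WAN")
        if not set(s["allowed_sources"]) <= trusted:
            findings.append(f"{s['proto']} on WAN accepts untrusted sources {s['allowed_sources']}")
    for r in config.get("firewall_rules", []):
        if r["from"] == "wan" and r["action"] == "allow" and r["id"] not in known_rules:
            findings.append(f"unknown WAN allow rule id {r['id']} to {r['to']}")
    if not config.get("geoip_filter", False):
        findings.append("GeoIP filtering disabled")
    return findings
```

Running `audit(SAMPLE_CONFIG)` yields six findings for the constructed device; a config with only baseline admins and rules, 2FA on, no WAN-facing management and GeoIP enabled returns an empty list.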

Zero Trust Network Access (ZTNA) could have prevented ALL of that.

ZTNA and VPN – better together

The main problem with having VPN access without ZTNA is that these particularly intelligent hackers were able to bypass the system directly, via the VPN. With ZTNA, they would have had to go through an authentication-first process before gaining access. An extra lock and key, if you like. With VPN only, the hackers were able to quickly bypass the system, leaving the entire network exposed.

So how does ZTNA work exactly?

ZTNA works by separating the identification process from the access event, thereby distancing the VPN’s ‘weak spots’ from the organization. This means that even if a hacker succeeds in bypassing the VPN, they would still need to get through a multi-factor authentication (MFA) component before entry, essentially stopping them in their tracks.

ZoneZero® Zero Trust Network Access (ZTNA) solution

ZoneZero®, Safe-T’s NextGen cloud and on-premises ZTNA solution, ensures that all organizational access use cases, both incoming and outgoing, are fully secured, according to a “validate first, access later” protocol. No one is trusted by default from either inside or outside the network, and verification is required from every identity wishing to gain access to resources on the network or in the cloud. In short –

ZoneZero® helps organizations to adopt more effective security, based on a “never trust, always verify” principle.

The First ever Zero Trust Access Orchestration Platform

Fully transparent and simple to deploy, Safe-T provides an innovative and unique network-centric ability to implement ZTNA within corporate networks.  Working side-by-side and in conjunction with all access points (VPNs and firewalls), identity security solutions and application services, Safe-T’s ZTNA enables seamless integration across all legacy infrastructure and authentication services.

ZoneZero® addresses all remote access requirements and supports the following access scenarios:

Remote access users (non-VPN)

ZoneZero® enables organizations to implement ZTNA and provide secure and transparent access to any internal application, service, and data in parallel or in replacement of an existing VPN. Based on patented reverse-access technology, ZoneZero® is a clientless solution, eliminating the need to open incoming ports in an organization’s firewall for seamless, effective, and secure operations.

VPN users

Powered by patented reverse-access technology, ZoneZero® uniquely enables ZTNA on existing VPN infrastructures through application-layer policy monitoring and enforcement, MFA integration with any application or service for continuous authentication, and true separation of the data plane and control plane – all on top of existing infrastructure.

Internal network users

ZoneZero® also operates as a ZTNA solution for internal users, providing identity-based segmentation and multi-factor authentication for any internal application for secure access control in addition to supporting both non-web protocols and legacy infrastructure. With ZoneZero®, organizations can easily integrate multi-factor authentication and continuous identity verification for all applications.

Dafna Lipowicz

VP of Human Resources

In her role, Dafna leads all HR activities at Safe-T, including partnering with the management team to advance and support the company vision and strategy, developing strategic HR plans and policies (training, compensation and benefits, etc.), organizational and management development, and recruitment and welfare. Dafna brings to Safe-T more than 17 years of experience in various HR managerial roles in global, complex organizations as well as in growing start-ups (such as SanDisk, Logic Industries and Mantis Vision), specializing in establishing and leading HR departments, initiating and building organizational development in line with company strategy, management consulting, talent management and recruitment. Dafna holds both an LLB and an MA in Labor Studies from Tel Aviv University. She is also a certified mediator and group facilitator.
