A new ransomware threat dubbed “Helldown” has emerged, actively exploiting vulnerabilities in Zyxel firewall devices to breach corporate networks.
Cybersecurity researchers have uncovered evidence linking the Helldown ransomware group to a series of attacks targeting Zyxel firewalls, particularly those using IPSec VPN for remote access.
The primary vulnerability being exploited is CVE-2024-11667, a directory traversal flaw in the web management interface of Zyxel ZLD firewall firmware versions 5.00 through 5.38.
This high-severity vulnerability, with a CVSS score of 7.5, allows attackers to download or upload files through crafted URLs, potentially leading to unauthorized access and system compromise.
[Figure: Evidence of Mullvad VPN, NordVPN and ExpressVPN being used by the threat actor (Source – Yarix)]
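The flaw described above is a directory traversal: a request path that, once decoded and resolved, lands outside the directory the web interface is meant to serve. The following is an added example, not code from the article, Yarix or Zyxel. It shows the root-escape check a file-serving handler needs before opening a requested path, and runs it over constructed access-log lines to flag requests that tried to leave the web root. The article does not publish the request used against CVE-2024-11667, so the paths and the `/var/www` root are illustrative assumptions, not that exploit.

```python
"""Added example (not from the article, Yarix or Zyxel): a web-root escape
check run over constructed access-log lines. Paths and root are illustrative."""
import posixpath
import re
from urllib.parse import unquote

WEB_ROOT = "/var/www"   # assumed document root for the check

# Common Log Format; only the request path and status are used here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
)


def decode_request_path(raw_path: str) -> str:
    """Strip the query string, percent-decode until stable (catches double
    encoding such as %252e), and fold backslashes into forward slashes."""
    path = raw_path.split("?", 1)[0]
    for _ in range(4):            # bounded loop: stop at the fixpoint
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def resolve_under_root(raw_path: str, root: str = WEB_ROOT) -> str:
    """Join the decoded path onto the root and collapse '.' and '..'
    lexically, the same way the filesystem would resolve it."""
    rel = decode_request_path(raw_path).lstrip("/")
    return posixpath.normpath(posixpath.join(root, rel))


def escapes_root(raw_path: str, root: str = WEB_ROOT) -> bool:
    """True when the resolved path leaves the document root. '..' inside the
    root and '..' within a file name are both legitimate; only the resolved
    location matters, so a naive '..' substring check is both too strict
    (false positives) and too weak (misses encoded forms)."""
    resolved = resolve_under_root(raw_path, root)
    root = root.rstrip("/")
    return not (resolved == root or resolved.startswith(root + "/"))


def find_traversal_requests(lines):
    """Return (ip, method, path, status) for every request whose path
    resolves outside the web root. A 2xx status on such a request means
    the server actually served the file and warrants incident review."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and escapes_root(m["path"]):
            hits.append((m["ip"], m["method"], m["path"], int(m["status"])))
    return hits


# Constructed sample lines (TEST-NET addresses, illustrative paths).
LOG_LINES = [
    '203.0.113.5 - - [19/Nov/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [19/Nov/2024:10:01:03 +0000] "GET /assets/..%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1843',
    '198.51.100.7 - - [19/Nov/2024:10:02:10 +0000] "GET /docs/../index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [19/Nov/2024:10:02:11 +0000] "GET /static/release..notes.txt HTTP/1.1" 404 0',
    '203.0.113.5 - - [19/Nov/2024:10:03:40 +0000] "GET /%252e%252e/%252e%252e/opt/config.xml HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for hit in find_traversal_requests(LOG_LINES):
        print("traversal attempt:", hit)
```

Two of the five constructed lines resolve outside the root; the `/docs/../index.html` and `release..notes.txt` requests do not, which is why the check is made on the resolved location rather than on the presence of `..`. The repeated decoding matters because a single `unquote` would leave `%252e%252e` looking harmless.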
Helldown operators have demonstrated sophisticated tactics, leveraging both Windows and Linux variants of their ransomware.
Yarix analysts discovered that the Windows version, derived from the LockBit 3.0 code, employs advanced techniques such as deleting shadow copies and terminating critical processes before encryption.
The Linux variant, while less sophisticated, is designed to target VMware ESXi servers, shutting down virtual machines prior to encryption.
Attack chain
The attack chain typically begins with exploiting Zyxel firewall vulnerabilities for initial access.
[Figure: Evidence of firewall policies added by the threat actor (Source – Yarix)]
Once inside, the threat actors create malicious user accounts and utilize tools like Mimikatz for credential dumping. They then move laterally within the network using RDP and other remote access tools.
Helldown’s double extortion strategy involves exfiltrating large volumes of sensitive data before encrypting files.
Victims are threatened with data leaks on the group’s dark web portal if ransoms are not paid. The ransomware has claimed at least 31 victims since August 2024, primarily targeting small to medium-sized businesses in the United States and Europe.
The Helldown ransomware employs XML-based configurations to guide its encryption tasks, demonstrating a structured approach to targeting data.
In its Windows variant, the malware utilizes hardcoded keys and performs administrator privilege checks, likely to ensure maximum impact and access.
Notably, the Linux version operates offline, showing no observed network communication, which may help it evade detection.
Additionally, Helldown possesses the capability to terminate virtual machine processes prior to initiating encryption, potentially evading security measures and sandbox environments.
Zyxel has acknowledged the attacks and released patches addressing CVE-2024-11667 and other vulnerabilities in firmware version 5.39 on September 3, 2024.
However, some organizations were compromised even after applying patches, likely because administrative passwords were not changed and newly created accounts were not checked for after patching.
To mitigate the threat, organizations using Zyxel firewalls are strongly advised to:
Immediately update firmware to version 5.39 or later
Change all administrative passwords
Disable remote management access when not required
Implement strong network segmentation
Monitor for suspicious account creation and lateral movement activities
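The account creation, RDP lateral movement and shadow-copy deletion described in the attack chain above all leave host-side traces in the Windows Security log, which is where the last mitigation step has to be implemented in practice (the Linux variant operates offline, so network telemetry alone will not surface it). The following is an added example, not code from the article or Yarix, that correlates those events over a constructed sample: it tracks accounts created during the log window (event 4720), flags when such an account is added to a local group (4732) or logs on over RDP (4624 with logon type 10), and flags process creation (4688) whose command line removes shadow copies. The event IDs are the real Windows Security IDs, but the pipe-delimited text form, the host names and the 24-hour correlation window are assumptions made for the example.

```python
"""Added example (not from the article or Yarix): host-based detection of
new-account creation, RDP use of the new account, and shadow-copy deletion,
run over constructed Windows Security events. Real event IDs, but a
simplified pipe-delimited text form instead of EVTX/XML."""
import re
from datetime import datetime, timedelta

# Commands that remove Volume Shadow Copies; standard T1490 detection content.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]


def parse_event(line: str) -> dict:
    """'<ISO timestamp>|<EventID>|Key=Value|Key=Value...' -> dict."""
    ts, event_id, *fields = line.strip().split("|")
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "id": int(event_id)}
    event.update(f.split("=", 1) for f in fields)
    return event


def _recently_created(created: dict, user: str, now: datetime, window: timedelta) -> bool:
    return user in created and now - created[user] <= window


def detect_suspicious_activity(lines, window=timedelta(hours=24)):
    """Return (rule, account, computer, timestamp) alerts, in time order.
    Accounts that already existed before the log window never trigger the
    account rules, so ordinary administrator RDP sessions stay quiet."""
    created = {}        # account name -> creation time (from 4720)
    alerts = []
    for ev in sorted(map(parse_event, lines), key=lambda e: e["ts"]):
        if ev["id"] == 4720:                                    # user account created
            user = ev["TargetUserName"]
            created[user] = ev["ts"]
            alerts.append(("new_account_created", user, ev["Computer"], ev["ts"]))
        elif ev["id"] == 4732:                                  # member added to local group
            member = ev.get("MemberName", "").rsplit("\\", 1)[-1]   # strip DOMAIN\ prefix
            if _recently_created(created, member, ev["ts"], window):
                alerts.append(("new_account_added_to_group", member, ev["Computer"], ev["ts"]))
        elif ev["id"] == 4624 and ev.get("LogonType") == "10":  # RemoteInteractive (RDP)
            user = ev["TargetUserName"]
            if _recently_created(created, user, ev["ts"], window):
                alerts.append(("new_account_rdp_logon", user, ev["Computer"], ev["ts"]))
        elif ev["id"] == 4688:                                  # process creation
            cmd = ev.get("CommandLine", "")
            if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
                alerts.append(("shadow_copy_deletion", ev.get("SubjectUserName", "?"),
                               ev["Computer"], ev["ts"]))
    return alerts


# Constructed sample events: an existing admin (jsmith) creates svc_update,
# adds it to Administrators, and that account is then used over RDP on a
# second host where shadow copies are deleted. jsmith's own RDP session at
# the end is normal activity and must not alert.
EVENTS = [
    "2024-11-19T09:58:12Z|4624|TargetUserName=jsmith|LogonType=2|IpAddress=-|Computer=WS-0142",
    "2024-11-19T10:03:41Z|4720|SubjectUserName=jsmith|TargetUserName=svc_update|Computer=WS-0142",
    "2024-11-19T10:04:02Z|4732|SubjectUserName=jsmith|MemberName=WS-0142\\svc_update"
    "|TargetUserName=Administrators|Computer=WS-0142",
    "2024-11-19T10:09:55Z|4624|TargetUserName=svc_update|LogonType=10|IpAddress=10.20.0.14|Computer=FS-01",
    "2024-11-19T10:12:30Z|4688|SubjectUserName=svc_update"
    "|NewProcessName=C:\\Windows\\System32\\vssadmin.exe"
    "|CommandLine=vssadmin.exe delete shadows /all /quiet|Computer=FS-01",
    "2024-11-19T10:15:00Z|4624|TargetUserName=jsmith|LogonType=10|IpAddress=10.20.0.9|Computer=FS-01",
]

if __name__ == "__main__":
    for rule, account, host, ts in detect_suspicious_activity(EVENTS):
        print(f"{ts.isoformat()} {host:8} {rule:26} {account}")
```

The point of keeping the `created` table is the baseline: a brand-new account appearing in a group change or an RDP logon within hours of its creation is far more specific than alerting on every RDP logon, which is exactly the signal the article's advice to "check for newly created accounts" is after. On a real estate the same logic would be fed from the EVTX-derived fields of a SIEM rather than the text form used here.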