Helldown Ransomware Group Tied to Zyxel's Firewall Exploits
bankinfosecurity
Firewall Vendor Warns Attackers Using Valid Credentials They Previously Stole
Akshaya Asokan (asokan_akshaya), Mathew J. Schwartz (euroinfosec) • November 19, 2024
Attackers wielding an emerging strain of ransomware called Helldown have been gaining a foothold in victims' networks by exploiting Zyxel firewalls, security researchers warn.
The Helldown operation has claimed 31 victims over the past three months, largely by using a Windows version of its crypto-locking malware, together with a data-leak site where it attempts to name and shame victims, French cybersecurity software company Sekoia said Tuesday.
Tactics tied to the ransomware group have included targeting a previously unknown flaw in Zyxel ATP firewalls, tracked as CVE-2024-42057.
"Compromising firewalls or VPN gateways is a common entry technique for ransomware groups, as it provides a foothold to an organization's systems through equipment that is often poorly monitored and ...
Copyright of this story solely belongs to bankinfosecurity.