Cyber Security News

Helldown Ransomware Exploiting Zyxel Devices Using Zero-Day Vulnerability

A new ransomware threat dubbed “Helldown” has emerged, actively exploiting vulnerabilities in Zyxel firewall devices to breach corporate networks.

Cybersecurity researchers have uncovered evidence linking the Helldown ransomware group to a series of attacks targeting Zyxel firewalls, particularly those using IPSec VPN for remote access.

Evidence of Mullvad VPN being used (Source – Yarix)

The primary vulnerability being exploited is CVE-2024-11667, a directory traversal flaw in the web management interface of Zyxel ZLD firewall firmware versions 5.00 through 5.38.

Evidence of Nord VPN being used (Source – Yarix)
Evidence of Express VPN being used (Source – Yarix)

This high-severity vulnerability, with a CVSS score of 7.5, allows attackers to download or upload files through crafted URLs, potentially leading to unauthorized access and system compromise.
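The article describes the flaw only as path traversal through "crafted URLs". The following added example (not code from the article, from Yarix or from Zyxel) shows the defender-side check a web-management log reviewer would want: percent-decode each requested path (including double encoding) and flag any request whose `..` segments climb above the web root. The access-log lines and the `/cgi-bin/...` paths are constructed placeholders, not Zyxel's real endpoints or log format.

```python
"""Flag HTTP requests whose path tries to escape the web root (directory traversal).

Added illustration: the log lines below are constructed and the management
interface paths are placeholders, not Zyxel's real endpoints or log layout.
"""
import re
from urllib.parse import unquote

# Constructed access-log lines: client, method, raw request path, protocol, status
SAMPLE_LOG = [
    '203.0.113.10 GET /cgi-bin/app/config HTTP/1.1 200',
    '203.0.113.10 GET /cgi-bin/app/../../../etc/passwd HTTP/1.1 200',
    '198.51.100.7 GET /cgi-bin/app/..%2f..%2f..%2fetc%2fshadow HTTP/1.1 404',
    '198.51.100.7 POST /cgi-bin/upload/..%252f..%252f..%252fconfig HTTP/1.1 200',
    '192.0.2.44 GET /images/logo..png HTTP/1.1 200',
]

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) HTTP/\S+ (\d{3})$')


def normalize_path(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (catches double encoding) and unify separators."""
    decoded = raw
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace('\\', '/')


def escapes_root(path: str) -> bool:
    """True if the '..' segments ever climb above the web root.

    A literal '..' inside a file name (e.g. 'logo..png') is not a traversal,
    so the check works on whole path segments rather than on substrings.
    """
    depth = 0
    for seg in path.split('/'):
        if seg == '..':
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ('', '.'):
            depth += 1
    return False


def find_traversal_attempts(lines):
    """Return one record per log line whose decoded path escapes the web root."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed layout
        client, method, raw_path, status = m.groups()
        if escapes_root(normalize_path(raw_path)):
            hits.append({'client': client, 'method': method,
                         'path': raw_path, 'status': int(status)})
    return hits


if __name__ == '__main__':
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit)
```

Note that the status code is kept in each hit: a 200 on a traversal request deserves far more attention than a 404, because it suggests the device actually served the file.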

Helldown operators have demonstrated sophisticated tactics, leveraging both Windows and Linux variants of their ransomware.

Yarix analysts discovered that the Windows version, derived from the LockBit 3.0 code, employs advanced techniques such as deleting shadow copies and terminating critical processes before encryption.

The Linux variant, while less sophisticated, is designed to target VMware ESXi servers, shutting down virtual machines prior to encryption.


Attack chain

The attack chain typically begins with exploiting Zyxel firewall vulnerabilities for initial access.

Evidence of firewall policies added by the threat actor (Source – Yarix)

Once inside, the threat actors create malicious user accounts and utilize tools like Mimikatz for credential dumping. They then move laterally within the network using RDP and other remote access tools.

Helldown’s double extortion strategy involves exfiltrating large volumes of sensitive data before encrypting files.

Victims are threatened with data leaks on the group’s dark web portal if ransoms are not paid. The ransomware has claimed at least 31 victims since August 2024, primarily targeting small to medium-sized businesses in the United States and Europe.

The Helldown ransomware employs XML-based configurations to guide its encryption tasks, demonstrating a structured approach to targeting data.

In its Windows variant, the malware utilizes hardcoded keys and performs administrator privilege checks, likely to ensure maximum impact and access.

Notably, the Linux version operates offline, showing no observed network communication, which may help it evade detection.

Additionally, Helldown possesses the capability to terminate virtual machine processes prior to initiating encryption, potentially evading security measures and sandbox environments.

Zyxel has acknowledged the attacks and released patches addressing CVE-2024-11667 and other vulnerabilities in firmware version 5.39 on September 3, 2024.

However, some organizations were compromised even after applying patches, likely due to failure to change administrative passwords or check for newly created accounts.

To mitigate the threat, organizations using Zyxel firewalls are strongly advised to:

  1. Immediately update firmware to version 5.39 or later
  2. Change all administrative passwords
  3. Disable remote management access when not required
  4. Implement strong network segmentation
  5. Monitor for suspicious account creation and lateral movement activities
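The attack chain above (malicious user accounts created after initial access, then lateral movement over RDP) and mitigation step 5 both come down to the same correlation. The following added example (not code from the article or from Yarix) implements it over constructed Windows Security events: an account created (event 4720), optionally added to the local Administrators group (event 4732), and then used for RemoteInteractive logons (event 4624 with logon type 10, i.e. RDP) on other hosts within a 24-hour window. The host names, account names, IPs and timestamps are constructed; the field layout is a simplified stand-in for the real event records.

```python
"""Correlate new-account creation with subsequent RDP logons (lateral movement).

Added example with constructed records. The event IDs are the real Windows
Security log IDs (4720 user created, 4732 member added to a local group,
4624 logon, logon type 10 = RemoteInteractive/RDP); the record layout is a
simplified stand-in for the real event fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events; times are ISO-8601 strings
SAMPLE_EVENTS = [
    {'time': '2024-10-02T01:12:03', 'id': 4720, 'host': 'FW-JUMP01',
     'subject': 'admin', 'target': 'svc_backup2'},
    {'time': '2024-10-02T01:12:40', 'id': 4732, 'host': 'FW-JUMP01',
     'subject': 'admin', 'target': 'svc_backup2', 'group': 'Administrators'},
    {'time': '2024-10-02T01:20:15', 'id': 4624, 'host': 'FILESRV01',
     'target': 'svc_backup2', 'logon_type': 10, 'src_ip': '10.0.5.23'},
    {'time': '2024-10-02T01:25:50', 'id': 4624, 'host': 'ESXI-MGMT',
     'target': 'svc_backup2', 'logon_type': 10, 'src_ip': '10.0.5.23'},
    # Normal account provisioning: created, first RDP use a week later
    {'time': '2024-10-02T09:00:00', 'id': 4720, 'host': 'DC01',
     'subject': 'hr_admin', 'target': 'jdoe'},
    {'time': '2024-10-09T09:30:00', 'id': 4624, 'host': 'WS-042',
     'target': 'jdoe', 'logon_type': 10, 'src_ip': '10.0.9.4'},
    # Network logon (type 3) by an existing account: not RDP, not new
    {'time': '2024-10-02T08:00:00', 'id': 4624, 'host': 'FILESRV01',
     'target': 'alice', 'logon_type': 3, 'src_ip': '10.0.1.9'},
]


def parse_time(s: str) -> datetime:
    return datetime.fromisoformat(s)


def correlate_new_account_rdp(events, window=timedelta(hours=24)):
    """Return one alert per RDP logon by an account created within `window`."""
    events = sorted(events, key=lambda e: parse_time(e['time']))
    created = {}        # account -> (creation time, host where it was created)
    admin_added = set() # accounts added to the local Administrators group
    alerts = []
    for e in events:
        t = parse_time(e['time'])
        if e['id'] == 4720:
            created[e['target']] = (t, e['host'])
        elif e['id'] == 4732 and e.get('group') == 'Administrators':
            admin_added.add(e['target'])
        elif e['id'] == 4624 and e.get('logon_type') == 10:
            acct = e['target']
            if acct in created and t - created[acct][0] <= window:
                age = t - created[acct][0]
                alerts.append({
                    'account': acct,
                    'created_on': created[acct][1],
                    'rdp_to': e['host'],
                    'from_ip': e['src_ip'],
                    'minutes_after_creation': round(age.total_seconds() / 60, 1),
                    'admin': acct in admin_added,
                })
    return alerts


def hosts_reached(alerts):
    """Group alerts by account and list the distinct hosts it reached over RDP."""
    spread = defaultdict(set)
    for a in alerts:
        spread[a['account']].add(a['rdp_to'])
    return {acct: sorted(hosts) for acct, hosts in spread.items()}


if __name__ == '__main__':
    found = correlate_new_account_rdp(SAMPLE_EVENTS)
    for a in found:
        print(a)
    print(hosts_reached(found))
```

The 24-hour window is an assumption chosen for the example; a fresh account reaching several servers over RDP within minutes of creation, and already sitting in Administrators, is the pattern worth paging on, while the week-old `jdoe` account is ordinary provisioning and is deliberately left out.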


Tushar Subhra Dutta

