Man
Cyber extortionists are paving a new path into corporate networks.
A new ransomware operation called Helldown is gaining momentum, and experts believe it is exploiting vulnerabilities in Zyxel firewalls to infiltrate corporate networks. According to the French company Sekoia, such attacks allow criminals to encrypt devices and steal data.
Since its launch in the summer of 2024, Helldown has been rapidly expanding the list of victims by publishing data about companies on its portal. To date, there are 28 victims, mainly small and medium-sized organizations from the United States and Europe.
Helldown was first documented by Cyfirma researchers on August 9, and later investigated by Cyberint in October. Of interest is the Linux version of the program, which targets VMware files. Its functionality is still only partially active, which suggests it is still under development.
The Windows version of Helldown, according to Sekoia, is based on the LockBit 3 leak and shares similarities with Darkrace and Donex. However, it has not yet been possible to establish a direct connection. Among the key victims is the European division of Zyxel, a provider of network solutions and cybersecurity tools.
Criminals are less selective in their approach to data than other groups, uploading literally everything. One of the leaks included up to 431 GB of information. Helldown encryptors work through command files, which emphasizes their lack of technological complexity.
During the investigation, Sekoia identified the use of the "OKSDW82A" account and the "zzz1.conf" configuration file to attack Zyxel devices with the vulnerable firmware 5.38. CVE-2024-42057, which was patched in September with the release of version 5.39, is believed to have been exploited.
Malware samples associated with Helldown were uploaded in October. Although their code turned out to be incomplete, experts are confident that they are related to the attack on Zyxel. Zyxel has not yet responded to journalists' requests for comment. However, on November 21, the company released a statement assuring that firmware version 5.39 protects against all known threats.
Source
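For anyone running Zyxel firewalls, the practical takeaway from the post is a two-part check: is the firmware still on 5.38 (or older) rather than the 5.39 release that fixes CVE-2024-42057, and does the device show the indicators Sekoia reported (the "OKSDW82A" account and the "zzz1.conf" file). The script below is an added example, not code from the post, Sekoia or Zyxel. It assumes Zyxel firmware strings look like "V5.38(ABPS.0)" and only uses the leading major.minor; the device inventory is constructed sample data, and the model code in parentheses is made up. It treats any firmware below 5.39 as needing attention because the post states that 5.39 protects against the known threats, and it ranks an indicator hit above patch status, since updating firmware does not remove an account an intruder already created.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# From the post: firmware 5.38 was being exploited, 5.39 fixed CVE-2024-42057,
# and Sekoia observed the "OKSDW82A" account and "zzz1.conf" on attacked devices.
FIXED_VERSION = (5, 39)
IOC_ACCOUNTS = {"OKSDW82A"}
IOC_FILES = {"zzz1.conf"}

# Assumption: Zyxel version strings look like "V5.38(ABPS.0)"; only the leading
# major.minor is parsed. A bare "5.38" is accepted too.
_VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)")


def parse_firmware_version(raw: str) -> tuple[int, int]:
    """Return (major, minor) from a firmware string; raise on unparseable input."""
    m = _VERSION_RE.match(raw.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {raw!r}")
    return int(m.group(1)), int(m.group(2))


def is_unpatched(raw: str) -> bool:
    """True when the firmware predates the 5.39 fix named in the post."""
    return parse_firmware_version(raw) < FIXED_VERSION


@dataclass
class Device:
    name: str
    firmware: str
    accounts: list[str]   # local admin/user accounts configured on the box
    files: list[str]      # paths found in the device's config storage


@dataclass
class Finding:
    device: str
    unpatched: bool
    ioc_accounts: list[str] = field(default_factory=list)
    ioc_files: list[str] = field(default_factory=list)

    @property
    def priority(self) -> str:
        # An indicator hit outranks patch status: a patched box can still be
        # compromised if the attacker's account was created before the update.
        if self.ioc_accounts or self.ioc_files:
            return "compromise-suspected"
        if self.unpatched:
            return "patch-now"
        return "ok"


def triage(devices: list[Device]) -> list[Finding]:
    """Sort a fleet into compromise-suspected / patch-now / ok."""
    results = []
    for d in devices:
        f = Finding(device=d.name, unpatched=is_unpatched(d.firmware))
        # Exact match on the reported account name.
        f.ioc_accounts = [a for a in d.accounts if a in IOC_ACCOUNTS]
        # Match on the file's basename so any directory prefix is tolerated.
        f.ioc_files = [p for p in d.files if p.rsplit("/", 1)[-1] in IOC_FILES]
        results.append(f)
    return results


# Constructed sample inventory (hostnames, paths and model code are invented).
SAMPLE_INVENTORY = [
    Device("fw-branch-01", "V5.38(ABPS.0)", ["admin", "OKSDW82A"],
           ["/conf/zzz1.conf", "/conf/startup-config.conf"]),
    Device("fw-branch-02", "V5.38(ABPS.0)", ["admin"],
           ["/conf/startup-config.conf"]),
    Device("fw-hq-01", "V5.39(ABPS.0)", ["admin"],
           ["/conf/startup-config.conf"]),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(f"{finding.device}: {finding.priority} "
              f"(unpatched={finding.unpatched}, accounts={finding.ioc_accounts}, "
              f"files={finding.ioc_files})")
```

Feed it the real account list and config directory listing exported from each firewall rather than the sample data. A device that comes back "patch-now" with no indicators is still exposed until it is on 5.39; one that comes back "compromise-suspected" should be treated as an incident regardless of its firmware level.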