Zyxel vulnerability exploited by 'Helldown' ransomware group
Jan. 22, 2025, 9:46 a.m.
Description
The article details a cybersecurity incident where the "Helldown" ransomware group exploited a vulnerability in Zyxel firewall devices. The attackers gained administrator access to the firewall console, collected domain credentials, and compromised the infrastructure. They used VPN services to mask their origin and created additional users for persistent access. The threat actors employed tools like Advanced IP Scanner and Mimikatz for network discovery and credential theft. Multiple ransomware variants were deployed, encrypting both Windows and ESXi systems. The attack methodology included manual commands on the ESXi server to terminate VM processes before encryption. The article provides a comprehensive breakdown of the attack chain, including IP addresses, malware files, and MITRE ATT&CK techniques used by the Helldown group.
Tags
Date
- Created: Jan. 22, 2025, 9:10 a.m.
- Published: Jan. 22, 2025, 9:10 a.m.
- Modified: Jan. 22, 2025, 9:46 a.m.
Attack Patterns
- LB3.exe
- e_win.exe
- enc-esxi
- Advanced IP Scanner
- Mimikatz
- Helldown
- T1078.001
- T1021.002
- T1136.001
- T1078.002
- T1021.001
- T1053.005
- T1490
- T1018
- T1059.004
- T1070.004
- T1486
- T1105
- T1570
- T1098
- T1190
- T1003
Additional Information
- Singapore
- Italy