Multiple distributed denial-of-service (DDoS) botnets are targeting a vulnerability in Zyxel firewalls for which patches have been available since April, cybersecurity firm Fortinet reports.
Tracked as CVE-2023-28771 (CVSS score of 9.8), the issue is described as an improper error message handling bug leading to the remote execution of OS commands.
In April, Zyxel released ATP, USG FLEX, and VPN firmware version 5.36 and ZyWALL/USG firmware version 4.73 Patch 1 to patch the flaw. In early June, the manufacturer urged customers to update their firewalls, after a Mirai botnet variant was seen exploiting the bug in attacks.
Following the public release of a Metasploit module exploiting this vulnerability in June, malicious activity targeting the flaw has increased, with several DDoS botnets adding a CVE-2023-28771 exploit to their arsenal.
“These attacks specifically target the command injection vulnerability in the Internet Key Exchange (IKE) packet transmitted over UDP on Zyxel devices. The attackers utilize tools such as curl or wget to download scripts for further actions,” Fortinet says.
Originating from several distinct IP addresses, the observed attacks rely on scripts tailored for the MIPS architecture. The identified execution files, however, have been frequently updated, but display various similarities.
“It appears that this campaign utilized multiple servers to launch attacks and updated itself within a few days to maximize the compromise of Zyxel devices,” Fortinet says.
Some of the botnets seen engaging in this malicious activity include Dark.IoT, which has been around since 2021, a Mirai variant, and a third DDoS-capable botnet that was updated at the end of June and which Fortinet linked to a Telegram group called “SHINJI.APP | Katana botnet”.
“The presence of exposed vulnerabilities in devices can lead to significant risks. Once an attacker gains control over a vulnerable device, they can incorporate it into their botnet, enabling them to execute additional attacks, such as DDoS,” Fortinet points out.
Related: CISA Says Critical Zyxel NAS Vulnerability Exploited in Attacks
Related: Zyxel Patches Critical Vulnerability in NAS Firmware
Related: AndoryuBot DDoS Botnet Exploiting Ruckus AP Vulnerability
