Multiple distributed denial-of-service (DDoS) botnets are targeting a vulnerability in Zyxel firewalls for which patches have been available since April, cybersecurity firm Fortinet reports.
Tracked as CVE-2023-28771 (CVSS score of 9.8), the issue is described as an improper error message handling bug leading to the remote execution of OS commands.
In April, Zyxel released ATP, USG FLEX, and VPN firmware version 5.36 and ZyWALL/USG firmware version 4.73 Patch 1 to patch the flaw. In early June, the manufacturer urged customers to update their firewalls, after a Mirai botnet variant was seen exploiting the bug in attacks.
Following the public release of a Metasploit module exploiting this vulnerability in June, malicious activity targeting the flaw has increased, with several DDoS botnets adding a CVE-2023-28771 exploit to their arsenal.
“These attacks specifically target the command injection vulnerability in the Internet Key Exchange (IKE) packet transmitted over UDP on Zyxel devices. The attackers utilize tools such as curl or wget to download scripts for further actions,” Fortinet says.
Originating from several distinct IP addresses, the observed attacks rely on scripts tailored for the MIPS architecture. The identified execution files, however, have been frequently updated, but display various similarities.
“It appears that this campaign utilized multiple servers to launch attacks and updated itself within a few days to maximize the compromise of Zyxel devices,” Fortinet says.
Some of the botnets seen engaging in this malicious activity include Dark.IoT, which has been around since 2021, a Mirai variant, and a third DDoS-capable botnet that was updated at the end of June and which Fortinet linked to a Telegram group called “SHINJI.APP | Katana botnet”.
“The presence of exposed vulnerabilities in devices can lead to significant risks. Once an attacker gains control over a vulnerable device, they can incorporate it into their botnet, enabling them to execute additional attacks, such as DDoS,” Fortinet points out.
Related: CISA Says Critical Zyxel NAS Vulnerability Exploited in Attacks
Related: Zyxel Patches Critical Vulnerability in NAS Firmware
Related: AndoryuBot DDoS Botnet Exploiting Ruckus AP Vulnerability
More from Ionut Arghire
- Generative AI Startup Nexusflow Raises $10.6 Million
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
- Cloudflare Users Exposed to Attacks Launched From Within Cloudflare: Researchers
- FBI Warns Organizations of Dual Ransomware, Wiper Attacks
- Lumu Raises $30 Million for Threat Detection and Response Platform
- Cisco Warns of IOS Software Zero-Day Exploitation Attempts
- Russian Zero-Day Acquisition Firm Offers $20 Million for Android, iOS Exploits
Latest News
- Bankrupt IronNet Shuts Down Operations
- AWS Using MadPot Decoy System to Disrupt APTs, Botnets
- Generative AI Startup Nexusflow Raises $10.6 Million
- In Other News: RSA Encryption Attack, Meta AI Privacy, ShinyHunters Hacker Guilty Plea
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- National Security Agency is Starting an Artificial Intelligence Security Center
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
