Monday, June 24, 2024

DDoS Botnets Exploiting Critical Flaw in Zyxel Devices Worldwide

Multiple DDoS Botnets Target Zyxel Devices, Experts Warn

Security researchers at Fortinet FortiGuard Labs have issued a serious warning about the increasing threat posed by various DDoS botnets, all taking advantage of a critical vulnerability in multiple Zyxel firewalls.

CVE-2023-28771: A High-Risk Command Injection Vulnerability

The vulnerability, designated as CVE-2023-28771 with a CVSS score of 9.8, represents a command injection flaw capable of allowing unauthorized attackers to execute arbitrary code on vulnerable Zyxel devices.

Vulnerable Firmware Versions and Attack Method

The flaw arises due to improper error message handling in several firmware versions, including ZyWALL/USG series, VPN series, USG FLEX series, and ATP series firmware. Cybercriminals can remotely trigger this vulnerability by sending specially crafted packets to the affected devices.

Zyxel’s Response and CISA’s Inclusion

Zyxel has taken action to address the vulnerability and issued patches to its customers in late April. The United States Cybersecurity and Infrastructure Security Agency (CISA) has acknowledged the severity of this flaw by adding it to its Known Exploited Vulnerability Catalog.

Ongoing Exploitation and Mirai-Based Botnets

Rapid7 researchers have confirmed ongoing exploitation of CVE-2023-28771, with at least 42,000 instances of Zyxel devices exposed on the public internet as of May 19. This number is likely higher, as the vulnerability affects devices with default settings.

The Rampant Use of Mirai-Like Botnets

The vulnerability has become a prime target for building Mirai-like botnets, which are actively recruiting vulnerable Zyxel devices. Experts from Shadowserver have also observed the issue being exploited to build such botnets.

Global Attacks: Regions at Risk

Fortinet experts have observed attacks happening in various regions worldwide, including:

  • Central America
  • North America
  • East Asia
  • South Asia

The malicious activity has surged significantly since the exploit module’s publication.

Specific Targeting and Customized DDoS Attacks

Attackers are specifically targeting the command injection flaw by transmitting the payload in Internet Key Exchange (IKE) packets over UDP to Zyxel devices. They then use tools like curl or wget to download scripts for further malicious actions, indicating highly targeted activity.
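The two observable traits described above (an IKE packet arriving over UDP from an unexpected source, followed by the firewall itself launching curl or wget to fetch something) can be correlated in logs. The following is an added detection example written for this article, not code from Fortinet, Rapid7 or Zyxel; the log layout, addresses and the known-peer allowlist are constructed for the example and do not reflect Zyxel's real log format.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines in a generic syslog-like layout (not Zyxel's own format).
# 198.51.100.2 is the firewall's WAN address; 192.0.2.10 is a legitimate VPN peer.
SAMPLE_LOGS = """\
2024-06-24T10:00:01 IN  udp 203.0.113.7:500 -> 198.51.100.2:500 ike
2024-06-24T10:00:02 OUT tcp 198.51.100.2:44321 -> 203.0.113.9:80 proc=wget
2024-06-24T10:05:00 IN  udp 192.0.2.10:500 -> 198.51.100.2:500 ike
2024-06-24T10:06:00 OUT tcp 198.51.100.2:44400 -> 192.0.2.50:443 proc=firmware-updater
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dir>IN|OUT)\s+(?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?: (?P<extra>.*))?$"
)

KNOWN_IKE_PEERS = {"192.0.2.10"}   # hypothetical allowlist of expected IKE peers
DOWNLOADERS = {"curl", "wget"}      # tools the report says attackers use to fetch scripts
WINDOW = timedelta(seconds=60)      # how soon after the IKE packet a fetch is suspicious

def parse(log_text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events

def find_suspicious_ike(events, firewall_ip):
    """Return (peer, tool, seconds) for each IKE packet from an unlisted peer that is
    followed within WINDOW by the firewall itself spawning curl/wget outbound."""
    alerts = []
    ike_hits = [e for e in events
                if e["dir"] == "IN" and e["proto"] == "udp" and e["dport"] in (500, 4500)
                and e["dst"] == firewall_ip and e["src"] not in KNOWN_IKE_PEERS]
    for ike in ike_hits:
        for e in events:
            proc = (e.get("extra") or "").removeprefix("proc=")
            delta = e["ts"] - ike["ts"]
            if (e["dir"] == "OUT" and e["src"] == firewall_ip and proc in DOWNLOADERS
                    and timedelta(0) <= delta <= WINDOW):
                alerts.append((ike["src"], proc, int(delta.total_seconds())))
    return alerts
```

Calling `find_suspicious_ike(parse(SAMPLE_LOGS), "198.51.100.2")` flags only the first IKE packet, since the second comes from the allowlisted peer and is followed by an ordinary updater process rather than curl or wget.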

Katana Botnet Joins the Fray

Apart from the Mirai-based botnets, a botnet called Katana has also been exploiting the flaw. This botnet’s operators are actively maintaining and updating its methods to maximize their control over compromised Zyxel devices.

The Growing Risk to IoT Devices and Linux Servers

The presence of exposed vulnerabilities in Zyxel devices poses significant risks, allowing attackers to incorporate them into their botnets, thereby enabling additional attacks like DDoS assaults. Patching and updates are critical in mitigating this growing threat.
