Multiple DDoS Botnets Target Zyxel Devices, Experts Warn
Security researchers at Fortinet FortiGuard Labs have issued a serious warning about the increasing threat posed by various DDoS botnets, all taking advantage of a critical vulnerability in multiple Zyxel firewalls.
CVE-2023-28771: A High-Risk Command Injection Vulnerability
The vulnerability, designated CVE-2023-28771 with a CVSS score of 9.8, is a command injection flaw that lets unauthorized attackers execute arbitrary code on vulnerable Zyxel devices.
Vulnerable Firmware Versions and Attack Method
The flaw arises due to improper error message handling in several firmware versions, including ZyWALL/USG series, VPN series, USG FLEX series, and ATP series firmware. Cybercriminals can remotely trigger this vulnerability by sending specially crafted packets to the affected devices.
Zyxel’s Response and CISA’s Inclusion
Zyxel has taken action to address the vulnerability and issued patches to its customers in late April. The United States Cybersecurity and Infrastructure Security Agency (CISA) has acknowledged the severity of this flaw by adding it to its Known Exploited Vulnerability Catalog.
Ongoing Exploitation and Mirai-Based Botnets
Rapid7 researchers have confirmed ongoing exploitation of CVE-2023-28771, with at least 42,000 instances of Zyxel devices exposed on the public internet as of May 19. This number is likely higher, as the vulnerability affects devices with default settings.
The Rampant Use of Mirai-Like Botnets
The vulnerability has become a prime target for building Mirai-like botnets, which are actively recruiting vulnerable Zyxel devices. Experts from Shadowserver have also observed the issue being exploited to build such botnets.
Global Attacks: Regions at Risk
Fortinet experts have observed attacks happening in various regions worldwide, including:
- Central America
- North America
- East Asia
- South Asia
The malicious activity has surged significantly since the exploit module’s publication.
Specific Targeting and Customized DDoS Attacks
Attackers are specifically targeting the command injection flaw by delivering the payload in an Internet Key Exchange (IKE) packet over UDP to Zyxel devices. They then use tools such as curl or wget on the compromised device to download scripts for further malicious actions, indicating that the campaign is tailored to these devices.
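The observable pattern described above, inbound IKE traffic followed shortly by the firewall itself fetching a script with curl or wget, lends itself to a simple correlation rule. The following is an added detection example, not code from the original article or from Fortinet, Rapid7 or Zyxel; it runs over a constructed, simplified event log whose pipe-separated format (timestamp, device, direction, protocol, port, detail) is an assumption, so the parser would need adapting to real firewall and host telemetry. Because IKE on UDP/500 is normal for a VPN gateway, the rule does not alert on IKE alone; it raises a high-severity alert only when a curl/wget download follows inbound IKE within a short window, and a medium-severity alert for any curl/wget download from a firewall device regardless of timing.

```python
"""Correlate inbound IKE (UDP/500) traffic with follow-on curl/wget downloads
from the same firewall device.

Added example (not from the original article or any vendor). The event
format below is constructed for illustration; adapt parse_event() to your
own telemetry.
"""
from datetime import datetime, timedelta
import re

# Constructed sample events: timestamp|device|direction|proto|port|detail
SAMPLE_EVENTS = """\
2023-05-20T10:00:01Z|fw-branch-01|in|udp|500|src=198.51.100.23 ike_init
2023-05-20T10:00:07Z|fw-branch-01|out|tcp|80|proc=wget url=http://203.0.113.9/x.sh
2023-05-20T10:05:00Z|fw-branch-02|in|udp|500|src=192.0.2.44 ike_init
2023-05-20T10:30:00Z|fw-branch-02|out|tcp|443|proc=zyxel-update url=https://example.invalid/fw
2023-05-20T11:00:00Z|fw-hq-01|out|tcp|80|proc=curl url=http://203.0.113.9/y.sh
2023-05-20T12:00:00Z|fw-branch-03|in|udp|500|src=198.51.100.23 ike_init
2023-05-20T14:00:00Z|fw-branch-03|out|tcp|80|proc=curl url=http://203.0.113.9/z.sh
"""

IKE_PORT = 500                       # IKE runs over UDP/500 (and UDP/4500 for NAT-T)
DOWNLOADERS = {"curl", "wget"}       # tools the article reports being used post-exploitation
WINDOW = timedelta(minutes=10)       # assumed correlation window; tune to your environment
PROC_RE = re.compile(r"proc=(\S+)")
URL_RE = re.compile(r"url=(\S+)")


def parse_event(line):
    """Split one constructed event line into a dict of typed fields."""
    ts, device, direction, proto, port, detail = line.split("|", 5)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "device": device,
        "direction": direction,
        "proto": proto,
        "port": int(port),
        "detail": detail,
    }


def detect(lines, window=WINDOW):
    """Return alerts for curl/wget downloads initiated by a firewall device.

    Severity is 'high' when the download follows inbound IKE traffic to the
    same device within `window`, otherwise 'medium'.
    """
    last_ike = {}   # device -> timestamp of most recent inbound IKE packet
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_event(line)

        # Remember inbound IKE traffic per device; it is not an alert by itself.
        if ev["direction"] == "in" and ev["proto"] == "udp" and ev["port"] == IKE_PORT:
            last_ike[ev["device"]] = ev["ts"]
            continue

        # Only outbound connections made by curl or wget are of interest.
        proc = PROC_RE.search(ev["detail"])
        if ev["direction"] != "out" or not proc or proc.group(1) not in DOWNLOADERS:
            continue

        url = URL_RE.search(ev["detail"])
        ike_ts = last_ike.get(ev["device"])
        delta = (ev["ts"] - ike_ts) if ike_ts is not None else None
        recent = delta is not None and timedelta(0) <= delta <= window
        alerts.append({
            "device": ev["device"],
            "severity": "high" if recent else "medium",
            "tool": proc.group(1),
            "url": url.group(1) if url else None,
            "seconds_after_ike": delta.total_seconds() if delta is not None else None,
        })
    return alerts


def run_sample():
    """Run the rule over the constructed sample log."""
    return detect(SAMPLE_EVENTS.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the constructed sample, fw-branch-01 produces a high-severity alert (wget six seconds after IKE), fw-hq-01 and fw-branch-03 produce medium-severity alerts (curl with no IKE, or IKE two hours earlier), and fw-branch-02 produces nothing because its outbound fetch comes from an update process rather than curl or wget.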
Katana Botnet Joins the Fray
Apart from the Mirai-based botnets, a botnet called Katana has also been exploiting the flaw. This botnet’s operators are actively maintaining and updating its methods to maximize their control over compromised Zyxel devices.
The Growing Risk to IoT Devices and Linux Servers
The presence of exposed vulnerabilities in Zyxel devices poses significant risks, allowing attackers to incorporate them into their botnets, thereby enabling additional attacks like DDoS assaults. Patching and updates are critical in mitigating this growing threat.