Active Mirai Botnet Variant Exploiting Zyxel Devices for DDoS Attacks

Zyxel Devices for DDoS Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently patched critical security flaw in Zyxel gear to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

Tracked as CVE-2023-28771 (CVSS score: 9.8), the issue relates to a command injection flaw impacting different firewall models that could enable an unauthenticated attacker to execute arbitrary code by sending a specially crafted packet to the device.

Zyxel addressed the security defect as part of updates released on April 25, 2023. The list of impacted devices is below –

  • ATP (versions ZLD V4.60 to V5.35, patched in ZLD V5.36)
  • USG FLEX (versions ZLD V4.60 to V5.35, patched in ZLD V5.36)
  • VPN (versions ZLD V4.60 to V5.35, patched in ZLD V5.36), and
  • ZyWALL/USG (versions ZLD V4.60 to V4.73, patched in ZLD V4.73 Patch 1)

The Shadowserver Foundation, in a recent tweet, said the flaw is “being actively exploited to build a Mirai-like botnet” since May 26, 2023. Cybersecurity firm Rapid7 has also warned of “widespread” in-the-wild abuse of CVE-2023-28771.

In light of this development, it’s imperative that users move quickly to apply the patches to mitigate potential risks. Federal agencies in the U.S. are mandated to update their devices by June 21, 2023.

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Secure Your Seat

The disclosure also comes as Palo Alto Networks Unit 42 detailed a new wave of attacks mounted by an active Mirai botnet variant dubbed IZ1H9 since early April 2023.

The intrusions have been found to leverage multiple remote code execution flaws in internet-exposed IoT devices, including Zyxel, to ensnare them into a network for orchestrating distributed denial-of-service (DDoS) attacks.

It’s worth noting that Mirai has spawned a number of clones ever since its source code was leaked in October 2016.

“IoT devices have always been a lucrative target for threat actors, and remote code execution attacks continue to be the most common and most concerning threats affecting IoT devices and linux servers,” Unit 42 said.

“The vulnerabilities used by this threat are less complex, but this does not decrease their impact, since they could still lead to remote code execution.”



Original Source


 

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee
Patreon

 To keep up to date follow us on the below channels.

join
Telegram
discord
Discord
reddit
Reddit
linkedin
LinkedIn