Zyxel Users Still Hacked by DDoS Botnet Emerges as #1 Public Nuisance

[Image: cartoon of a desktop computer attacked by viruses. Credit: Aurich Lawson/Ars Technica]

Organizations that have yet to patch a 9.8-severity vulnerability in network devices manufactured by Zyxel have become the #1 public nuisance, as a significant number of them continue to be exploited and drawn into botnets that launch DDoS attacks.

Zyxel patched the flaw on April 25. Five weeks later, Shadowserver, an organization that monitors Internet threats in real time, warned that many Zyxel firewalls and VPN servers had been compromised in attacks that showed no signs of stopping. Shadowserver's assessment at the time was: "If you have a vulnerable device exposed, assume a compromise."

On Wednesday, 12 weeks since Zyxel delivered a patch and seven weeks since Shadowserver raised the alarm, security firm Fortinet released a study reporting an increase in exploit activity by multiple threat actors over the past few weeks. As was the case with the active compromises reported by Shadowserver, the attacks overwhelmingly came from variants based on Mirai, an open-source application used by hackers to identify and exploit common vulnerabilities in routers and other Internet of Things devices.

If successful, Mirai integrates the devices into botnets that can potentially launch distributed denial of service attacks of enormous sizes.

Increasing the urgency of patching the Zyxel vulnerability, researchers released exploit code in June that anyone could download and integrate into their own botnet software. Despite the clear and imminent threat, there are still enough vulnerable devices that attacks continue to increase, Fortinet researcher Cara Lin said in Thursday's report. Lin wrote:

Since the release of the exploit module, there has been a sustained increase in malicious activity. Analysis conducted by FortiGuard Labs identified a significant increase in attack bursts starting in May, as shown in the trigger count graph shown in Figure 1. We also identified several botnets, including Dark.IoT, a variant based on Mirai, as well as another botnet that uses custom DDoS attack methods. In this article, we will provide a detailed explanation of the payload delivered via CVE-2023-28771 and related botnets.

Figure 1: Botnet attack activity. Credit: Fortinet

The vulnerability used to compromise Zyxel devices, identified as CVE-2023-28771, is an unauthenticated command injection vulnerability with a severity rating of 9.8. The flaw can be exploited with a specially crafted IKEv2 packet to the device's UDP port 500 to execute malicious code. Zyxel's disclosure of the flaw is here.

CVE-2023-28771 exists in the default configurations of firewall and VPN devices from the manufacturer. They include Zyxel ZyWALL/USG series firmware versions 4.60 to 4.73, VPN series firmware versions 4.60 to 5.35, USG FLEX series firmware versions 4.60 to 5.35, and ATP series firmware versions 4.60 to 5.35.
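The affected-version ranges above are the practical starting point for a defender: every Zyxel device in inventory should be compared against them. The following triage helper is an added example, not code from the article, Zyxel, or Fortinet; it assumes firmware strings look like "V5.35(ABUJ.0)" or "4.73" (a labelled assumption), and treats anything it cannot parse as needing review rather than as safe.

```python
"""Inventory triage for CVE-2023-28771 using the affected ranges stated in the article.

Assumption (not from the article): firmware strings look like 'V5.35(ABUJ.0)' or '4.73'.
Unparseable versions or unknown series are reported as needing review, never as safe.
"""
import re
from typing import Optional

# Affected firmware ranges per product series, inclusive, as listed in the text.
AFFECTED_RANGES = {
    "ZyWALL/USG": ((4, 60), (4, 73)),
    "VPN": ((4, 60), (5, 35)),
    "USG FLEX": ((4, 60), (5, 35)),
    "ATP": ((4, 60), (5, 35)),
}

# Leading 'V' optional, then major.minor; trailing build tags such as '(ABUJ.0)' are ignored.
_VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)")


def parse_version(fw: str) -> Optional[tuple]:
    """Return (major, minor) from a firmware string, or None if it cannot be parsed."""
    m = _VERSION_RE.match(fw.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_affected(series: str, firmware: str) -> Optional[bool]:
    """True if inside the affected range for the series, False if outside,
    None if the series is unknown or the version cannot be evaluated."""
    rng = AFFECTED_RANGES.get(series)
    ver = parse_version(firmware)
    if rng is None or ver is None:
        return None
    lo, hi = rng
    return lo <= ver <= hi  # tuple comparison: (5, 36) > (5, 35)


def triage(inventory):
    """Return names of devices that still need action (affected or undetermined)."""
    return [name for name, series, fw in inventory if is_affected(series, fw) is not False]


# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("edge-fw-1", "USG FLEX", "V5.35(ABUJ.0)"),   # last affected release -> patch
    ("edge-fw-2", "USG FLEX", "V5.36(ABUJ.0)"),   # one past the range -> fine
    ("branch-vpn", "VPN", "4.60"),                # first affected release -> patch
    ("old-usg", "ZyWALL/USG", "V4.73(AAPH.1)"),   # top of the ZyWALL/USG range -> patch
    ("lab-box", "ATP", "unknown"),                # unparseable -> review, not assumed safe
]
```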

Fortinet's Lin said that over the past month, attacks exploiting CVE-2023-28771 originated from separate IP addresses and specifically targeted the ability to inject commands into an Internet Key Exchange packet transmitted by Zyxel devices. Attacks are implemented using tools such as curl and wget, which download malicious scripts from servers controlled by the attacker.
