DDoS Botnets Hijacking Zyxel Devices to Launch Devastating Attacks

Cyber Security Threat Summary:
Researchers at FortiGuard Labs have observed several distributed denial-of-service botnets exploiting a critical flaw in Zyxel devices to gain remote control of vulnerable systems. Tracked as CVE-2023-28771, the vulnerability is a command injection bug affecting multiple firewall models that could enable an unauthorized actor to execute arbitrary code via specially crafted packets sent to the targeted appliance. After successful exploitation, the compromised systems are corralled into a botnet capable of launching DDoS attacks on other targets. “This comprises Mirai botnet variants such as Dark.IoT and another botnet that has been dubbed Katana by its author, which comes with capabilities to mount DDoS attacks using TCP and UDP protocols” (The Hacker News, 2023). Based on the exploit traffic observed, the attacks have been identified to occur in multiple regions, including Central America, North America, East Asia, and South Asia.

Security Officer Comments:
Although Zyxel addressed CVE-2023-28771 on April 25, 2023, the Shadowserver Foundation reported on Twitter that the flaw has been exploited to build a Mirai-like botnet since May 26, 2023, and cybersecurity firm Rapid7 has also warned of widespread in-the-wild abuse of the flaw. Given the active exploitation attempts, users should update their devices promptly to prevent compromise and to keep them from being recruited into botnets like Mirai that launch mass-scale DDoS attacks.

Suggested Correction(s):
Users should be wary of IoT devices that lack traditional security features. Many IoT devices offer no multi-factor authentication, or even a way to change default usernames and passwords. Cybercriminals will continue to target the ever-growing IoT device market.

If IoT devices must be used, users should consider segmenting them from sensitive networks.

Once a device has been compromised by a botnet, users may notice slow or sluggish systems and/or unusual traffic on the network.
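The "unusual traffic" a compromised appliance produces when it joins a TCP or UDP flood has a recognizable shape in flow summaries: a sudden jump in outbound packet volume and a large number of distinct destinations within a short window. The script below is an added example, not code from the article or from Zyxel, that applies those two heuristics to NetFlow-style records. The record layout, the thresholds, and the sample addresses (documentation ranges only) are assumptions; the flow records are constructed for the demonstration.

```python
"""Flag LAN hosts whose outbound traffic looks like DDoS participation.

Added example (not from the article). Two heuristics are applied per source
host over one export window: total outbound packets and destination fan-out.
Thresholds, record shape and addresses are assumptions for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# One flow record: (source IP, destination IP, protocol, destination port, packet count)
Flow = tuple[str, str, str, int, int]

PACKET_THRESHOLD = 20_000   # assumed: outbound packets per window before a host is suspicious
FANOUT_THRESHOLD = 20       # assumed: distinct destinations per window


@dataclass
class HostStats:
    packets: int = 0
    destinations: set[str] = field(default_factory=set)
    protocols: set[str] = field(default_factory=set)


def summarize(flows: list[Flow]) -> dict[str, HostStats]:
    """Aggregate outbound flows per source host."""
    stats: dict[str, HostStats] = defaultdict(HostStats)
    for src, dst, proto, _port, packets in flows:
        host = stats[src]
        host.packets += packets
        host.destinations.add(dst)
        host.protocols.add(proto)
    return dict(stats)


def flag_ddos_sources(flows: list[Flow],
                      packet_threshold: int = PACKET_THRESHOLD,
                      fanout_threshold: int = FANOUT_THRESHOLD) -> dict[str, list[str]]:
    """Return {host: [reasons]} for every host exceeding at least one heuristic."""
    flagged: dict[str, list[str]] = {}
    for host, s in summarize(flows).items():
        reasons = []
        if s.packets > packet_threshold:
            reasons.append("high outbound packet volume")
        if len(s.destinations) > fanout_threshold:
            reasons.append("high destination fan-out")
        if reasons:
            flagged[host] = reasons
    return flagged


def build_sample_flows() -> list[Flow]:
    """Constructed one-minute flow export: one normal client and one suspected bot."""
    flows: list[Flow] = [
        # Normal client: a few flows to a handful of services (hypothetical addresses).
        ("192.0.2.20", "198.51.100.5", "TCP", 443, 120),
        ("192.0.2.20", "198.51.100.6", "TCP", 443, 80),
        ("192.0.2.20", "198.51.100.7", "UDP", 53, 12),
    ]
    # Suspected bot: an IoT appliance pushing high-rate TCP and UDP flows to 40 distinct targets.
    for i in range(40):
        proto = "TCP" if i % 2 == 0 else "UDP"
        flows.append(("192.0.2.10", f"203.0.113.{i + 1}", proto, 80, 2500))
    return flows


if __name__ == "__main__":
    flows = build_sample_flows()
    stats = summarize(flows)
    for host, reasons in flag_ddos_sources(flows).items():
        s = stats[host]
        print(f"{host}: {', '.join(reasons)} "
              f"({s.packets} packets, {len(s.destinations)} destinations, "
              f"{'/'.join(sorted(s.protocols))})")
```

On real exports the thresholds must be set from a baseline of each network's normal traffic, and the window should be short (a minute or less), because a flood is a burst; averaged over an hour the spike of a single device can disappear into the totals.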

Link(s):
https://thehackernews.com/2023/07/ddos-botnets-hijacking-zyxel-devices-to.html