Posted on June 1, 2023 at 6:47 AM
Active Mirai Botnet Variant Exploits Zyxel Devices To Conduct DDoS Attacks
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a newly patched critical-severity flaw in Zyxel gear to its catalog of Known Exploited Vulnerabilities (KEV). The agency noted that the flaw was added to the list because of evidence of active exploitation by threat actors.
The vulnerability is tracked as CVE-2023-28771 and carries a CVSS score of 9.8. It is a command injection flaw affecting a wide range of firewall models that could allow an unauthenticated threat actor to run arbitrary code by sending a specially crafted packet to the targeted device.
Zyxel addressed the vulnerability in updates released in late April. The flaw has a broad reach and could cause significant damage across many devices if exploited in the wild.
The devices affected by this security flaw include ATP, on versions ZLD V4.60 to V5.35, which was patched in ZLD V5.36. It also affects USG FLEX devices on versions ZLD V4.60 to V5.35, patched in ZLD V5.36.
The flaw also affects VPN devices on versions ZLD V4.60 to V5.35, patched in ZLD V5.36. Additionally, it affects ZyWALL/USG devices on versions ZLD V4.60 to V4.74, patched in ZLD V4.73 Patch 1.
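To turn the affected-version list above into a quick patch-status check for a device inventory, here is an added Python example; it is not code from the article or from Zyxel. The version ranges and fix releases are the ones stated above, while the "ZLD V<major>.<minor> [Patch <n>]" string format, the parser and the sample inventory are assumptions constructed for this example.

```python
"""Patch-status triage for CVE-2023-28771 (added example).

Affected ranges and fix releases follow the article; the version-string
format, parser and sample inventory are constructed assumptions."""
import re
from typing import List, NamedTuple, Tuple

Version = Tuple[int, int, int]

class Affected(NamedTuple):
    first: Version      # first affected ZLD release
    fixed: Version      # release that carries the fix
    fixed_label: str    # fix release as named in the article

def parse_zld(version: str) -> Version:
    """'ZLD V4.73 Patch 1' -> (4, 73, 1); 'ZLD V5.36' -> (5, 36, 0)."""
    m = re.search(r"ZLD\s*V?(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?", version, re.I)
    if not m:
        raise ValueError(f"unrecognised ZLD version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

# Per product family, from the article. ZyWALL/USG is listed as affected up
# to V4.74 but fixed in V4.73 Patch 1; this check treats any release at or
# above the named fix as patched (an assumption about the intended meaning).
AFFECTED = {
    "ATP":        Affected((4, 60, 0), (5, 36, 0), "ZLD V5.36"),
    "USG FLEX":   Affected((4, 60, 0), (5, 36, 0), "ZLD V5.36"),
    "VPN":        Affected((4, 60, 0), (5, 36, 0), "ZLD V5.36"),
    "ZyWALL/USG": Affected((4, 60, 0), (4, 73, 1), "ZLD V4.73 Patch 1"),
}

def is_vulnerable(family: str, version: str) -> bool:
    """True when the running release lies in [first affected, fix)."""
    a = AFFECTED[family]
    return a.first <= parse_zld(version) < a.fixed

def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (hostname, required fix) for every device still unpatched."""
    return [(host, AFFECTED[fam].fixed_label)
            for host, fam, ver in inventory if is_vulnerable(fam, ver)]

# Constructed sample inventory: (hostname, product family, running firmware).
SAMPLE_INVENTORY = [
    ("fw-branch-1", "ATP",        "ZLD V5.35"),
    ("fw-branch-2", "USG FLEX",   "ZLD V5.36"),
    ("fw-hq",       "ZyWALL/USG", "ZLD V4.73"),
    ("fw-dc",       "ZyWALL/USG", "ZLD V4.73 Patch 1"),
    ("fw-lab",      "VPN",        "ZLD V4.50"),
]

if __name__ == "__main__":
    for host, fix in triage(SAMPLE_INVENTORY):
        print(f"{host}: vulnerable to CVE-2023-28771, upgrade to {fix}")
```

Because the VPN service is exposed on the WAN by default, a device flagged here should be treated as exposed even if its web interface is not reachable from the internet.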
Vulnerability is being exploited in the wild
The Shadowserver Foundation recently posted a tweet about this vulnerability and the danger it poses to users.
At this stage if you have a vulnerable device exposed, assume compromise.
— Shadowserver (@Shadowserver) May 27, 2023
Zyxel advisory and patch info (2023-04-25): https://t.co/K3ORt8CFz7
Zyxel firewall device population (no vulnerability assessment) on our Dashboard: https://t.co/W4gzpW8w1V
The Shadowserver Foundation noted that the vulnerability has been actively exploited in the wild to build a Mirai-like botnet since May 26, 2023. Shadowserver's report corroborates the one from CISA.
“Zyxel firewalls CVE-2023-28771 (pre-auth remote command OS injection) is being actively exploited to build a Mirai-like botnet. Internet-wide sweeps have been seen by over 700 of our IKEv2-aware honeypot sensors since May 26th. Exploit PoC is public, so expect an increase in attacks,” the tweet by the Shadowserver Foundation said.
The heightened risk of in-the-wild exploitation has also been highlighted by cybersecurity company Rapid7. The company warned that CVE-2023-28771 is being exploited by malicious threat actors and poses a severe danger to users.
Rapid7's report said that, as of May 19, at least 42,000 Zyxel devices were exposed to the public internet. However, the researchers noted that this figure only counts devices with their web interfaces exposed on the WAN, which is not the default configuration.
The flaw lies in the VPN service, which is enabled by default on the WAN. As such, researchers expect the actual number of exposed and compromised devices to be significantly higher.
Given the many warnings cybersecurity researchers have issued about this vulnerability, it is crucial that users install the security patches promptly to mitigate the risk. US federal agencies are also required to update their devices by June 21, 2023.
This disclosure also follows a detailed report by Palo Alto Networks Unit 42, which analyzed attacks carried out since the beginning of April this year by an active Mirai botnet variant known as IZ1h9.
The intrusions observed by Unit 42 leveraged several remote code execution vulnerabilities in internet-exposed IoT devices, Zyxel among them. The flaws are exploited to ensnare the devices into a network used to conduct distributed denial-of-service (DDoS) attacks.
Mirai is one of the most notorious botnets in the industry. It has spawned a wide range of clones since its source code was leaked in October 2016. Unit 42's statement on the matter said that IoT devices have long been a lucrative target for hackers.
Remote code execution attacks have become increasingly common, with the most concerning threats affecting IoT devices and Linux servers. The vulnerabilities now used by this threat are less complex in nature, but that does not lessen their impact; they can still result in remote code execution.