According to Fortinet, at least three DDoS botnets are exploiting the CVE-2023-28771 vulnerability recently discovered in Zyxel hardware. Experts say the attacks are taking place in several regions, including Central America, North America, East Asia and South Asia.
The problem was originally found by TRAPA Security specialists and received a CVSS score of 9.8 out of 10.
This bug, fixed at the end of April, was related to incorrect error message handling in some versions of the firewall and allowed an unauthenticated attacker to “remotely execute commands by sending custom packets to a vulnerable device.”
The problem affected:
- ATP (ZLD V4.60 to V5.35, fixed in ZLD V5.36);
- USG FLEX (ZLD V4.60 to V5.35, fixed in ZLD V5.36);
- VPN (ZLD V4.60 to V5.35, fixed in ZLD V5.36);
- ZyWALL/USG (ZLD V4.60 to V4.73, fixed in ZLD V4.73 Patch 1).
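The affected ranges above are the useful part of this advisory for a defender, so here is an added example (not code from the article, from Zyxel or from Fortinet) that turns them into a quick inventory check. It assumes ZLD firmware versions are written as in the advisory ("ZLD V5.35", "ZLD V4.73 Patch 1"); the device inventory at the bottom is constructed for illustration.

```python
# Added example: flag Zyxel devices whose ZLD firmware falls inside the ranges
# listed as vulnerable to CVE-2023-28771. Ranges copied from the advisory
# summary; version-string format ("V5.35", "V4.73 Patch 1") is an assumption.
import re
from typing import List, Tuple

# product -> (first affected release, first fixed release).
# "V4.60 to V5.35, fixed in V5.36" is the same as: V4.60 <= version < V5.36,
# and for ZyWALL/USG the fix is a patch level on top of the last affected base.
AFFECTED = {
    "ATP":        ("V4.60", "V5.36"),
    "USG FLEX":   ("V4.60", "V5.36"),
    "VPN":        ("V4.60", "V5.36"),
    "ZyWALL/USG": ("V4.60", "V4.73 Patch 1"),
}

_VER_RE = re.compile(
    r"^(?:ZLD\s*)?V?(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?$", re.IGNORECASE
)


def parse_zld(version: str) -> Tuple[int, int, int]:
    """Turn 'ZLD V4.73 Patch 1' into (4, 73, 1); a missing patch level is 0.
    Raises ValueError for strings that do not look like a ZLD version."""
    m = _VER_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ZLD version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(product: str, version: str) -> bool:
    """True when product/version is inside the advisory's vulnerable range.
    Tuples compare element-wise, so (4, 73, 0) < (4, 73, 1) handles the
    'fixed in V4.73 Patch 1' case correctly. Unknown products raise KeyError."""
    first, fixed = AFFECTED[product]
    return parse_zld(first) <= parse_zld(version) < parse_zld(fixed)


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames that still need the CVE-2023-28771 fix."""
    return [host for host, product, ver in inventory if is_affected(product, ver)]


# Constructed sample inventory (hostname, product line, running firmware).
INVENTORY = [
    ("fw-hq-1",      "ATP",        "ZLD V5.35"),
    ("fw-branch",    "USG FLEX",   "ZLD V5.36"),
    ("vpn-legacy",   "ZyWALL/USG", "ZLD V4.73"),
    ("vpn-legacy-2", "ZyWALL/USG", "ZLD V4.73 Patch 1"),
    ("vpn-old",      "VPN",        "ZLD V4.50"),
]

if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"{host}: firmware in affected range, update required")
```

Run it against an export from your management console; anything it prints is exposed to the unauthenticated command execution described above until the firmware is moved past the fixed release for its product line.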
Last month, the Shadowserver Foundation already warned that the vulnerability had been “actively exploited to create a Mirai botnet” since at least May 26, 2023.
As Fortinet now reports, after the public release in June of a Metasploit module exploiting this vulnerability, attacks on CVE-2023-28771 became noticeably more frequent, and several botnets have since adopted the bug. Attacks now originate from multiple IP addresses and rely on scripts adapted to the MIPS architecture.
Among the botnets involved in this malicious activity, the researchers list Dark.IoT, which has existed since 2021, an unnamed Mirai botnet, and a DDoS-oriented botnet that Fortinet links to the Telegram group “SHINJI.APP | Katanabotnet”.