Three DDoS Botnets Attack Zyxel Devices at Once

DDoS botnet and Zyxel
According to Fortinet, at least three DDoS botnets are exploiting CVE-2023-28771, a vulnerability recently discovered in Zyxel hardware. The experts say the attacks are taking place in several regions, including Central America, North America, East Asia and South Asia.

The problem was initially found by TRAPA Security specialists and received a rating of 9.8 out of 10 on the CVSS vulnerability scale.

The bug, fixed at the end of April, stemmed from incorrect error message handling in some firewall firmware versions and allowed an unauthenticated attacker to “remotely execute commands by sending custom packets to a vulnerable device.”

The problem affected:

  1. ATP (ZLD V4.60 to V5.35, fixed in ZLD V5.36);
  2. USG FLEX (ZLD V4.60 to V5.35, fixed in ZLD V5.36);
  3. VPN (ZLD V4.60 to V5.35, fixed in ZLD V5.36);
  4. ZyWALL/USG (ZLD V4.60 to V4.73, fixed in ZLD V4.73 Patch 1).
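To turn the affected-version list above into a check an administrator can run against a device inventory, here is an added example (not code from Zyxel or Fortinet). It encodes the ZLD ranges from the list, parses version strings such as “ZLD V4.73 Patch 1”, and flags devices still running a vulnerable build; the inventory entries are constructed sample data.

```python
import re
from typing import List, Tuple

# Affected ZLD windows and first fixed build per product family, taken from the
# list in the article. Tuples are (major, minor, patch); "Patch 1" -> patch=1.
AFFECTED = {
    "ATP":        ((4, 60), (5, 35), (5, 36, 0)),
    "USG FLEX":   ((4, 60), (5, 35), (5, 36, 0)),
    "VPN":        ((4, 60), (5, 35), (5, 36, 0)),
    "ZyWALL/USG": ((4, 60), (4, 73), (4, 73, 1)),
}

# Accepts "ZLD V5.35", "V4.73 Patch 1", "5.36" (case-insensitive).
_VER_RE = re.compile(r"^(?:ZLD\s*)?V?(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?$", re.IGNORECASE)


def parse_zld(version: str) -> Tuple[int, int, int]:
    """Parse a ZLD firmware string into (major, minor, patch)."""
    m = _VER_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ZLD version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(family: str, version: str) -> bool:
    """True if this family/version is inside the affected window and below the fix."""
    first, last, fixed = AFFECTED[family]
    v = parse_zld(version)
    # The window is defined on major.minor; the patch level only matters
    # against the fixed build (ZyWALL/USG V4.73 is affected, V4.73 Patch 1 is not).
    return first <= v[:2] <= last and v < fixed


# Constructed sample inventory: (hostname, product family, reported firmware).
INVENTORY = [
    ("fw-branch-01", "ATP", "ZLD V5.35"),
    ("fw-branch-02", "ATP", "ZLD V5.36"),
    ("fw-hq", "USG FLEX", "ZLD V5.30"),
    ("fw-legacy", "ZyWALL/USG", "ZLD V4.73"),
    ("fw-legacy-2", "ZyWALL/USG", "ZLD V4.73 Patch 1"),
    ("fw-vpn", "VPN", "ZLD V4.25"),
]


def find_vulnerable(inventory) -> List[str]:
    """Return hostnames whose firmware still falls in the CVE-2023-28771 window."""
    return [name for name, family, ver in inventory if is_vulnerable(family, ver)]


if __name__ == "__main__":
    for host in find_vulnerable(INVENTORY):
        print(f"{host}: vulnerable to CVE-2023-28771, update ZLD firmware")
```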

Last month, the Shadowserver Foundation had already warned that the vulnerability was being “actively exploited to create a Mirai botnet” since at least May 26, 2023.

As Fortinet now writes, after a Metasploit module exploiting this vulnerability was publicly released in June, attacks on CVE-2023-28771 became noticeably more frequent, and several botnets have since adopted the bug. Attacks now originate from multiple IP addresses and rely on scripts adapted to the MIPS architecture.

“These attacks target a command injection vulnerability in Internet Key Exchange (IKE) packets transmitted over UDP on Zyxel devices. Attackers use tools such as curl or wget to download scripts and take further action,” the researchers report.

Among the botnets involved in this malicious activity, the researchers list Dark.IoT, which has existed since 2021, an unnamed Mirai botnet, and a DDoS-oriented botnet that Fortinet links to the Telegram group “SHINJI.APP | Katanabotnet”.

“This campaign appears to be using multiple servers to launch attacks, updating every few days to maximize the compromise of Zyxel devices,” the company warned.

You may also be interested in our colleagues’ article on how manufacturers deal with Frag Attacks problems.


About the author

Volodymyr Krasnogolovy

I'm a journalist, cybersecurity specialist, content manager, copywriter, and photojournalist. With a deep passion for cybersecurity and a diverse skill set, I'm excited to share my expertise through this blog. From researching the latest threats to crafting engaging narratives and capturing powerful visuals, I strive to provide valuable insights and raise awareness about the importance of cybersecurity.
